In a development that will deeply alarm regulators and anyone investing in shares, security firm FireEye has revealed details of a hacking group that has launched targeted 'insider trading' attacks against senior executives in public firms and their advisors.
Dubbed 'FIN4' and operating since at least mid-2013, more than two thirds of the targets appear to be in the pharmaceutical, biotechnology and medical sectors, with another 20 percent legal advisors in mergers & acquisition to those industries. Around 12 percent were other firms quoted on stock markets.
According to FireEye, the sector focus is driven by a desire for insider trading information, including anything connected to drug development, clinical trials, insurance reimbursement, legal cases, in fact more or less anything that is not known publically but would influence a firm's share price if it became public.
Making sense of that sort of material would require more than technical knowledge of how to target executives and break into a company's system - the attacks appeared to have inside knowledge and understanding of these industries and knew that the sector is prone to large stock price movements, FireEye said.
What is fascinating is the way the attackers go to some lengths to target specific individuals of interest, even 'weaponising' already stolen documents related to M&A to target their associates. In one example, FIN4 had targeted five different organisations involved in an acquisition discussion, long before any outsiders knew about the deal.
That would make these attacks some of the most diligent targeting a company or industry ever documented. This is potentially the low road to the sort of data inside traders dream of. That makes it dangerous and probably hugely profitable.
"FIN4 knows their audience. Their spearphishing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies. FIN4's phishing emails frequently play up shareholder and public disclosure concerns," said the report.
FireEye concludes that the group has already made money out of its hacking from share price movements.
Not everyone is convinced that benefitting from such insider attacks would be as easy as it might appear.
"Even if you know merger talks and due diligence are happening, it will still be tough to accurately trade on that information," commented vice president of M&A strategy at Intralinks, Matt Porzio.
"A lot of talks fall through or the stock price benefit takes a long time to materialise. You would still need a high degree of expertise to analyse deal info and do a deeper evaluation on what type of move to make and when."
Intralinks recommends that all M&A discussions using email should employ security mechanisms such as codenames to identify participants. Indeed, such strategies were common in the industry, which raises a question over what the FIN4 attackers would have gained by monitoring such communications. Worries over the accidental leakage of insider data is far from being a new concern after all.
Who might FIN4 be and where are they based? For once, not China or Russia. The most likely culprit was a criminal group based in the West or even the US itself - who saw that one coming? From public statements made to the media, FireEye executives said the group could even be trained in investment banking.
That would be an serious charge if any evidence of such a thing emerged because it implies a massive collapse in morality in fringe parts of an industry already badly strained by scandals during the financial crash of 2008. For the time being at least, the evidence is more ambiguous.