Were FIN4 insider-trading hackers helped by rogue investment bankers?

Targeted 100 firms and their advisors, says FireEye

In a development that will deeply alarm regulators and anyone investing in shares, security firm FireEye has revealed details of a hacking group that has launched targeted 'insider trading' attacks against senior executives in public firms and their advisors.

Dubbed 'FIN4' and operating since at least mid-2013, the group has a clear sector focus: more than two thirds of its targets appear to be in the pharmaceutical, biotechnology and medical sectors, with another 20 percent being legal advisors on mergers & acquisitions to those industries. Around 12 percent were other firms quoted on stock markets.

According to FireEye, the sector focus is driven by a desire for insider trading information, including anything connected to drug development, clinical trials, insurance reimbursement or legal cases; in fact, more or less anything that is not publicly known but would influence a firm's share price if it became public.

Making sense of that sort of material would require more than technical knowledge of how to target executives and break into a company's systems. The attackers appeared to have inside knowledge and understanding of these industries, and knew that the sector is prone to large stock price movements, FireEye said.

What is fascinating is the way the attackers go to some lengths to target specific individuals of interest, even 'weaponising' already stolen documents related to M&A to target their associates. In one example, FIN4 had targeted five different organisations involved in an acquisition discussion, long before any outsiders knew about the deal.

That would make these attacks some of the most diligent targeting of a company or industry ever documented. This is potentially the low road to the sort of data insider traders dream of, which makes it dangerous and probably hugely profitable.

"FIN4 knows their audience. Their spearphishing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies. FIN4's phishing emails frequently play up shareholder and public disclosure concerns," said the report.

FireEye concludes that the group has already made money out of its hacking from share price movements.

Not everyone is convinced that benefitting from such insider attacks would be as easy as it might appear.

"Even if you know merger talks and due diligence are happening, it will still be tough to accurately trade on that information," commented Matt Porzio, vice president of M&A strategy at Intralinks.

"A lot of talks fall through or the stock price benefit takes a long time to materialise. You would still need a high degree of expertise to analyse deal info and do a deeper evaluation on what type of move to make and when."

Intralinks recommends that all M&A discussions conducted over email should employ security mechanisms such as codenames to identify participants. Indeed, such strategies are already common in the industry, which raises a question over what the FIN4 attackers would have gained by monitoring such communications. Worries over the accidental leakage of insider data are, after all, far from a new concern.

Who might FIN4 be and where are they based? For once, not China or Russia. The most likely culprit was a criminal group based in the West or even the US itself - who saw that one coming? In public statements made to the media, FireEye executives said the group could even have been trained in investment banking.

That would be a serious charge if any evidence of such a thing emerged, because it implies a massive collapse in morality in fringe parts of an industry already badly strained by scandals during the financial crash of 2008. For the time being at least, the evidence is more ambiguous.

Stories by John E Dunn