Hackers well-versed in Wall Street vernacular hack publicly traded companies

Published 3 December 2014

Security firm FireEye’s recent report on a group of hackers who have been infiltrating e-mail correspondence from more than 100 organizations differs from the company’s previous reports on cyber criminals operating from China or Russia. This time, the hackers are based in North America or Western Europe, and are well-versed in Wall Street vernacular. The hackers, whom FireEye named “FIN4” because they are one of many groups that hack for financial gain, targeted mostly publicly traded healthcare or pharmaceutical companies, along with their advisory firms, in pursuit of information that could affect global financial markets.

“FIN4 probably focuses on these types of organizations because their stocks can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues,” the report reads. All but three of the affected organizations were publicly listed on the New York Stock Exchange or Nasdaq, and the others were listed on foreign exchanges.

Messages written in industry vernacular, sometimes disguised as e-mails from current or past clients, duped some senior executives into clicking on links embedded in email messages. The New York Times reports that in one case, hackers posed as an adviser to one of two companies in a potential acquisition. In some other cases, hackers relied on previously stolen confidential company documents to give the impression of authenticity. All identified victims clicked on links or opened attachments that redirected them to a fake e-mail login page, designed to steal the victim’s credentials.

Unlike other hacking groups uncovered by FireEye, FIN4 does not use malware to intrude further into a firm’s digital infrastructure. Instead, FIN4 relies on information stored in victims’ e-mail accounts, and automatically deletes notices that inform an account owner of a possible intrusion. “Given the types of people they are targeting, they don’t need to go into the environment; the senior roles they target have enough juicy information in their inbox,” said Jen Weedon, a FireEye threat intelligence manager. “They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits.”

FireEye began responding to FIN4’s intrusions into e-mail accounts belonging to top-level executives; legal counsel; regulatory, risk, and compliance officers; researchers; and scientists in mid-2013, but the company did not compile its findings until five months ago. FireEye has informed the FBI and notes that it is difficult to track the hackers because they logged into their victims’ e-mail accounts using Tor, the anonymity Web browser that directs Web traffic through Internet Protocol addresses around the world.
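As an added defender-side illustration (not from FireEye’s report or this article), the following Python correlates the two behaviours the article attributes to FIN4: webmail logins arriving via Tor and the deletion of intrusion notices from the mailbox. The log line format, the Tor exit-node addresses and the sample log lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed stand-in for a Tor exit-node list (documentation-range addresses, not real exits).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Subjects a mailbox owner would expect when a provider or admin warns of suspicious access.
ALERT_SUBJECT = re.compile(
    r"(unusual|suspicious|new) (sign-in|login|device)|security (alert|notice)", re.I)

# Constructed webmail audit log format: one event per line, optional quoted subject.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<sid>\S+) "
    r"action=(?P<action>\S+)(?: subject=\"(?P<subject>[^\"]*)\")?$")

def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LOG_LINE.match(l.strip()) for l in lines) if m]

def flag_sessions(lines, tor_exits=TOR_EXIT_NODES):
    """Return {session_id: [reasons]} for sessions that log in from a Tor exit node
    and/or delete security notices. Both in one session is the FIN4-style pattern."""
    by_session = defaultdict(list)
    for ev in parse(lines):
        by_session[ev["sid"]].append(ev)
    findings = {}
    for sid, evs in by_session.items():
        reasons = []
        if any(e["action"] == "login" and e["src"] in tor_exits for e in evs):
            reasons.append("login from Tor exit node")
        deleted = [e for e in evs if e["action"] == "delete"
                   and e["subject"] and ALERT_SUBJECT.search(e["subject"])]
        if deleted:
            reasons.append(f"deleted {len(deleted)} security notice(s)")
        if len(reasons) == 2:
            reasons.append("HIGH: both indicators in one session")
        if reasons:
            findings[sid] = reasons
    return findings

# Constructed sample log: s1 shows the full pattern, s2 is benign, s3 only deletes a notice.
SAMPLE_LOG = [
    '2014-11-20T08:02:11Z user=cfo@example.com src=198.51.100.7 session=s1 action=login',
    '2014-11-20T08:02:40Z user=cfo@example.com src=198.51.100.7 session=s1 action=delete subject="Unusual sign-in detected on your account"',
    '2014-11-20T08:03:05Z user=cfo@example.com src=198.51.100.7 session=s1 action=read subject="Re: Phase III interim results"',
    '2014-11-20T09:15:00Z user=cfo@example.com src=192.0.2.10 session=s2 action=login',
    '2014-11-20T09:16:30Z user=cfo@example.com src=192.0.2.10 session=s2 action=delete subject="Lunch Thursday?"',
    '2014-11-20T10:00:00Z user=counsel@example.com src=192.0.2.20 session=s3 action=delete subject="Security alert: new device"',
]

if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(sid, "->", "; ".join(reasons))
```

In practice the Tor exit list would be refreshed from a threat-intelligence feed and the log lines would come from the mail platform’s audit trail; the session grouping is what lets a lone notice deletion be distinguished from an attacker covering a Tor login.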

“We don’t have specific attribution but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States,” Weedon said. “But it’s hard because we don’t have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.” She added that “if it’s not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well.”