Hackers with Wall Street expertise have stolen merger-and-acquisition information from more than 80 companies for more than a year, according to security consultants who shared their findings with law enforcement.
A group dubbed FIN4 by researchers at FireEye Inc. has been tricking executives, lawyers and consultants into providing access to confidential data and communications, and probably using the information for insider trading, FireEye said in a report today. The hackers' sophistication suggests they've worked in the financial sector, Jen Weedon, FireEye's manager of threat intelligence, said in an interview.
The report is the most detailed to date suggesting that hacking may be the basis for a new wave of insider trading, following a crackdown by U.S. prosecutors over the last three years that focused on mining information through personal connections and payoffs. FireEye said it couldn't discount that the hackers provided the data to traders or a hedge fund.
"We suspect they are Americans, given their Wall Street inside knowledge," Weedon said. "They seem to have worked on Wall Street."
Most of the cases detected involved health-care or pharmaceutical companies, whose stock prices swing on news of mergers, clinical-trial results and regulatory decisions, according to Milpitas, California-based FireEye. FireEye didn't identify any targets of the hacking.
"Access to insider information that could make or break stock prices for over 80 publicly traded companies could surely put FIN4 at a considerable trading advantage," FireEye said in the report.
FireEye turned over the information it gathered in its investigation to the U.S. Federal Bureau of Investigation, Weedon said. The FBI is reviewing the report and can't comment, Joshua Campbell, a spokesman, said in an e-mail.
In one example FireEye tracked, the hacking group obtained a confidential document prepared for the U.S. Securities and Exchange Commission about a public company's attempted acquisition.
Hackers then used the document for what is known as a spearphishing e-mail, an attempt to persuade someone to reveal a password. Because the document was real, it gave the deception credibility, Weedon said.
The successful attacks were focused on two companies advising the unidentified public company, according to the report, which said the company's share price "varied significantly" after news of the possible acquisition became public.
"It is likely that FIN4 used the inside information they had to capitalize on these stock fluctuations," the report said.
A team at FireEye has been tracking the attacks for more than a year and believes they began in mid-2013. Targets included more than 100 publicly traded companies, law firms, outside consultants and investment bankers, the report said.
Of the targets, 68 percent were publicly traded health-care and pharmaceutical companies and 12 percent were public companies in other industries, according to the report. Advisers made up the remaining 20 percent.
The e-mails targeting executives, lawyers and others were written by native English speakers who knew investment terms and the inner workings of public companies, according to the report.
"FIN4 knows their targets," the report said.
Instead of infecting target computers with malware, the hackers obtained e-mail passwords and logged in to monitor communications, the report said.
"In order to get useful inside information, FIN4 compromises the e-mail accounts of individuals who regularly communicate about market-moving, non-public matters," the report said.
The SEC has in the past sanctioned people who traded on confidential information obtained through hacking. In 2005, the agency sued two Estonian traders for breaking into the systems of Business Wire, which distributes press releases about corporate earnings, mergers and regulatory actions. The traders, who agreed to pay more than $14 million to settle the claims, got an early peek at more than 360 press releases, according to the SEC.
In 2010, the SEC accused a Ukrainian trader, Oleksander Dorozhko, with fraud, claiming he hacked into the systems of an investor-relations firm to get early access to the earnings of a healthcare company.