by Cydney Posner

Here is an unnerving warning from FireEye, a cybersecurity firm, discussed in this article from MarketWatch, regarding a sophisticated, native-English-speaking group, designated FIN4, that has targeted almost 100 public companies, primarily healthcare and pharma, to compromise their confidential information. What’s unusual here is that the apparent purpose of the intrusions is to engage in insider trading based on the stolen information; more typically, data is compromised because governments or cybercriminals are seeking to steal credit card or other financial data from retailers or to copy high tech firms’ recent innovations. According to a FireEye VP, “‘[a]dvanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action…. FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.’” FireEye’s full report can be found here.

According to the MarketWatch article, FireEye conducted a year-long investigation to uncover the group, which has “extensive knowledge of the nuances in industries they targeted as well as financial practices,” along with “a strong command of English colloquialisms, regulatory and compliance standards, and industry knowledge.” FIN4 targets accounts of individuals who are likely to have market-moving information, such as information about M&A activities or new product development, focusing on executives, regulatory compliance personnel, consultants and researchers, as well as legal counsel, investor relations and investment banking firms.

MarketWatch reports that FIN4 does not use malware, but rather relies on “highly-targeted social engineering tactics and deep subject-matter expertise to deliver weaponized versions of legitimate corporate files.” This unique approach allows FIN4 “to evade traditional detection and attribution…. FireEye researchers also found that while FIN 4 has highly advanced techniques for breaking into an organization, they have security practices on the data they transmit. Stolen login credentials were shown to be transferred to FIN4 servers in plain text while the operators themselves use TOR (anonymity software that makes it hard to trace origins) to mask their locations and identities.”

According to this article in the NYT, the attackers use email lures that “are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ. Different groups of victims … are sent different emails. Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee’s negative comments about the executive in an investment forum. In other cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In some incidents, the attackers have simply embedded generic investment reports in their emails. In each case, the links or attachments redirect their victim to a fake email login page, designed to steal the victim’s credentials, so that the attacker can log into and read the contents of their emails.”

Indicators can be downloaded here.
