The Securities and Exchange Commission’s civil complaint outlining the details of an international insider trading scheme is an object lesson in how cybercriminals can monetize any information, not just customer records or intellectual property.
"They targeted the Securities and Exchange Commission with a series of sophisticated and relentless cyber-attacks, stealing thousands of confidential EDGAR filings from the Commission’s servers and then trading on the inside information in those filings before it was known to the market, all at the expense of the average investor," said U.S. Attorney Craig Carpenito, of the U.S. Attorney’s Office of New Jersey.
The Department of Justice charged two individuals for breaching the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, stealing thousands of files containing confidential financial information, and sharing them with different groups of traders who bought and sold stocks based on that information. The EDGAR system holds financial records and related documents for publicly traded companies, and its test filing application lets companies submit files to ensure documents are being processed correctly. While these filings typically do not contain sensitive, non-public information, the SEC said in its complaint that companies sometimes submit test documents containing the same or similar information that will appear in the actual filing.
This meant that some of the test files contained “earning results and material information that the companies had not yet released to the public,” the SEC said.
Information is Valuable
In this insider trading scheme, the attackers wanted early access to information that was going to become public eventually. They weren't looking for personal information that could be sold to identity thieves or financial data to resell on carder forums. They weren't after intellectual property as part of economic espionage. The success of the operation depended on timing—the thieves needed to get the information to rogue traders with enough time to make trades on stocks that would rise or fall once the information became public.
“In one instance, a test filing for ‘Public Company 1’ was uploaded to the EDGAR servers at 3:32 p.m. (EDT) on May 19, 2016. Six minutes later, the defendants stole the test filing and uploaded a copy to the Lithuania server. Between 3:42 p.m. and 3:59 p.m., a conspirator purchased approximately $2.4 million worth of shares of Public Company 1. At 4:02 p.m., Public Company 1 released its second quarter earnings report and announced that it expected to deliver record earnings in 2016. Over the next day, the conspirator sold all the acquired shares in Public Company 1 for a profit of more than $270,000,” the Department of Justice said in its release.
The Justice Department had charged the same defendant back in 2015 with a similar attack: the breach of newswire distribution companies that allowed thieves to steal press releases before they were publicly announced. The information from those press releases was also used by rogue securities traders to make illegal trades.
Enterprise security teams need to regularly assess what information needs to be protected, and which processes need extra security. The focus is often on the obvious—personal information and the "crown jewels" such as the list of customers, source code, top-secret recipe, and so on. In this case, criminals relied on the fact that some companies were submitting sensitive information in what was essentially a testing application. While the company didn't lose money directly (since the traders benefitted from making the transactions at the right time), the mistake resulted in a windfall for the group engaged in this operation.
The traders made transactions before at least 157 earnings releases between May and October 2016, to the tune of at least $4.1 million in profit, the Department of Justice said.
Investigations Take Time
The attackers initially gained access to the EDGAR system by sending SEC employees phishing emails that appeared to have originated from other SEC employees, and then infecting the victims’ computers with malware. They gained access to the test filings through directory traversal attacks, which let attackers access restricted directories and execute commands outside of the web server’s root directory.
The methods used weren’t “sophisticated” in the sense of using exotic or unknown techniques, but they were still effective.
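Directory traversal is a well-understood class of defect, and the two defensive pieces a team would want are shown here: a path-resolution check that refuses any request escaping the application's document root (including URL-encoded and backslash variants), and a detector that runs over web access logs and separates blocked attempts from ones the server actually answered. This is an added example written for this article; it is not code from EDGAR or from the SEC, the base directory `/srv/edgar/test` is hypothetical, and the access-log lines are constructed for illustration.

```python
"""Defending against and detecting directory traversal (added example, not from the article)."""
import re
from typing import Optional
from urllib.parse import unquote
import posixpath

# Constructed Common-Log-Format lines for illustration only; not real server logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2016:15:38:01 -0400] "GET /filings/test/12345.txt HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/May/2016:15:38:07 -0400] "GET /filings/test/../../etc/passwd HTTP/1.1" 200 1890',
    '10.0.0.9 - - [19/May/2016:15:38:09 -0400] "GET /filings/%2e%2e/%2e%2e/private/drafts.txt HTTP/1.1" 200 9011',
    '10.0.0.9 - - [19/May/2016:15:38:12 -0400] "GET /filings/..%5c..%5cconfig.xml HTTP/1.1" 404 210',
    '10.0.0.7 - - [19/May/2016:15:39:00 -0400] "GET /filings/test/report..pdf HTTP/1.1" 200 77',
]


def _canonicalize(path: str) -> str:
    """Undo the encodings attackers use to hide '..': URL-decode twice
    (covers double encoding) and treat backslashes as separators."""
    return unquote(unquote(path)).replace("\\", "/")


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Map a user-supplied relative path onto base_dir.

    Returns the normalised absolute path if it stays inside base_dir,
    or None if the request would escape the document root."""
    base = posixpath.normpath(base_dir)
    decoded = _canonicalize(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Prefix check must include the trailing separator so that
    # '/srv/edgar/test-secret' is not accepted as inside '/srv/edgar/test'.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')


def parse_log_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}


def is_traversal_attempt(path: str) -> bool:
    """True only when a whole path segment is '..' after canonicalisation.
    A file named 'report..pdf' is therefore not flagged."""
    return any(seg == ".." for seg in _canonicalize(path).split("/"))


def flag_traversal(lines) -> list:
    """All parsed requests whose path contains a traversal segment."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_traversal_attempt(rec["path"]):
            hits.append(rec)
    return hits


def successful_traversals(lines) -> list:
    """Traversal requests the server answered with 200: the ones that
    indicate the check above was missing and need incident follow-up."""
    return [rec for rec in flag_traversal(lines) if rec["status"] == 200]


if __name__ == "__main__":
    for req in ("12345.txt", "../../etc/passwd", "%2e%2e/%2e%2e/private/drafts.txt"):
        print(f"{req!r:45} -> {safe_resolve('/srv/edgar/test', req)}")
    for rec in successful_traversals(SAMPLE_LOG):
        print("served traversal:", rec["ip"], rec["time"], rec["path"])
```

The distinction the detector draws matters for response: a 404 on a traversal path is noise from a blocked probe, while a 200 means the server handed back a file from outside its root and the affected host, time window and path belong in the incident timeline. In the resolution check, the canonicalisation step is what turns `%2e%2e` and `..%5c` into the plain `..` that the prefix comparison then rejects.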
The attackers lost access to the test filing application in October 2016, after the SEC detected the breach and fixed the issues in EDGAR. They attempted to re-compromise SEC computers and regain access to EDGAR by sending phishing emails “spoofed to appear to have been sent by SEC security personnel”—attempts that continued into early 2017.
“None of the post-October 2016 efforts appear to have led to access to test filings containing material nonpublic information or to trading,” the Department of Justice said.
Even though the SEC fixed the issues in October 2016, it wasn’t until almost a year later that the agency realized the stolen documents had been used for insider trading. It sometimes takes a while for investigators to figure out what the attackers did, or how the information was abused.