Mergers and hack-quisitions
There’s an event-driven hedge fund operating on the anonymous Tor network. A cyber group probably seeking a trading edge is targeting confidential information on pending mergers and acquisitions. What’s striking, as in many more sophisticated hacks, are the basic mistakes otherwise intelligent professionals make to let the intruders in.
The group, dubbed FIN4 by cybersecurity experts at FireEye, targets the emails of top executives and advisers. Unlike widely reported recent episodes of corporate espionage believed to originate in China, FireEye suggests FIN4 is a Western operation looking for early warning on M&A and other market-moving events.
Of the more than 100 victims identified, over two-thirds are public companies in the healthcare and pharmaceutical sectors, where big price swings are common when deals or drug developments are announced. The vast majority are listed on U.S. exchanges.
Wall Street banks and law firms also aren’t impenetrable, despite their conscious efforts to protect clients’ confidential data. To get initial access, the hackers send fake emails using the language of Western M&A – sometimes aptly warning about the disclosure of confidential information – and luring their chosen targets into clicking links or opening attachments. These then generate authentic-looking pop-up messages asking for email credentials, sometimes mimicking the web version of Microsoft’s Outlook software. So armed, FIN4 can follow email conversations and use them to identify new targets.
Approaches like this are part of what the cybersecurity community calls “social engineering,” and they are critical to hacking success. A highly advanced, probably Western government-engineered piece of malware called Regin, made public last month by Symantec, deploys itself in several stages and covers its own tracks. But getting it into infected systems still often requires someone to fall for just the same kind of simple trick.
Most organizations can probably do more to ensure staff are on high alert for social engineering. The FIN4 group sounds convincing, though, so breaches are going to happen. Then it’s a question of detection. FIN4 often uses Tor software, beloved of shady and privacy-loving types alike, when accessing hijacked email accounts. That’s one way to spot the activity, FireEye says, but that can only limit the damage. It’s a new kind of hedge fund seeking a new kind of inside information – and just one more worry for the merger-minded.
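One way a defender could apply the detection heuristic FireEye describes, as an added example that is not code from the article or from FireEye: match successful webmail logins against a list of Tor exit addresses and record what the account's normal source addresses were. The log format, user names, addresses and the exit list are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a Tor exit-node list (documentation-range addresses,
# not real relays). A real deployment refreshes this from the Tor Project's
# published exit list on a schedule.
TOR_EXIT_IPS = {"198.51.100.7", "203.0.113.42"}

# Constructed webmail authentication log: "<timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2014-12-01T08:02:11Z cfo@example.com 192.0.2.10 success
2014-12-01T08:05:40Z cfo@example.com 192.0.2.10 success
2014-12-01T21:17:03Z cfo@example.com 198.51.100.7 success
2014-12-01T21:18:55Z counsel@example.com 203.0.113.42 failure
2014-12-02T09:00:00Z counsel@example.com 203.0.113.42 success
"""

def parse_log(text):
    """Yield (timestamp, user, ip, result) for each well-formed line; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        try:
            ipaddress.ip_address(ip)  # reject malformed addresses early
        except ValueError:
            continue
        yield ts, user, ip, result

def flag_tor_logins(log_text, tor_exits):
    """Return alerts for successful mailbox logins arriving from a Tor exit.

    Each alert carries the addresses the account previously logged in from,
    so an analyst can see whether Tor is a departure from normal behaviour.
    """
    seen_ips = defaultdict(list)   # user -> prior successful source addresses
    alerts = []
    for ts, user, ip, result in parse_log(log_text):
        if result != "success":
            continue  # only a successful login gives the intruder the mailbox
        if ip in tor_exits:
            alerts.append({"time": ts, "user": user, "ip": ip,
                           "prior_ips": sorted(set(seen_ips[user]))})
        if ip not in seen_ips[user]:
            seen_ips[user].append(ip)
    return alerts

if __name__ == "__main__":
    for a in flag_tor_logins(SAMPLE_LOG, TOR_EXIT_IPS):
        print(f"{a['time']} {a['user']} logged in via Tor exit {a['ip']}; "
              f"previously seen from {a['prior_ips'] or 'no other address'}")
```

Run on the constructed log it raises two alerts: the executive's account, which normally logs in from one internal address, and the adviser's account, whose only successful login comes from a Tor exit.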