Researchers at FireEye have issued a report on an attack group targeting C-level executives to get insider information that could be used to gain an advantage in the stock market.
FireEye has dubbed the group ‘FIN4’. Since mid-2013, researchers have linked them to attacks at more than 100 companies. All of the targeted organizations are either public companies or advisory firms that provide services to those companies, such as investment banking firms and legal firms. More than two-thirds are healthcare and pharmaceutical companies.
All but three of the public companies are listed on the NASDAQ or the New York Stock Exchange (NYSE). The remaining three are listed on non-U.S. exchanges.
“We are able to characterize FIN4’s activity from the incidents to which we have responded in our clients’ networks, FIN4’s attempts to compromise our managed service clients, our product detection data, and further independent research,” FireEye noted in a report on the group. “Our visibility into FIN4’s activities is limited to their network operations; we can only surmise how they may be using and potentially benefiting from the valuable information they are able to obtain. However one fact remains clear: access to insider information that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage.”
According to FireEye, FIN4 focuses heavily on getting information about discussions related to mergers and acquisitions (M&A), and targets not only executives, but also regulatory, risk and compliance personnel as well as legal counsel and others. The group frequently uses lures related to M&A activity and the U.S. Securities Exchange Commission with visual basic applications (VBA) macros implemented to steal the usernames and passwords of these key individuals.
FIN4 has also utilized links to fake Outlook Web App (OWA) login pages in order to steal the user’s credentials. Once those credentials are in hand, the group then has access to real-time email communications and possibly insight into potential deals and their timing.
“Many of FIN4’s lures appeared to be stolen documents from actual deal discussions that the group then weaponized and sent to individuals directly involved in the deal,” according to the report. “In some cases, the discussions were public knowledge and widely reported in the media, while others were still in the early exploration and due diligence phases. In one instance, we observed FIN4 simultaneously target five different organizations involved in a single acquisition discussion. The group targeted individuals at the five firms several months before the organizations’ involvement in the acquisition talks went public.”
Given the group’s knowledge of English, regulatory and compliance standards and industry knowledge, FireEye researchers believe FIN4 to be either based in the U.S. or Western Europe.
“Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action,” said Dan McWhorter, VP of threat intelligence at FireEye, in a statement. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.”
FireEye recommends organizations disable VBA macros in Microsoft Office by default and block the domains associated with the attack that are listed in the report, such as ellismikepage[.]info and rpgallerynow[.]info. In addition, organizations should enable two-factor authentication for OWA and any other remote access mechanisms to prevent credentials from being stolen and leveraged by the attacker.
“Companies can also check their network logs for OWA logins from known Tor exit nodes if they suspect they are victimized,” according to the report. “Typically, legitimate users do not use Tor for accessing email. While not conclusive, if paired with known targeting by this group, the access from Tor exit nodes can serve as an indicator of the group’s illicit logins.”