13/8/2015, by Bachir El Nakib (CAMS), Senior Consultant, Compliance Alert (LLC).


Federal investigators Tuesday cracked an alleged insider trading ring that used hackers to puncture public relations firms and steal company press releases, reaping more than $100 million in profits by trading on the influential information just hours before being made public.

The two key members of the group, thought to be Ukrainian, and scores of co-conspirators breached the computer systems of Business Wire, Marketwired and PRNewswire Association LLC over a five-year period, according to a federal indictment and a related lawsuit by the Securities and Exchange Commission (SEC).

Once the information was acquired – a total of more than 150,000 press releases, which included corporate earnings details that can dictate stock movements – the hackers worked with some half-dozen trading companies in the US and Ukraine.

Those traders used the advanced information to buy and sell shares and engage in options trading for dozens of companies, including Caterpillar, Boeing and Panera Bread, chiefly through retail brokerage accounts. Court documents stated the group targeted 100 companies and made more than 1,000 trades based on the purloined press releases, netting between $30 million and $100 million.

The case may also represent financial crime compliance failures: at least two shell companies cited in the indictment held bank accounts at foreign institutions in Estonia and Macau, suggesting those institutions may not have asked deep enough due diligence questions to uncover that the companies were shams.

As well, there could be anti-money laundering (AML) implications for domestic securities firms if the more than half-dozen trading operations involved – including names like E-trade and Fidelity Investments – are found to have had lax due diligence on the entities and individuals involved or failed to properly monitor or report on suspicious trading activity.

The case “highlights the lengths to which talented hackers working with rings of other individuals will go to steal data which is valuable,” said Joseph DeMarco, a partner at New York-based DeVore & DeMarco and a former Assistant US Attorney for the Southern District of New York who headed its computer hacking program.

The data was not itself “intrinsically valuable,” such as a hacker getting credit and debit card details, which can be turned around easily for profits, but was akin to a trade secret because it “allowed the front running of trades,” he said.

Hackers attacked on many fronts

The group allegedly used a wide array of cyber attack tactics to get into the systems, including:

  • Phishing: an attempt to gain unauthorized access to a computer or computers by sending an email that appears to be a legitimate communication from a trustworthy source but contains malware or a link to download malware. Used to steal login credentials.
  • Reverse shells: a specific type of malware designed to initiate a connection to an external computer from within a hacked computer network.
  • SQL injection attacks: methods of hacking into and gaining unauthorized access to computers connected to the Internet using a series of SQL instructions. SQL, or Structured Query Language, is a computer programming language designed to retrieve and manage information in computer databases.
  • Brute force attacks: “bruting” refers to decrypting data by running programs that systematically check all possible passwords until the correct password is revealed.
  • Pass the hash: this methodology of bruting can be used to decrypt “password hashes,” which are strings of encrypted data generated when a password is passed through an encryption algorithm.
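To make the SQL injection item concrete from a defender's point of view, here is an added example in Python using the standard sqlite3 module; it is not code from the article or from the indictment. It assumes a hypothetical press-release archive table with an `embargoed` flag, and shows a lookup that pastes the caller's value into the query text beside the parameterised form that binds it, plus a simple input-shape check as a second line of defence. The sample rows, the identifier format and the malformed lookup value are all constructed.

```python
import re
import sqlite3

# Constructed sample data (not from the case): a tiny press-release archive.
# Rows with embargoed=1 are not yet public and must never be returned to an
# ordinary lookup by release id.
SAMPLE_RELEASES = [
    ("PR-1001", "Q2 results: revenue up 12%", 0),
    ("PR-1002", "Q3 results (EMBARGOED until 08:00 ET)", 1),
    ("PR-1003", "Board appoints new CFO", 0),
]

# Hypothetical id format used by this archive: "PR-" followed by digits.
RELEASE_ID_RE = re.compile(r"^PR-\d{1,8}$")


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE releases (id TEXT PRIMARY KEY, title TEXT, embargoed INTEGER)"
    )
    conn.executemany("INSERT INTO releases VALUES (?, ?, ?)", SAMPLE_RELEASES)
    return conn


def lookup_vulnerable(conn, release_id):
    """Weak form: the caller-supplied value is spliced into the SQL text.

    Because the value becomes part of the statement, a quote character in it
    can terminate the string literal and change the WHERE clause, so the
    `embargoed = 0` restriction is no longer guaranteed to apply.
    """
    sql = (
        "SELECT title FROM releases "
        f"WHERE id = '{release_id}' AND embargoed = 0"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, release_id):
    """Parameterised form: the driver binds the value to the placeholder.

    Whatever the value contains, it is only ever compared against the id
    column; it cannot alter the structure of the statement.
    """
    sql = "SELECT title FROM releases WHERE id = ? AND embargoed = 0"
    return [row[0] for row in conn.execute(sql, (release_id,))]


def is_valid_release_id(release_id):
    """Defence in depth: reject anything that is not shaped like a release id.

    Validation does not replace parameterised queries, but it cuts the
    attack surface and gives a clean signal to log and alert on.
    """
    return bool(RELEASE_ID_RE.match(release_id))


if __name__ == "__main__":
    conn = build_db()
    benign = "PR-1001"
    malformed = "PR-1001' OR 1=1 --"   # constructed malformed input
    print("vulnerable, benign  :", lookup_vulnerable(conn, benign))
    print("vulnerable, malformed:", lookup_vulnerable(conn, malformed))
    print("hardened, malformed  :", lookup_hardened(conn, malformed))
    print("id check on malformed:", is_valid_release_id(malformed))
```

Run as a script it prints that the weak lookup returns every row, embargoed ones included, for the malformed value, while the parameterised lookup returns nothing and the shape check rejects the value outright. The same distinction applies to any driver: `?` or `%s` placeholders with a parameter tuple, never string formatting into the SQL text.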

That phishing – simply sending individuals in the company emails with malicious links that, when clicked, can capture login or other details – was one of the tactics used to gain virtual entry to the PR firms is not surprising, DeMarco said, even though it is a well-known attack vector.

“Phishing and spear phishing and other social networking-related exploits continue to be a real challenge for even the most sophisticated organization,” he said.

Confident cyber thieves woo traders with recorded exploits

The hackers allegedly recruited traders with a video showcasing their ability to steal the earnings information before its public release.

The complaint charges that in return for the information, the traders sometimes paid the hackers a share of their profits, even going so far as to give the hackers access to their brokerage accounts to monitor the trading and ensure that they received the appropriate percentage of the profits.

The complaint charges that the traders sought to conceal their illicit activity by establishing multiple accounts in a variety of names, funneling money to the hackers as supposed payments for construction and building equipment, and trading in products such as contracts for difference (CFDs).

The group placed thousands of trades through a network of U.S. and overseas traders located in the Russian Federation, Ukraine, Malta, Cyprus, France, New York, Pennsylvania and Georgia – geographies electronically connected to form a wide-ranging illicit network.

As part of several raids, the government seized 17 bank and brokerage accounts containing more than $6.5 million of alleged criminal proceeds.

The government also took steps to restrain 12 properties, including a shopping center located in Pennsylvania, an apartment building located in Georgia, and a houseboat, all worth more than $5.5 million. The charges include securities and computer fraud, identity theft and money laundering conspiracy.

Sophistication, creativity of criminal cyber groups growing

The case “illustrates the risks posed for our global markets by today’s sophisticated hackers,” SEC Chief Mary Jo White said.

Over the course of five years, the 32 defendants named in a corresponding SEC lawsuit carried out a “brazen scheme to steal non-public earnings information for hundreds of publicly traded companies,” she said.

Options, for instance, are trading structures that bet on whether a stock will go up or down, and are typically timed around an event, such as an earnings report. The SEC also obtained an asset freeze of $20 million in illicit profits, according to White.

The group concealed their scheme by spreading the transactions across multiple accounts held in the names of many individuals and entities. The traders were also “market savvy, using equities, options and contracts-for-differences to maximize their profits,” she said.
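The two surveillance points raised above, that brokerage firms may have failed to monitor suspicious trading activity, and that the traders spread their transactions across many accounts, can both be exercised with a small check. The following is an added illustration written for this page; it is not code from the article, the SEC or any firm named here. It scores each trading account by how often its trades land in a short window before a scheduled press release for the same issuer, and can roll accounts up to a common beneficial owner so that splitting trades across accounts does not hide the pattern. The release times, trades, account names and owner linkage are constructed sample data, and the four-hour window and the flagging thresholds are arbitrary assumptions to be tuned against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the case): scheduled release times per issuer.
RELEASES = {
    "ACME": [datetime(2015, 4, 21, 8, 0), datetime(2015, 7, 21, 8, 0)],
    "BOLT": [datetime(2015, 7, 23, 16, 30)],
}

# Constructed trade blotter: (account, ticker, executed_at, side).
TRADES = [
    ("ACCT-1", "ACME", datetime(2015, 7, 21, 6, 5), "BUY"),
    ("ACCT-1", "ACME", datetime(2015, 4, 21, 5, 40), "BUY"),
    ("ACCT-3", "BOLT", datetime(2015, 7, 23, 14, 10), "SELL"),
    ("ACCT-2", "ACME", datetime(2015, 6, 2, 10, 0), "BUY"),
    ("ACCT-2", "BOLT", datetime(2015, 7, 1, 11, 0), "BUY"),
    ("ACCT-2", "ACME", datetime(2015, 7, 21, 7, 30), "BUY"),
]

# Constructed KYC linkage: two accounts opened in different names but tied to
# one beneficial owner by onboarding data.
OWNER_OF = {"ACCT-1": "OWNER-X", "ACCT-3": "OWNER-X"}

# Assumed look-back window before a release; a real programme would calibrate it.
WINDOW = timedelta(hours=4)


def is_pre_release(ticker, executed_at, releases=RELEASES, window=WINDOW):
    """True if the trade was executed inside `window` before any release for ticker."""
    return any(
        timedelta(0) < (release_at - executed_at) <= window
        for release_at in releases.get(ticker, [])
    )


def score_accounts(trades=TRADES, releases=RELEASES, window=WINDOW, owner_of=None):
    """Return {key: (pre_release_trades, total_trades)}.

    `key` is the account itself, or its beneficial owner when `owner_of`
    supplies a linkage, which is what defeats spreading trades across accounts.
    """
    owner_of = owner_of or {}
    totals, hits = defaultdict(int), defaultdict(int)
    for account, ticker, executed_at, _side in trades:
        key = owner_of.get(account, account)
        totals[key] += 1
        if is_pre_release(ticker, executed_at, releases, window):
            hits[key] += 1
    return {key: (hits[key], totals[key]) for key in totals}


def flag_accounts(trades=TRADES, releases=RELEASES, window=WINDOW,
                  owner_of=None, min_hits=3, min_ratio=0.75):
    """Keys whose pre-release trades are both frequent and a high share of activity.

    Requiring several hits avoids flagging a single coincidental trade; the
    ratio separates a consistent pattern from an active account that trades
    constantly and sometimes happens to land before a release.
    """
    flagged = []
    for key, (hit_count, total) in score_accounts(trades, releases, window, owner_of).items():
        if hit_count >= min_hits and hit_count / total >= min_ratio:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    print("per account :", score_accounts())
    print("flagged     :", flag_accounts())
    print("per owner   :", score_accounts(owner_of=OWNER_OF))
    print("flagged     :", flag_accounts(owner_of=OWNER_OF))
```

Scored per account, ACCT-1 and ACCT-3 each sit below the hit threshold and nothing is flagged; rolled up to OWNER-X, the same trades show three pre-release executions out of three and the owner is flagged. The point for a compliance team is that the linkage data gathered at onboarding is what makes the surveillance rule effective, which is why due diligence gaps on account holders translate directly into monitoring gaps.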

Truly surprising was the “level of sophistication and coordination of the hackers, the depth of trading information of the co-conspirators and the fact that it went on for so long, was so wide ranging and involved people all over the globe,” DeMarco said.

Even so, there are “probably other cases out there like this that are similarly complex, far flung and long lasting, are being investigated and prosecuted,” he said. “But there are also many that will escape detection.”
