A financially motivated advanced threat group, dubbed FIN4, has been carrying out ongoing attacks against the publicly traded companies in a likely attempt to play the stock market.
According to FireEye, FIN4 has been observed collecting information since 2013, from nearly 100 publicly traded companies, their advisory firms and all parties who handle insider information, giving the attacker a clear trading advantage.
“FIN4 appears to conduct intrusions that are focused on a single objective: obtaining access to insider information capable of making or breaking the stock prices of public companies,” FireEye’s threat intelligence team said in a blog. “The group specifically targets the emails of C-level executives, legal counsel, regulatory, risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information.”
Further, more than two thirds of the targeted organizations are healthcare and pharmaceutical companies—likely targeted since their stocks can move dramatically in response to news of clinical trial results, regulatory decisions or safety and legal issues.
“Unlike nation-state advanced threat groups originating from China or Eastern Europe tracked by FireEye, FIN4 does not utilize malware, and instead relies heavily on highly targeted social engineering tactics and deep subject matter expertise to deliver weaponized versions of legitimate corporate files,” a spokesperson told Infosecurity in an email. “This has allowed them to evade traditional detection and attribution. However, FireEye believe that FIN4 is either US-based or possibly Western European, as they have a strong command for English colloquialisms, regulatory and compliance standards and industry knowledge.”
This team of native-English speaking operators (with clear, extensive knowledge of the nuances in industries they targeted as well as financial practices) is using tactics that have never been seen before, according to FireEye.
“Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action,” said Dan McWhorter, vice president of threat intelligence at FireEye, in the firm’s analysis. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.”
FireEye found that since at least mid-2013, FIN4 has made product development, M&A strategies, legal issues and purchasing processes of companies its target data points.
While FIN4’s unique methodology of not using malware allows the group to evade traditional detection and attribution. And, they have security practices on the data they transmit. Stolen login credentials were shown to be transferred to FIN4 servers in plain text while the operators themselves use TOR to mask their locations and identities.