A criminal hacking group with an innate understanding of how Wall Street moves and what influences stock prices has found a soft spot in more than 100 publicly traded companies and is stealing, among other data, mergers and acquisitions intelligence.

The group is homed in on healthcare and pharmaceutical organizations, their advisory firms, including legal counsel, investor relations, and investment banking partners, and is using well-crafted phishing campaigns to steal legitimate email credentials. Once they gain access to an email account belonging to a top executive, outside consultant, legal counsel or researcher, they’re able to gain insider information that could influence stock prices and put them at a trading advantage.

Researchers at FireEye released a report today on the group they’re calling FIN4, which has been active since mid-2013. Threat intelligence manager Jen Weedon said the group is likely American because of its grip on English, use of slang, and comprehensive understanding of Wall Street dynamics. She said there is no evidence of typical APT-style nation-state involvement.

“It appears to me that these guys are stealing information that would give them a leg up in the stock market,” Weedon said. “We don’t know if they’re tied into any broader organized crime; they’re unlike anything we’ve ever actually tracked. Without having a huge amount of visibility into exactly who they are, my impression is that they’re probably guys who worked on Wall Street before and are not career criminals, but perhaps have found a fruitful side project.”

Weedon said that more than 100 companies have been compromised by this group, 68 percent of those in the healthcare and pharmaceutical industries and another 20 percent that act in an advisory capacity, advising on securities, legal questions and other issues relevant to M&A activity. Organizations that have been compromised have been notified by FireEye and/or law enforcement. The FIN4 group, however, is still active and Weedon said a new command and control server has been discovered since publication of FireEye’s report today.

The group moves stolen data over Tor, using it also to log into compromised email accounts. Two command and control server domains—junomaat81[.]us and lifehealthsanfrancisco2015[.]com—were recently active; FireEye said it has found nine C&C domains to date.

The group is not using any malware; instead they’re using phishing emails with lures appealing to investor and shareholder concerns, such as public disclosures of confidential information. A Microsoft Office document is attached in most cases, containing a Visual Basic Application which pops up a phony Outlook dialog box asking for the user’s credentials. In some cases, where VBA macros are disabled, the user is sent a link to a phony Outlook Web Access site. The macros, meanwhile, could be off the shelf, commodity VBA macros, Weedon said, adding that FireEye is unsure of their origin.

Often, Weedon said, the lures are documents stolen from other victims in the same M&A deal, lending a measure of authenticity to the attack. Once inside an inbox, the attackers not only have access to sensitive documents and communication, but they can also inject themselves into a discussion thread and influence discussions in a manner that’s advantageous to the attackers. In another twist, FireEye said it has seen Outlook rules that have been implemented on victims’ accounts that route email messages to the Deleted folder containing keywords such as “malware,” “hacked,” “phishing,” and more, presumably to keep alerts from IT organizations from reaching the victims’ inboxes.
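The Outlook rules described above are a detectable artifact: a mailbox rule that quietly files or deletes anything mentioning "malware", "hacked" or "phishing" has no legitimate business purpose. The script below is an added example, not code from the article or from FireEye, that audits a set of inbox rules for that pattern. The rule records are a constructed sample whose field names (keywords, move-to folder, delete, mark-as-read) are assumed rather than copied from any Exchange or Outlook export, and the keyword list extends the three words named in the report with a few assumed additions. It also generalizes slightly beyond the text by treating "mark as read" and outright deletion as hiding actions, not only moves to the Deleted Items folder.

```python
"""
Audit mailbox inbox rules for ones that hide security warnings, e.g. a rule
that moves messages containing "phishing" or "hacked" to Deleted Items.
The InboxRule records below are a constructed sample; the field names are an
assumption modelled loosely on a rule export, not verbatim Exchange output.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Words an IT or security team would use when warning a user. "malware",
# "hacked" and "phishing" come from the FireEye report; the rest are assumed.
ALERT_KEYWORDS = {"malware", "hacked", "phishing", "compromised",
                  "suspicious", "security", "breach"}

# Destination folders where a user is unlikely to ever look.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds",
                  "conversation history", "archive"}


@dataclass
class InboxRule:
    name: str
    enabled: bool
    keywords: List[str]                    # words matched in subject or body
    move_to_folder: Optional[str] = None   # folder the message is moved to
    delete_message: bool = False           # message deleted outright
    mark_as_read: bool = False             # message hidden from unread count


@dataclass
class Finding:
    rule: str
    matched_keywords: List[str] = field(default_factory=list)
    hiding_actions: List[str] = field(default_factory=list)
    severity: str = "medium"


def _hiding_actions(rule: InboxRule) -> List[str]:
    """List the actions of a rule that keep a message out of the user's sight."""
    actions = []
    if rule.delete_message:
        actions.append("DeleteMessage")
    if rule.move_to_folder and rule.move_to_folder.strip().lower() in HIDING_FOLDERS:
        actions.append(f"MoveToFolder={rule.move_to_folder}")
    if rule.mark_as_read:
        actions.append("MarkAsRead")
    return actions


def _matched_keywords(rule: InboxRule) -> List[str]:
    """Return the rule's trigger words that look like security-alert vocabulary."""
    return [w for w in rule.keywords
            if any(k in w.lower() for k in ALERT_KEYWORDS)]


def find_suspicious_rules(rules: List[InboxRule]) -> List[Finding]:
    """Flag enabled rules that both match alert vocabulary and hide the message."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        matched = _matched_keywords(rule)
        hiding = _hiding_actions(rule)
        if matched and hiding:
            # Deleting or burying the message is worse than merely marking it read.
            severity = ("high" if any(a.startswith(("DeleteMessage", "MoveToFolder"))
                                      for a in hiding) else "medium")
            findings.append(Finding(rule.name, matched, hiding, severity))
    return findings


# Constructed sample: one benign filing rule, one rule of the kind FireEye
# describes, one subtler variant, and one disabled rule that should be ignored.
SAMPLE_RULES = [
    InboxRule("Newsletters", True, ["newsletter", "digest"], move_to_folder="Newsletters"),
    InboxRule("asdf", True, ["malware", "hacked", "phishing", "compromised"],
              move_to_folder="Deleted Items"),
    InboxRule("helpdesk", True, ["security alert"], mark_as_read=True),
    InboxRule("old", False, ["phishing"], delete_message=True),
]

if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES):
        print(f"[{f.severity}] rule {f.rule!r} hides messages matching "
              f"{f.matched_keywords} via {f.hiding_actions}")
```

In a real audit the `SAMPLE_RULES` list would be replaced by rules pulled from the mail platform for every mailbox, and the review should include rules created through Outlook Web Access, since the article notes the attackers log in to the accounts directly over Tor.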

The concentration on healthcare and pharmaceuticals, FireEye said, is likely because stocks in those industries fluctuate rapidly in response to industry, regulatory or legal news.

“They seem to be very successful just by capturing credentials and then getting into peoples’ email and siphoning off documents in those emails. They don’t seem to need to go deeper into the environment or leverage malware to bring their operations to the next level,” Weedon said. “This specific group doesn’t show the same types of habits and predictable behavior we see out of the more robust Eastern European, Russia cybercrime groups.

“The biggest takeaway is their knowledge of what information to get that would allow them to have some sort of privileged insight into Wall Street dynamics,” Weedon said. “That’s to me what sticks out most, that they’re subject matter experts to the hilt.”
