U.S. Issues Multiple Charges For 2016 SEC Hack

The two were able to hack into the SEC’s computer systems due to phishing attacks that stole credentials and spread malware.

Two Ukrainians have been indicted for hacking the U.S. Securities and Exchange Commission (SEC) in order to steal and sell non-public, confidential information from publicly-traded companies.

The two have been charged as part of a large-scale conspiracy to hack the SEC’s computer systems and profit by trading on critical information they stole, the Department of Justice said in a Tuesday indictment. The SEC hack was first disclosed Sept. 20, 2017, but only now have those believed to be involved, as well as the full details of the scheme, been revealed.

In total, the traders who used this information traded before at least 157 earnings releases from May to October 2016 – and generated at least $4.1 million in illegal profits, according to the SEC.

“The defendants charged in the indictment announced today engaged in a sophisticated hacking and insider trading scheme to cheat the securities markets and the investing public,” U.S. Attorney Craig Carpenito said in a statement. “They targeted the Securities and Exchange Commission with a series of sophisticated and relentless cyber-attacks, stealing thousands of confidential EDGAR filings from the Commission’s servers and then trading on the inside information in those filings before it was known to the market, all at the expense of the average investor.”

The two hackers charged by the U.S., Artem Radchenko, 27, and Oleksandr Ieremenko, 26, are both of Kiev, Ukraine. An array of traders from California, Russia and Ukraine were also involved in the scheme, according to authorities.

The DoJ said that the two hacked into the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system between February 2016 and March 2017. The EDGAR system is used by publicly traded companies to file required disclosures.

In order to access the SEC’s computer networks, the defendants used a series of “targeted cyber-attacks,” said the DoJ.

That included phishing attacks and directory traversal attacks, which are HTTP attacks that enable attackers to access restricted directories and execute commands outside of the web server’s root directory.

The two are also accused of inducing SEC computer users to open documents containing malware, sent via spoofed phishing emails that falsely represented they had been sent by SEC security personnel.

Once the hackers had access to the test filings on the EDGAR system, they stole them by copying the test filings to servers they controlled, said the DoJ. “For example, between May 2016 and October 2016, the defendants extracted thousands of test filings from the EDGAR servers to a server they controlled in Lithuania.”

The hackers stole “thousands of files,” including annual and quarterly earnings reports containing confidential, non-public, and financial information (which these publicly traded companies are required to disclose to the SEC).

“These filings contained detailed information about the financial condition and operations of the companies, including their earnings,” said the DoJ. “Such information can, and often does, affect the stock price of the companies when it is made public, and is therefore highly confidential prior to its disclosure to the general public.”

The two then profited by selling access to the confidential info in these reports and trading on this stolen information prior to its distribution to the investing public, according to the indictment.

The EDGAR system wasn’t the only one impacted – the two also targeted draft press releases on newswire services, which often contain material nonpublic information to be included in the final public version of companies’ press releases.

From 2010 until 2015, Ieremenko and others, the SEC claims, also hacked multiple newswire services’ computer systems and accessed over 100,000 draft press releases before they were published.

The SEC hacking incident shed light on the potential fallout of a cyberattack on U.S. markets.

“This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types,” said SEC chairman Jay Clayton in a Tuesday statement. “These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders.”
