A group of cybercriminals with financial markets expertise has been discovered hacking companies across the globe, according to analysts from FireEye, a computer security company.
The group, designated "FIN4" by FireEye, has operated since at least mid-2013 and is known to have targeted 100 organizations — all of them publicly traded companies or advisory firms. About two-thirds of the hackers' targets are involved in the health care and pharmaceutical sectors.
For the most part, FIN4 targets individuals who might have access to sensitive, non-public information regarding mergers and acquisitions or upcoming, market-moving announcements.
In one case, for example, FIN4 launched simultaneous cyber campaigns against five organizations involved in a single merger deal. The attacks went on, unnoticed, for five months before the deal was reported in the media. In a second notable case, the gang monitored employees involved in US Medicaid rebates and government purchasing processes, which have the potential to significantly influence and alter stock prices.
Alaa Eddin Al Dabbagh, FireEye's Saudi Arabia-based regional sales manager, said the hackers attempt to go unnoticed as they gain sensitive information.
"They are capable of stealing information at a distance without anyone discovering them," he said. "This can then be used on the stock market. They (FIN4) can get their customers to buy stocks in that area."
To gain access to target computers, most cyber criminals use malware. FIN4, on the other hand, uses its deep subject-matter expertise and social engineering to deliver virus-laden copies of official corporate documents.
"They are very smart. They are using very simple techniques, but using them in a very smart way," Al Dabbagh explained. "By not using malware, they make it very difficult to use tools to detect them. They are just using spear phishing and social engineering to gain access to emails.
"They then smartly modify certain email accounts to connect to others, using these email accounts as a source for spear phishing others. It's very difficult to discover. There is no tool that can stop them ... With this group, they don't want to take over a network or a computer. They just want access to the emails."
Manipulating email accounts
During its investigation into FIN4, FireEye also found that the group uses a variety of sophisticated methods to evade detection by employees of the targeted company. For instance, the group has secretly manipulated email accounts to automatically delete messages with any mention of terms such as "hacked" to prevent employees from warning each other.
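The self-protecting inbox rule described above, a rule that quietly deletes any message containing a word like "hacked", leaves a durable artefact that a defender can audit for. The script below is an added example, not FireEye's tooling or anything from the article: it scans mailbox rules in a simplified, hypothetical schema (a real audit would map an export such as Exchange's Get-InboxRule output onto it) and flags rules that hide messages matching security vocabulary. It also flags rules that auto-forward mail outside the organization, a related indicator of account takeover that goes beyond what the article itself reports. All rule records and addresses are constructed sample data.

```python
"""Audit mailbox rules for the kind of rule an intruder adds to keep a
victim from being warned: one that silently deletes or buries messages
mentioning a security term.

Assumptions (not from the article): the simplified InboxRule schema,
the internal_domain parameter and all sample records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Words colleagues use when warning each other; a filter keyed on these
# is rarely legitimate.
SECURITY_TERMS = ("hacked", "hack", "phish", "compromised", "malware",
                  "suspicious", "breach", "virus")

# Actions that remove a matching message from the user's normal view.
HIDING_ACTIONS = ("delete", "permanent_delete",
                  "move_to_deleted_items", "move_to_junk")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    conditions: list[str]              # words or phrases the rule matches on
    actions: list[str]                 # action identifiers (see HIDING_ACTIONS)
    forward_to: list[str] = field(default_factory=list)


@dataclass
class Finding:
    mailbox: str
    rule: str
    reason: str


def _mentions_security_term(text: str) -> bool:
    # \b anchors the start of the word so "hack" also catches "hacked".
    return any(re.search(r"\b" + re.escape(t), text, re.IGNORECASE)
               for t in SECURITY_TERMS)


def analyze_rules(rules: list[InboxRule], internal_domain: str) -> list[Finding]:
    """Return one Finding per suspicious rule property."""
    findings: list[Finding] = []
    suffix = "@" + internal_domain.lower()
    for r in rules:
        hides = any(a in HIDING_ACTIONS for a in r.actions)
        keyed = [c for c in r.conditions if _mentions_security_term(c)]
        # Only the combination is suspicious: a helpdesk may legitimately
        # route "phishing report" mail to a folder it still reads.
        if hides and keyed:
            findings.append(Finding(
                r.mailbox, r.name,
                f"hides messages matching security terms: {keyed}"))
        external = [a for a in r.forward_to if not a.lower().endswith(suffix)]
        if external:
            findings.append(Finding(
                r.mailbox, r.name,
                f"auto-forwards mail outside {internal_domain}: {external}"))
    return findings


# Constructed sample export for one fictional organization.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Newsletters",
              ["newsletter", "unsubscribe"], ["move_to_folder:Newsletters"]),
    # Attacker-style rule: terse name, keyed on warning words, deletes.
    InboxRule("cfo@example.com", ".",
              ["hacked", "phishing", "suspicious email"],
              ["move_to_deleted_items"]),
    InboxRule("deal-counsel@example.com", "Archive",
              [], ["move_to_folder:Archive"],
              forward_to=["collector@mail-relay.invalid"]),
    # Legitimate: routes reports to a folder that is still monitored.
    InboxRule("it-helpdesk@example.com", "Ticket triage",
              ["phishing report"], ["move_to_folder:Security"]),
]


def main() -> None:
    for f in analyze_rules(SAMPLE_RULES, "example.com"):
        print(f"{f.mailbox}\trule={f.rule!r}\t{f.reason}")


if __name__ == "__main__":
    main()
```

Run against a real export, the two checks together catch the pattern the article describes (warning words plus a hiding action) without drowning the reviewer in the many benign folder-routing rules a mailbox accumulates; the forwarding check is the natural companion because the same intruder needs the stolen mail delivered somewhere.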
Additionally, Al Dabbagh noted that FIN4 appears to be made up of native English speakers well versed in financial and business jargon. FireEye believes the group is based in the US, or possibly Western Europe.
"Not only do they have a very good level of English, but we have seen they have very good information and knowledge about how these public companies are working, the technology in use, and the inner workings of how they use their emails," he said. "The language and structure of the emails they are using looks like the original CEO or CIO is writing the email.
"These people are not only technical people who know only how to use technology and gain access to information. They know the victims and how they operate internally."
Al Dabbagh said he believes that FIN4 is made up of dedicated professional criminals, rather than part-time hackers.
"These are full-time employees sitting there getting paid just to do this. They are not amateurs," he said. "They are just getting information that will guide them to the future of stock prices."
GCC countries most targeted
The group is the latest cyber gang discovered targeting major corporations. In early June, another security company, Symantec, announced that it had uncovered a group that had targeted 49 companies, including at least three based in the UAE.
Such groups present a clear threat to the UAE and other countries in the region, Al Dabbagh warned.
"In the cyber world, knowledge transfer is very important. Sometimes we see attacks happen in the States and a month or two later in Europe," he said. "It's no secret that GCC countries are among the most targeted.
"Sooner or later, these kinds of attacks that target the stock market will appear in the region, and companies should be aware of that and be prepared. If it hasn't happened already by now, it will be coming ... In a few years, this will be very, very common."
To protect against such threats, Al Dabbagh advised UAE companies to implement strict security policies and educate their workers.
"They should have awareness education programs for their employees to avoid falling victim to spear phishing and very simple attacks that can be avoided," he said. "It is recommended as well to have a serious security assessment by experts who can check the networks.
"Anyone who thinks that their data is safe from these attacks should think twice."
By Bernd Debusmann Jr.