Hackers trade on inside information to net $100M

Up to 32 stock traders and hackers are alleged to have infiltrated the computer servers of PRNewswire Association LLC, Marketwired and Business Wire, a unit of Warren Buffett's Berkshire Hathaway Inc, over a five-year period and used the early access to 150,000 news releases on mergers, acquisitions and financial results to trade prior to the information being made public.

Five traders involved have been arrested in morning raids in Georgia and Pennsylvania while four others indicted on hacking and securities fraud charges remain at large.

Prosecutors in Brooklyn and New Jersey accused the traders of accessing data processed by financial wires to buy and sell company shares in a scam that netted the nine men some US$ 30 million (£20 million). A wider lawsuit by the Securities and Exchange Commission listed more than two dozen individuals and companies as defendants in what was described as the largest fraud of its kind ever prosecuted which had earned US$100 million (£64 million) in illegal profits.

Among the defendants is US trader Vitaly Korchevsky from Philadelphia who previously ran a mutual fund and worked on Wall Street before starting his own hedge fund. Named in the 23-count New Jersey indictment are Ivan Turchynov, Oleksandr Ieremenko, Arkadiy Dubovoy, Igor Dubovoy and Pavel Dubovoy.

Bloomberg reports that the suspected hackers are thought to be in Ukraine, and says that the illegally obtained information was sent to associates in America and Ukraine to buy and sell shares in companies.  It is not known if there is any connection with a similar operation by a sophisticated hacking group dubbed “FIN4” which FireEye reported had tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events since mid-2013.

More than 100 companies were targeted in the latest action, including Panera Bread Co, Boeing Co, Hewlett-Packard Co, Caterpillar Inc and Oracle Corp, with “approximately 1,000 inside the window trades through retail brokerage accounts.” Money was then shifted offshore through Estonian banks, according to one of two federal indictments unsealed Tuesday.

An example of their activity was making a $1m profit in early 2012 when Caterpillar submitted news of a 36 percent profit hike to PRNewswire . During the 24 hours that the information sat in the wire's server the hackers bought $8.3 million in Caterpillar stock and options which rose 2 percent from $109.05 to $111.31 that day.

Acting Brooklyn US Attorney Kelly Currie announced the charges at a press conference in Newark, New Jersey yesterday saying: “Today's international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved and the number of securities and the amount of illegal profit.”

Ollie Whitehouse, technical director at NCC Group commented in a email to “We often see organised crime syndicates as one of the key cyber-threat actors, but rarely does the public see a concrete example like this which illustrates the size, scale and sophistication of these groups. The truth is these sorts of operations by criminals are happening all over the world and it is just another way that organised crime has adjusted to the 21st century.
“If your motivation is money then as a criminal you simply go where the money is. This incident underlines the risk posed to stock markets, associated organisations and their supply chains. They will be targeted, so their security strategy must reflect this and adapt accordingly, focusing on detection, response and resilience."

In an email to Matt Middleton-Leal, regional director, UK & I at CyberArk added: “While details of these breaches are emerging, it seems that attackers were able to access and take full control of the press release services' websites via privileged or administrative accounts. It's often said you're only as secure as your weakest link, and this is yet another example of how third parties can be used by attackers to infiltrate a target organisation for financial gain.

“The fact is that the exploitation of privileged accounts has been found to be the primary attack vector in almost 100 percent of cyber-attacks and data breaches in recent years. These access points provide the most far reaching access to a corporate network and the most sensitive information held within, which, in the case of this latest attack, is highly sensitive financial information prior to public release.

“With high-profile corporate network takeovers becoming more commonplace, it's time for organisations to re-assess security programmes by adopting the mind-set that the attacker is already inside. Ensuring that the privileged access granted to staff and third party contractors is tightly managed and monitored in real-time, with the option to detect and immediately terminate a suspicious session is vital to containing risk and limiting damage.”

Calling information the new currency, Martin Kleczynski, in comments emailed to, noted that cybercrime "revolves primarily around one single goal: making money" and that, in turn, "has brought in not only talented computer nerds but also organized criminals, drug dealers, smugglers and even now, stock traders."

Other experts emailed SC to note how sophisticated phishing attacks with excellent use of English and knowledge of financial markets were used and considered what might be done to thwart these attacks. Wieland Alge, VM & GM EMEA at Barrcuda Networks, said: "In today's digital age, data breaches that result from targeted email phishing have become increasingly common and sophisticated. Typically these messages appear to come from a well-known, trustworthy web site so initially those that have been the target of an attack, don't even realise they've fallen victim. There is, however, an even easier channel to attack - HR departments. They are typically flooded by unsolicited applications containing all types of attachments and they are encouraged and even obliged to open them. It is a must for IT security to implement countermeasures against targeted attacks using that channel."

And Eric Chui, president and co-founder of HytTrust, in comments emailed to, pointed out that the case demonstrates just how hard it is to uncover breaches. "It took over 5 years to detect and prosecute these crimes, which highlights how difficult it is to detect breaches, especially once the attacker is on the network," he said.

"Wire firms are obvious targets for cyber-criminals and the fact of the matter is that these companies store large amounts of sensitive – and valuable - data," said Alge. "However, at the end of the day all businesses have a duty of care to ensure that they have robust security systems in place to protect their own and their customers' data. If they fail to do so they are rolling the dice when it comes to their reputation, share value and ultimately long-term survival."

Ryan Barrett, VP of security and privacy at Intermedia, responded in an email to noting how employee simulation exercises can help prevent staff falling victim. He told SC: “Phishing based cyber-attacks are frequently successful because they rely on human error; whether it's ignoring an alert to install the latest software update, or being careless when clicking on links. Having good online hygiene — as shown by Marketwired's employees successfully identifying the phishing attempt and preventing the intrusion — mitigates a company's threat surface area.

"Hackers are putting in the man-hours to make these attacks more successful; businesses need to be doing the same to strengthen their security.

  • Staging simulated phishing attacks on your employees, before the attackers do, leads to well trained employees who are better equipped to spot phishing attacks and thwart them.
  • Businesses should register as many domains as they reasonably can that contain permutations of their actual domain. This helps to thwart would be spear phishers, because you've removed one of their core tools. It's inexpensive and can be very effective.
  • Additionally, these domains can be used to “phish” their own employees as an additional training method.

"An additional test is to leave non-company branded USB flash drives around the office and see who plugs them in to their laptops. Load the drive with a simple word document explaining how the device he or she just plugged into the laptop could have infected their machine (and likely the company's network). The goal isn't to chastise employees, but show them how quickly a simple misstep can quickly put them at risk. In fact, the ones who turn in the USB drive without plugging it in, should be rewarded."

Chiu called for organizations to reconsider what information could be considered valuable--and therefore a target. "Companies need to think beyond the obvious — credit card numbers, patient health information and government secrets — to really think about how data can be valuable in the hands of the wrong person,” he said. pointing out that uncovering breaches can be difficult.

This story originally appeared in with additional reporting by

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.