Year-long Investigation by FireEye Reveals Potentially US-Based FIN4 Heavily Targeting Publicly Traded Healthcare and Pharmaceutical Companies
FireEye has released a comprehensive intelligence report that assesses that a financially motivated advanced threat group has been carrying out ongoing attacks against publicly traded companies in a likely attempt to play the stock market.
The report – Hacking The Street? FIN4 Likely Playing the Market – details the work of a team of native English-speaking operators with extensive knowledge of the nuances of the industries they targeted as well as of financial practices. Designated by FireEye as FIN4, the group has been observed collecting information from nearly 100 publicly traded companies or their advisory firms, all parties who handle insider information that gives a clear trading advantage to the attacker.
“Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action,” said Dan McWhorter, VP of threat intelligence, FireEye. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.”
While FIN4’s unique methodology of not using malware allows them to evade traditional detection and attribution, the report provides analysis of the social engineering and document weaponization the group employs, as identified through FireEye investigations and detections. FireEye researchers also found that while FIN4 has highly advanced techniques for breaking into an organization, they have weak security practices for the data they transmit. Stolen login credentials were shown to be transferred to FIN4 servers in plain text, while the operators themselves use Tor to mask their locations and identities.