Whoever said crime doesn’t pay wasn’t thinking out of the box, or hadn’t met Ivan Turchynov, the purported leader of a Ukrainian hacking ring recently cracked by US federal investigators and reported in the Washington Post on August 11th.
Apparently, the hackers worked with equity traders to generate upwards of $100MM in profits since 2010 by trading on stolen insider information. By stealing some 150,000 corporate press releases before they were public, they could anticipate how a stock would move once the news in each release broke, and trade ahead of it. The most ingenious aspect of the scheme? They hacked the wire services that distribute the releases, Business Wire, PR Newswire and Marketwired, rather than the individual companies. So, instead of breaking into Ford Motor Company’s network to steal a quarterly earnings press release two days before the announcement, they broke into the network of the company Ford hires to distribute that release to the media. Not only was Ford’s release there for the taking, but so were similarly sensitive, not-yet-public releases from hundreds of other public companies. Hack one network, and gain access to the sensitive information of hundreds of companies.
Quick quiz for our readers (True/False): an unreleased public company earnings press release is a classic example of sensitive, unstructured data.
True…with a capital “T”.
Switching gears briefly, let’s talk about the value of sensitive unstructured data versus the value of the data one might find in a database, like a credit card number or a social security number. From Anthem hack: Personal data stolen sells for 10X price of stolen credit card numbers (Network World, February 2015):
“A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each.”
One dollar? Twenty dollars? Even $1,000? That’s nice, but it doesn’t jump off the page like $100 million. Certainly not every unstructured data breach yields a $100MM payoff, but this newswire caper highlights how sensitive and valuable Word documents, PowerPoint presentations and the like can be. An organization’s secrets, embarrassing exchanges, intellectual property, strategies and financial plans all have to be communicated, internally and externally, in the form of unstructured data.
Lesson 1 from the news wire breach: unstructured data can be really, really valuable…really.
So how did the bad guys break into the newswire companies’ networks? From the Washington Post article:
“The hackers, who breached the wires and swiped employee credentials through a series of attacks…masked their movements through proxy servers and stolen employee identities and recruited traders with videos showcasing how swiftly they could steal corporate data before its release….The hackers tapped an armament of brute-force, injection and ‘spear-phishing’ attacks, bulldozing through security systems, implanting malicious code or persuading employees to click on booby-trapped links.”
Swiped employee credentials, stolen employee identities, brute force, spear-phishing: injection aside, these are authentication-based attacks, and they are the attacker’s technique of choice because they are the easiest to conceal. Once an attacker holds a valid set of credentials, every action is logged as a legitimate user’s, so the bad guys can operate on a network undetected for extended periods of time because, to the security systems, they look like legitimate users.
And now, for my money, the most compelling part of the story:
“SEC investigators unraveled the scheme with the help of ‘enhanced trading surveillance’ technology…which can comb through millions of financial trades, track suspicious behavior and otherwise sniff out threats to ‘the integrity of our markets.’”
Take a minute to let that sink in. The breach was not detected by the information security systems at the wire services; it was discovered by the SEC’s trading-surveillance algorithms, which look for anomalous trading patterns that may indicate insider activity. By this account, no one at Business Wire, PR Newswire or Marketwired realized that hackers were operating on their networks for some five years. And had the ring been more careful, or less obvious, about how it traded on the non-public information, the breaches might never have been discovered at all. That brings us to Lesson 2:
Lesson 2 from the news wire breach: authentication-based attacks are bad, and once they’re inside the walls, everyone’s an insider, including the attackers.
Since the bad guys look like legitimate users, authentication-based attacks cannot be identified by credentials alone; what gives them away is behaviour: where a login comes from, when it happens, how many failed attempts preceded it, and how much data the account touches compared with its normal pattern. A clever, patient attacker keeps each of those inside the noise, which is exactly why such intrusions go unnoticed for so long. Which brings us to our final Lesson.
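To make that concrete, here is a small set of behavioural checks run over a constructed authentication and file-access log. This is an added example written for this post; it is not STEALTHbits code, and the log format, the account name jsmith, the hosts, the /embargo/ paths, the baseline date and the thresholds are all assumptions made up for illustration. The three checks flag a password-guessing run that ends in a successful login, a successful login from a source the account never used during the baseline period, and a day on which the account reads far more embargoed releases than it ever did before.

```python
"""Behavioural checks over authentication and file-access events. Added example
for this post, not STEALTHbits code; log format, names, hosts, paths and
thresholds are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    src: str
    kind: str  # LOGIN_OK, LOGIN_FAIL or FILE_READ
    res: str


def parse_log(text):
    """Parse constructed '<iso-ts> <user> <src_ip> <event> <resource>' lines."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, kind, res = line.split()
            out.append(Event(datetime.fromisoformat(ts), user, src, kind, res))
    return sorted(out, key=lambda e: e.ts)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """LOGIN_OK preceded by >= threshold LOGIN_FAILs for the same account from
    the same source within `window`: a guessed password."""
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    hits = []
    for e in events:
        key = (e.user, e.src)
        if e.kind == "LOGIN_FAIL":
            fails[key].append(e.ts)
        elif e.kind == "LOGIN_OK":
            if len([t for t in fails[key] if e.ts - t <= window]) >= threshold:
                hits.append((e.user, e.src, e.ts))
            fails[key].clear()
    return hits


def detect_new_source(events, baseline_until):
    """Successful logins after the baseline period from a source the account
    never used during it (a proxy server, for instance)."""
    known = defaultdict(set)
    for e in events:
        if e.kind == "LOGIN_OK" and e.ts < baseline_until:
            known[e.user].add(e.src)
    return [(e.user, e.src, e.ts) for e in events
            if e.kind == "LOGIN_OK" and e.ts >= baseline_until
            and e.src not in known[e.user]]


def detect_read_spike(events, baseline_until, factor=3, floor=5):
    """Days on which an account read more than `factor` times its busiest
    baseline day (and at least `floor` files): bulk harvesting of releases."""
    per_day = defaultdict(lambda: defaultdict(int))  # user -> date -> reads
    for e in events:
        if e.kind == "FILE_READ":
            per_day[e.user][e.ts.date()] += 1
    hits = []
    cutoff = baseline_until.date()
    for user, days in per_day.items():
        ceiling = max((n for d, n in days.items() if d < cutoff), default=0)
        hits += [(user, d, n) for d, n in days.items()
                 if d >= cutoff and n >= floor and n > factor * ceiling]
    return hits


# Constructed sample: two ordinary workdays for jsmith, then a 02:00 brute
# force from a never-seen host and a bulk pull of embargoed releases.
NORMAL = """\
2015-06-01T09:02:11 jsmith 10.1.4.22 LOGIN_OK -
2015-06-01T09:05:40 jsmith 10.1.4.22 FILE_READ /embargo/ACME-Q2.docx
2015-06-01T14:30:00 jsmith 10.1.4.22 FILE_READ /embargo/BETA-Q2.docx
2015-06-02T09:00:00 jsmith 10.1.4.22 LOGIN_OK -
2015-06-02T10:00:00 jsmith 10.1.4.22 FILE_READ /embargo/GAMMA-Q2.docx
2015-06-02T11:00:00 jsmith 10.1.4.22 FILE_READ /embargo/DELTA-Q2.docx
"""
ATTACK = ("".join(f"2015-06-03T02:10:{2 * i:02d} jsmith 203.0.113.9 LOGIN_FAIL -\n"
                  for i in range(6))
          + "2015-06-03T02:10:13 jsmith 203.0.113.9 LOGIN_OK -\n"
          + "".join(f"2015-06-03T02:11:{i:02d} jsmith 203.0.113.9 FILE_READ "
                    f"/embargo/CO{i:03d}-Q2.docx\n" for i in range(40)))
SAMPLE_LOG = NORMAL + ATTACK
BASELINE_UNTIL = datetime(2015, 6, 3)  # everything before this day is "normal"


def run(text=SAMPLE_LOG, baseline_until=BASELINE_UNTIL):
    """Run all three checks and return the findings by check name."""
    events = parse_log(text)
    return {
        "brute_force": detect_brute_force(events),
        "new_source": detect_new_source(events, baseline_until),
        "read_spike": detect_read_spike(events, baseline_until),
    }


if __name__ == "__main__":
    print(run())
```

Two caveats a practitioner would add. First, the brute-force check only catches a password that was guessed; a credential harvested by spear-phishing is used correctly on the first try and never trips it, which is why the source and volume checks matter. Second, the baseline has to come from a period you know was clean, and the thresholds (five failures, a 3x read spike) are placeholders that have to be tuned per environment; a patient attacker who reads two releases a day from the victim’s own VPN address stays under all three checks, which is the point Lesson 2 makes.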
Lesson 3 from the news wire breach: STEALTHbits builds products that secure unstructured data – like quarterly earnings press releases – and detects authentication-based attacks. We definitely could have helped prevent or mitigate this attack, and we’d love to tell you all about that: firstname.lastname@example.org.