According to CNBC, US federal prosecutors indicted for unauthorized entry into the US Securities and Exchange Commission database (SEC) several individuals.
According to authorities, a group of hackers from the USA, Russia and Ukraine managed to hack the database with corporate reports. Attackers had access to private information from May to, least, October 2016 of the year. Using this data, they were able to earn more than $4 million.
Details of the cyberattack
Cyber group was able to successfully attack the EDGAR system, which stores corporate documents of companies, whose shares are traded on the stock exchange. Hackers used phishing emails to infiltrate the SEC, containing malicious attachments. Letters were sent to SEC employees' e-mails, and after that, how did one of them run the attached file, the computer was infected.
As a result, Hackers gained unauthorized access to 157 profit statements, which have not yet been presented publicly. This data allowed cybercriminals to make transactions on the exchange., knowing, stocks of specific companies will rise or fall in the near future. Among the stolen documents: profit reports, mergers and acquisitions and other sensitive information.
Possession of such information before its official publication gives the insider a significant advantage in the market - according to the authorities, one of the traders involved in the scheme was able to earn $270 thousand in just one trading day. In total the criminal scheme brought $4,1 million income.
Hacking carried out by a group of seven people, the cyberattack lasted several months - from May to, least, October 2016 of the year. According to authorities, hackers were previously part of the group, hacked services with corporate press releases - then the data was also used for insider trading.
What's next
The incident triggered a new wave of discussions on the possible implementation of a monitoring system for insider transactions. Consolidated Audit Trail Database (CAT) should include information about all transactions, carried out on the US stock exchanges. Its main task is to collect data for analysis and detection of suspicious activity in the markets..
CAT implementation is constantly delayed, to date, the launch of the system is scheduled for November 2019 of the year. At the same time, representatives of the exchanges are not very happy about the plans to implement the system.. So the administration of the New York Stock Exchange asked the SEC to limit the amount of data collected in CAT.. Now it is planned, that the system will store information about 58 billion transactions, committed daily, as well as data about traders, including their social security numbers and dates of birth.
Carpenito said at a press conference on Tuesday, that thefts include thousands of valuable personal business documents. “After breaking into the EDGAR system, they stole projects [of these] reports, before the information was disseminated to the general public ", – he said.
These documents included quarterly income statements, plans of mergers and acquisitions and other important news, and criminals had the opportunity to view them before, how they were published for public storage, what influenced the stock prices of individual companies. Alleged hackers made transactions with reports, and also sold them to other illegal traders. According to Carpenito, one internal trader earned $ 270 000 in one day.
Hackers used malicious software, emailed to SEC staff. Then, after installing software on SEC computers, they sent information, which we were able to collect, from EDGAR system to servers in Lithuania, where did they ever use it, or distributed data to other criminals, said Carpenito. EDGAR Service operates in New Jersey, therefore, the Department of Justice branch in Newark was involved in the case.
Stephanie Avakyan, Co-Chair of the SEC's Enforcement Division, said, that the same criminals also stole the preliminary press releases, sent to three news services, although she did not name the news feeds. According to her, hackers used multiple brokerage accounts to collect illegal proceeds.
Justice Department accused two Ukrainians of hacking database – Alexandra Eremenko and Artem Radchenko. Seven more individuals and entities were also named in the SEC civil lawsuit for trafficking in illegal information: Sunjin Cho, David Kwon, Igor Sabodakha, Victoria Vorochek, Ivan Olefir, Andrey Sarafanov, Capyield Systems, Ltd. (belongs to Olefir) and Spirit Trade Ltd
Consolidated audit fears
Also at the time, the incident raised concerns about the SEC's Consolidated Audit Trail database., known as CAT. CAT was meant to record every deal and order – or shares, or options – made in the USA, in order to provide sufficient data for analysis to detect market manipulation and other malicious behavior.
Full CAT implementation suffers from delays, and the stock report should now start in November. New York Stock Exchange Asks SEC To Consider Data Limit, collected CAT, which will include data on 58 billions of daily transactions, as well as personal data of persons, making transactions, including their social security numbers and dates of birth.
In September 2017 SEC Chairman Jay Clayton announced, that the EDGAR database was hacked in a lengthy statement. The Commission stated, that the database was infiltrated 2016 year, but the incident was not discovered until August 2017 of the year.
“Cybersecurity is critical to the operation of our markets, and the risks are significant and, In many cases, systemic ", – said Clayton at the time. “We must also admit – as in the state, and in the private sector, including SEC, – that there will be incursions and that resilience and recovery is a key component of cyber risk management ".
