Back in June 2014, CNBC reported on an extraordinary cyber attack on a large hedge fund. According to an executive at BAE Systems, hackers used a tactic called “spear phishing” to trick hedge fund employees into opening e-mails that secretly installed malware on the hedge fund's servers. The BAE executive said that the hackers then built a lag into the hedge firm's order-entry system that exposed the hedge fund's proprietary strategy to the intruders, allowing them to “replicate it, trade ahead of it, trade around it, et cetera” to make significant trading profits.

Two weeks later, BAE acknowledged that the attack its executive described was not real but merely an “illustrative example” or “scenario” used by experts inside BAE Systems. Cybersecurity experts confirmed, however, that such an attack was entirely plausible. 

Today, there are reports of a similar, and real, attack. Cybersecurity firm FireEye Inc. released a report today stating that it is currently tracking a group of hackers it calls "FIN4," which has targeted the email accounts of individuals with access to the most confidential information of more than 100 companies. FireEye said that since at least mid-2013, FIN4 has been targeting top executives, lawyers and others who may possess non-public information about merger and acquisition deals and major market-moving announcements, particularly in the healthcare and pharmaceutical industries. FireEye noted that access to inside information "that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage."

Like the hackers in the "illustrative example" described by BAE Systems, FIN4 also reportedly uses spearphishing to gain access to confidential emails. As described here, spearphishing is "an email that appears to be from an individual or business that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords" and so on.

The FireEye reports stated that of the over 100 companies targeted, 80% were publicly traded companies and 20% were "firms advising public companies on securities, legal and M&A matters" such as law firms, investment banks and investor relations firms. I believe the hack of this 20% could prove to be particularly problematic. While there could conceivably be an M&A deal or a market-moving announcement discussed in the emails of an employee at a single public company, it is far more likely that such information will be found in the emails of the law firms, investment banks and investor relations firms whose day-to-day business is to help public companies with such deals and other material developments and announcements.