Security researchers have uncovered a cyber espionage ring focused on stealing corporate secrets for the purpose of gaming the stock market, in an operation that attempts to play the stock market. FireEye today released an intelligence report that details the work of a team of native-English speaking operators with extensive knowledge of the nuances in industries they targeted as well as financial practices. Designated by FireEye as FIN4, the group has been observed collecting information from nearly 100 publicly traded companies or their advisory firms, all parties who handle insider information that give a clear trading advantage to the attacker.

"Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action," said Dan McWhorter, VP of threat intelligence, FireEye. "FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market."

Unlike the often nation-state backed Advanced Persistent Threat groups originating from China and Eastern Europe, the group does not utilize malware, but it relies heavily on highly-targeted social engineering tactics and deep subject-matter expertise to deliver weaponized versions of legitimate corporate files. Specifically, FireEye found that since at least mid-2013, FIN4 has made product development, M&A strategies, legal issues, and purchasing processes of companies its target data points.

Victims also include firms in other sectors, as well as corporate advisors including investment bankers, attorneys and investor relations firms, according to FireEye.

FireEye researchers believe FIN4 to be US-based or, possibly, Western European.

FireEye researchers also found that while FIN4 has highly advanced techniques for breaking into an organization, they have security practices on the data they transmit. Stolen login credentials were shown to be transferred to FIN4 servers in plain text while the operators themselves use TOR to mask their locations and identities.

The full report, including examples of FIN4 targeted attacks, can be accessed at https://www2.fireeye.com/fin4.html.