October 18, 2022 |
Ken has been in the security field for over 15 years, working with companies to increase their security posture through threat hunting, insider threat programs and vulnerability research. In the past he has worked closely with law enforcement, helping to unveil organized crime groups. His work has been featured in Wired, Forbes, the New York Times, Good Morning America and others, and he is regularly consulted as an expert in cybersecurity, cybercrime and surveillance.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
Broadly speaking, there are two good reasons why financial markets make good targets for criminals — cyber or otherwise. Firstly, simply, it’s where a lot of the money is. In the week this podcast episode was written, daily trading volume on the New York Stock Exchange averaged 2.3 billion dollars. On the Nasdaq: 2 billion dollars. On the Chicago Board Options Exchange: 1.5 billion. Altogether, then, the United States’ three biggest stock markets combine for nearly 6 billion dollars worth of trades every day, 30 billion in a week. And that’s not even taking into account the multi-billion-dollar per-day foreign exchange market.
Finance isn’t all about money, though. It’s our jobs and salaries, the prices we pay for things, the quality of products and services we receive. By nature it is a fast-moving and highly interconnected system — with companies relating to other companies and investors and banks in every corner of the world, every player forming one tiny nook in a giant web. That’s why even something seemingly insignificant can trigger a disruption to the entire world. Like how something called a “mortgage-backed security” caused such chaos in America that the effects were felt even a decade later all the way in Asia.
You’d have to say that, short of electricity and running water, there are few systems so vital to modern society as financial markets. Few systems so fragile, with the potential for truly catastrophic consequences.
In the lower floors of an 11-story office building, located in suburban Washington D.C., sit a crossfit gym and a fondue restaurant. If you go there — once you’re finished working out and eating cheese — you might take the elevator up to visit the National Cybersecurity and Communications Integration Center. (Assuming you have clearance, of course.) NCCIC is the home of cyber threat analysis and response for the United States government.
In the early days of 2011, the NCCIC headquarters played host to an emergency meeting. Sat in one of their conference rooms, and calling in via teleconference, were a smorgasbord of officials from almost every major U.S. agency worth knowing: the NSA, the FBI, Department of Defense, Homeland Security, even the Treasury. Together, over a fondue lunch, they discussed a cyberattack that could very well compromise national security.
(You know, maybe the fondue part was just for your imagination. But even government officials need to eat lunch, right? When NSA and FBI agents get together to discuss national security, do they order Chinese food delivery? Or do their mommys make them PB&J sandwiches with the crusts cut off? Food for thought. Anyway…)
By 2011, the notion of a cyberattack against critical infrastructure wasn’t new — in fact, it was the flavor of the day. Stuxnet had just rocked a uranium facility in Iran. But as one veteran government official told Bloomberg, the United States had never experienced such a crisis. Until now.
A couple of months earlier, an FBI system monitoring U.S. internet traffic had flagged suspicious activity. The activity was directed at computer systems belonging to the Nasdaq stock exchange: the heart, alongside the New York Stock Exchange, of the American financial system. According to Bloomberg, when officials at the NCCIC were briefed, quote, “it only took them minutes to agree that the incursion was so serious that the White House should be informed.” End quote. The following day, officials from the Justice and State departments, and the CIA, were briefed. They escalated to the Pentagon and, eventually, the matter was presented to President Obama.
The issue was that, the more they learned about the attack, the worse it seemed to get. When teams of FBI agents visited Nasdaq headquarters at One Liberty Plaza in Manhattan, as well as their data center in nearby Carteret, New Jersey, they found multiple clues indicating that the attacker was not some lone hacker, or an internet group, but a bona fide nation-state. The attackers had clearly taken the time to learn about Nasdaq’s systems, and exploited not one but two zero-day vulnerabilities in order to deploy their malware — a spyware program originally developed by the FSB, Russia’s answer to the FBI. This spyware didn’t just collect data, though — the NSA suspected that it could also wipe entire systems clean.
What would happen if the attackers activated that feature, and the data at the heart of the global financial system were completely erased? How many billions of dollars were on the line?
If that were the end of it, it would’ve been bad enough. But according to Bloomberg, quote:
“Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. [. . .] Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.”
FBI investigators might have learned more concrete details about all these threats, but Nasdaq’s servers weren’t equipped with any software for basic recordkeeping. So whatever the hackers had been doing — for however long they’d been doing it — was unknown. One investigator put it simply, calling Nasdaq’s systems a “dirty swamp.”
Have you ever heard about a successful critical infrastructure compromise with a happy ending? This might be the only one.
After further analysis, the NSA discovered that the malware in Nasdaq’s servers did not, in fact, have wiper capabilities. It was capable of capturing and manipulating data, but when an FBI team collaborated with stock market regulators to algorithmically analyze thousands of Nasdaq transactions, they discovered no evidence of tampering at all. So if the attackers didn’t want to destroy the Nasdaq, or manipulate it for profit, what did they want? To this day it’s never been proven, but here’s the most substantiated theory:
At the very same time as the Nasdaq hack, the Russian government was preparing to overhaul their financial system. The biggest Russian corporations were all listed on exchanges like the Nasdaq, instead of at home in Moscow, causing disproportionate Western influence in their own economy. So the government merged its two biggest exchanges — the Micex and RTS — into one, creating what they hoped would be a new global financial hub. U.S. investigators believed that, quote, “the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it, either to incorporate its technology directly into their exchange or as a model to learn from. And they dispatched an elite team of cyberspies to get it.”
It’s as they say: imitation — through sophisticated cyber espionage — is the sincerest form of flattery.
It’s not clear whether, in the dozen years since Nasdaq’s hacks, there have been any attacks against exchanges, or the infrastructure they run on. And yet, many hackers have made millions of dollars hacking the stock market, using schemes far simpler and more clever, like the “hack, pump and dump.”
Hack, Pump and Dump
AmeriServ Financial’s headquarters exudes BSE, Big Seventies Energy: we’re talking brutalist architecture, with beige bricks slowly losing their color, the saddest little plants potted outside, and an entire face of the building without a single window. This bank holding company, you could probably tell, is not a major player on the world stage.
On any given day in 2009, a couple thousand shares of AmeriServ stock might change hands. At $2 a share, it was hardly noticeable. On December 21st, though, the volume of AmeriServ shares traded on the market was 277,000.
The reason traced all the way to St. Petersburg, Russia, with a balding 40-something gentleman named Valery Maltsev. Maltsev was running a scheme that, from August to December of 2009, transformed an investment of $2,080 into a return of $627,633. The plot was simple.
First, Maltsev’s company would accumulate shares in some cheap and unpopular stock. Then, either on his own, or through another undisclosed hacker or hackers, he would take control of online brokerage accounts belonging to unwitting victims. Using those accounts, he’d purchase huge volumes of shares, as fast as possible, in order to inflate the price. Then he’d sell all of his own shares, reaping the profit, and leaving those hacked accounts holding the bag.
Even after the Securities and Exchange Commission — the SEC — froze his assets, and settled for a penalty of 1.33 million dollars, they never figured out if it was Maltsev who was doing the hacking. Even if he wasn’t getting his hands dirty, authorities noted that his accounts, quote, “generated trading profits so large and so rapid that no reasonable executive could have believed that they were legitimate, at least not without receiving a remarkable and well-supported explanation.”
The simplicity in the hack, pump and dump is that you need not engage with any large and sophisticated infrastructure. From a technical perspective, Maltsev did no more than take over individual trading accounts — something that can be achieved, in most cases, with simple social engineering methods, no computer skills necessary. For more about that, check out our latest podcast episode on vishing.
In the years since Maltsev, hackers have improved upon the model, turning the same profits without the need to hack anybody’s account, or steal anybody’s money. Victimless, multi-million-dollar crimes.
[Ken] So a while back, I was doing a lot of research in various dark web sites
Ken Westin, Director of Security Strategy at Cybereason, recently investigated the cyber vulnerabilities in markets.
[Ken] And I stumbled into some of these forums where I actually saw sort of Blackhat kind of hackers colluding with [what] looked like white collar criminals.
From one of these forums, user Wall Street Rogue — claiming to be a professional trader — replies to a post titled “Insider Trading.” Writing to the hackers on the forum he says, quote:
“Maybe I’m coming a bit late to the post… Anyway, I work inside a major Wall St company that does millions of trades a day. I have access to DMS, high clearance and access to all North America, Europe (Italy, France, Denmark) and Brazil. (I won’t disclose anything else).
If you have good info, I offer 50/50 and I can give you hard cash or BTC, no paper trail.
Only relevant information please.”
[Ken] [What] they are trying to do is establish trust, trying to find legitimate sources of information, and then they’ll offer you, again, a percentage of whatever that they’re able to get from it.
This dark web forum for insider trading, called “The Stock Insiders,” is run by a whole team. Their site has detailed rules and a motto: “Welcome to the Dark Side of Wall Street.”
[Ken] In order to get access to the forum, you have to provide some information for them that’s valid, and then they’ll give you access, and then they’ll allow you to collaborate and work with them.
That’s where Ken’s investigation stopped.
[Ken] I didn’t do that, because I am not going to commit a crime to get access to a forum.
Was this forum really legit? If so, how are hackers obtaining insider information? And who are the finance professionals they’re collaborating with?
[Nate] How did police first become attuned to what would later be called, the Dubovoy Group? Is that how you say it?
[Ken] Yeah, actually, there was, this was a group of people that were heavily involved.
Vadym Iermolovych, Ivan Turchynov, Oleksandr Ieremenko — a bunch of Ukrainian hackers — and their ringleader — Artem Radchenko. If you’re picturing big, burly Eastern European men, don’t — we’re talking about teenagers here.
[Ken] And what they did was, around 2010 or so, they actually were able to start doing this. They did this between 2010 and 2014, where first they targeted a PR firm, Marketwire.
Marketwire, a company that distributes press releases on behalf of major corporations.
[Ken] They were able to get in using SQL injection, they had reverse shells.
Using reverse shells — allowing for remote access and code execution on the target machines — the hackers mined employee authentication information and escalated their privileges. Soon, they were downloading thousands of press releases not yet published to the public.
[Ken] And so there wasn’t a lot of ways that these organizations could detect it.
The scheme was so cunning that Ieremenko decided to take it one step further.
[Ken] He got greedy. He started looking for other places that they could get some of this insider information, and that’s when he decided, “Hey, why not go directly to the source?”
The source: the “EDGAR” system, short for “Electronic Data Gathering, Analysis, and Retrieval,” operated by none other than the United States Securities and Exchange Commission, the very organization tasked with catching financial fraudsters like him. EDGAR is a web portal where companies upload their legally obligated SEC filings.
[Ken] So yeah, that was, that’s just amazing to me. He was very brazen.
These teenagers now had access to some of the most valuable information in the world, before anybody else could see it.
[Ken] The hackers were then able to basically dump hundreds of press releases onto a separate server. And then they advertise this on these forums.
Access to the stolen data was billed at thousands and thousands of dollars, paid in cryptocurrencies.
Of course, for you and me, it’s hard to imagine what to do with thousands of press releases — why they would be worth so much money. But the hackers understood that they were worth that and much, much more to a certain kind of buyer.
[Ken] And that’s where some of these white collar criminals ended up getting involved.
Generally speaking, when big companies have big news to share — good or bad — they take time to prepare their message. That means that, for a short period of time, only select employees of those companies, and the PR firms that handle their press releases, know sensitive information that may well rock the company’s share price.
In their dark web postings, the hackers included videos demonstrating how quickly they could steal corporate data — almost as soon as it was written, through compromised PR firms — leaving time for traders to act before the news eventually made it to the airwaves.
The hackers knew how to breach corporate networks without being detected. The traders knew how to steal money without being detected.
[Ken] They would have shell companies that would be doing this. They would create a bunch of these different shell accounts, and they were doing smaller transactions so that they would be under the radar of the SEC, and they wouldn’t raise any of these red flags, and they didn’t.
Eventually, instead of paying fees for the data, the traders helped the hackers share in the spoils.
[Ken] The white collar guys were making the trades, and then they would share the money that they made from selling that stock. They would share the profits with the hackers.
Traders used the stolen data to learn about things like earnings reports and mergers and acquisitions, from companies like Ford, Northrop Grumman, Boeing, Smith & Wesson and Bank of America, then profit off of it at the expense of everybody else.
How much profit? Consider one case cited in a Justice Department press release, quote:
In one instance, a test filing for “Public Company 1” was uploaded to the EDGAR servers at 3:32 p.m. (EDT) on May 19, 2016. Six minutes later, the defendants stole the test filing and uploaded a copy to the Lithuania server. Between 3:42 p.m. and 3:59 p.m., a conspirator purchased approximately $2.4 million worth of shares of Public Company 1. At 4:02 p.m., Public Company 1 released its second quarter earnings report and announced that it expected to deliver record earnings in 2016. Over the next day, the conspirator sold all the acquired shares in Public Company 1 for a profit of more than $270,000.
End quote. This was not a one-off example. In 2013, Align Technology — an orthodontics device manufacturer — made profits in excess of investor expectations. Just before they announced it, however, traders with access to stolen internal documents bought more than 8 million dollars worth of shares in the company. The next day, they cashed out for a cool 1.4 million dollar profit. In another instance, traders made half a million dollars in the span of half an hour.
In other words: some of these press releases weren’t just worth thousands of dollars, they were worth tens, hundreds of thousands or more.
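A defender-side surveillance check built on the timing in the quoted DoJ timeline, as an added example that is not from the podcast, the SEC or the Justice Department: it flags buys placed after a filing was uploaded but before it was public, and accounts whose buying is concentrated in such windows. The Filing and Trade records, account names and thresholds are constructed for illustration.

```python
"""Pre-release trading-window check (added example, not from the podcast).

The constructed data mirrors the quoted timeline: a test filing uploaded
at 15:32, public release at 16:02, and large purchases in between.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Filing:
    ticker: str
    uploaded: datetime  # draft/test filing lands on the server (not public)
    released: datetime  # filing or earnings release becomes public


@dataclass(frozen=True)
class Trade:
    account: str
    ticker: str
    side: str           # "BUY" or "SELL"
    notional: float     # dollars
    at: datetime


def _in_blackout(t, windows):
    """True for a BUY placed in [uploaded, released) for that ticker."""
    w = windows.get(t.ticker)
    return w is not None and t.side == "BUY" and w[0] <= t.at < w[1]


def buys_in_blackout(filings, trades):
    """Buys placed after a filing was uploaded but before it was public."""
    windows = {f.ticker: (f.uploaded, f.released) for f in filings}
    return [t for t in trades if _in_blackout(t, windows)]


def flag_accounts(filings, trades, min_share=0.5, min_notional=100_000.0):
    """Accounts whose blackout-window buying dominates their buying overall.
    min_share: fraction of an account's total buy notional inside windows.
    min_notional: ignore accounts whose window buying is small in dollars."""
    windows = {f.ticker: (f.uploaded, f.released) for f in filings}
    in_win, total = defaultdict(float), defaultdict(float)
    for t in trades:
        if t.side != "BUY":
            continue
        total[t.account] += t.notional
        if _in_blackout(t, windows):
            in_win[t.account] += t.notional
    return sorted(a for a in in_win
                  if in_win[a] >= min_notional
                  and in_win[a] / total[a] >= min_share)


# Constructed sample: date from the quoted timeline, records invented.
_D = datetime(2016, 5, 19)
def _at(h, m): return _D.replace(hour=h, minute=m)

FILINGS = [Filing("PUBCO1", _at(15, 32), _at(16, 2))]
TRADES = [
    Trade("ACCT-7", "OTHER", "BUY", 50_000, _at(10, 5)),      # normal-looking activity
    Trade("ACCT-7", "PUBCO1", "BUY", 1_400_000, _at(15, 44)), # inside the window
    Trade("ACCT-7", "PUBCO1", "BUY", 1_000_000, _at(15, 58)), # inside the window
    Trade("ACCT-2", "OTHER", "BUY", 500_000, _at(11, 30)),    # ordinary account
    Trade("ACCT-2", "PUBCO1", "BUY", 10_000, _at(15, 45)),    # small incidental buy
    Trade("ACCT-9", "PUBCO1", "BUY", 300_000, _at(16, 30)),   # after release: not a hit
]

if __name__ == "__main__":
    for t in buys_in_blackout(FILINGS, TRADES):
        print(f"window buy: {t.account} {t.ticker} ${t.notional:,.0f} at {t.at:%H:%M}")
    print("flagged accounts:", flag_accounts(FILINGS, TRADES))
```

The second pass matters more than the first: a single small buy inside a window is noise, while an account whose buying is almost entirely inside windows, in size, is what a market-surveillance team would want to review.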
[Ken] And they probably wouldn’t have gotten caught, except for this one hacker that had his laptop compromised.
Ieremenko, emboldened by his wildly successful breaches of the U.S. financial system, expanded into new business ventures.
[Ken] It was basic stuff. Yeah, like credit card markets, like taking stolen credit cards and selling them online. [. . .] The Ukrainian police went in and they arrested him for the stolen credit cards, and they confiscated his computer. [. . .] And when they got into the laptop, you know, they were looking for stolen credit card information. But then they found videos, and they found other things around the server where they were having these, the stolen press releases and things like that.
So it was because of the stolen credit cards that they were able to get the additional evidence. And then they collaborated with the Ukrainian police with the SEC and the FBI to conduct a larger investigation around the stock trades.
In the end, the Justice Department charged over 30 individuals complicit with the Dubovoy Group. By that time, according to some estimates, they’d made off with over 30 million dollars in profits. According to a press release from the SEC, it was actually over 100 million.
Not all of the dozens of members of the Dubovoy group were the kind of people you might expect. One, for example, was a middle-aged man living in the wealthy suburbs of Pennsylvania, Vitaly Korchevsky.
[Ken] He was the former VP of Morgan Stanley.
Far from being a distant benefactor of the group, he was a core member.
[Ken] He sort of was the one that was sort of leading on the finance side. He even created trading accounts for some of these hackers, and gave them access to it, so they could, they can take some of that money.
Korchevsky was arrested on August 10th, 2015, in his mansion.
[Ken] Vitaly Korchevsky is a really interesting guy. You know, he wasn’t working at Morgan Stanley anymore, but he was now a minister of a church. And there was even like these, you know, these things like “Pray for Vitaly,” and all this stuff, like the community really supported him.
[. . .]
He ended up being found guilty, and he has to return like $14 million ill-gotten funds, and he’s facing at least between five to 20 years in prison. And I think he’s still fighting this particular case, I think they’ve brought it back up again, and they’re trying to say that the evidence against him wasn’t valid, and things like that. So it’s still an ongoing case.
Were this story merely about cybercriminals, it’d be one thing. But as noted by The Washington Post, the hackers collaborated with not only Korchevsky, but other brokers registered with the SEC. Genuine finance industry professionals.
[Ken] I think there’s a lot more of this that’s actually happening, where these hackers and white collar criminals are colluding and working very closely together. A lot of them, they’re very smart, so they know how to avoid being detected. So I think this is a lot more of this has actually happened and I think there’s even more money that’s been made.
It reminds me of a famous line from Margin Call — a 2011 film following a fictional Lehman Brothers in the leadup to the Financial Crisis. At a crucial turning point in the story, John Tuld — the composed, ruthless CEO — states a truism about the finance industry:
“There are three ways to make a living in this business,” he says. “Be first, be smarter, or cheat.”
Heck, why not all three?