New financial threat group displays ‘nuances’ of targeted industries

1 December 2014

Cybersecurity company FireEye has identified a new financially motivated advanced threat group that is carrying out ongoing attacks against publicly traded companies.

The particular attack is dubbed FIN4, and is reckoned to be an attempt to “play the stock market”, says a FireEye report.

FireEye said that the group has been observed collecting information from around 100 publicly traded companies or their advisory firms, all parties who handle insider information that gives a clear trading advantage to the attacker.

“Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action,” said Dan McWhorter, VP of threat intelligence, FireEye. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.”

FIN4 carries out its attacks in a unique manner never seen before, said FireEye, quite unlike the advanced persistent threats originating from nation states.

The group does not utilise malware, instead relying heavily on highly targeted social engineering tactics and deep subject-matter expertise to deliver weaponised versions of legitimate corporate files. Specifically, FireEye found that since at least mid-2013, FIN4 has made product development, M&A strategies, legal issues, and the purchasing processes of companies its target data points.

While FIN4’s unique methodology eschewing malware allows them to evade traditional detection and attribution, the FireEye report provides analysis of the social engineering and document weaponisation the group employs as identified through the company’s investigations and detections.

Citing the group's strong command of English colloquialisms, regulatory and compliance standards, and industry knowledge, FireEye researchers have said it is their belief that FIN4 is US-based or, possibly, Western European.

FireEye said its researchers had also found that while FIN4 has highly advanced techniques for breaking into an organisation, it has weak security practices for the data it transmits. Stolen log-in credentials were shown to be transferred to FIN4 servers in plain text, while the operators themselves use TOR to mask their locations and identities.

The full report is available here.

TechCentral Reporters
