Over the past year, I've been presenting research at security conferences regarding the increasingly cozy relationship between black hat hackers and white collar criminals. One of the cases I researched was a group of hackers targeting PR firms for non-public insider information that could be monetized by trading stock based on the results of a company’s earnings and other factors. This past week it was revealed that this same group of criminal hackers and traders had become much more brazen and were also involved in the hacking of SEC’s EDGAR system targeting similar information.
Evolution of Criminal Hacking to Big Business
Prior to joining Splunk, I was involved in a number of criminal investigations as a result of developing various tools and techniques to track criminals online. One of the most critical aspects of crime in general is to understand intent; from there, we can better understand what they're targeting and then gain a better understanding of how they do it.
The primary motive of criminal hackers is the monetization of data—data that can be sold or used directly to make a profit. As tools and techniques are developed to thwart criminal hacking, it doesn’t cease, but simply evolves. Several years ago retail was targeted due to the value of stolen credit cards on the black market, but as credit card fraud protections became more prevalent, it reduced the value of stolen credit card numbers in underground markets. Criminal hackers simply adapted, realizing that data is often more valuable to the targeted entity itself than trying to sell it through intermediaries; from there, ransomware was born.
Evolution of Cybercrime
As criminal hacking has evolved, new tools have arose providing better anonymity through the use of Tor and hidden services, along with cryptocurrency such as Bitcoin which has helped facilitate a growing underground economy for stolen data, tools and services. While researching underground markets that were selling stolen credit cards and other illicit goods and services, I stumbled on a forum which was focused on the buying and selling of “insider information,” or non-public information from companies which could be valuable to stock traders such as earnings reports, merger and acquisitions, FDA approvals, patent data and other information. The forum was looking for information from insiders themselves or from criminal hackers who may have stumbled upon this type of data.
Black Hats & White Collars
Through further research I found a number of hidden services and forums that were setup to trade on non-public insider information, offering payment through cryptocurrencies or a share in the trade earnings. I also found several interesting cases where organizations were targeted specifically for this type of data. One group in particular was led by hackers Ivan Turchynov and Oleksandr Ieremenko targeting PR firms specifically, where at least three major newswires were targeted and compromised. They then setup a hidden service and started advertising the press releases on various underground forums; this is where contact with their traders was initially made.
Initially, access to the data was provided for a fee. However, over time the traders set up accounts for the hackers so they could make more money from their exploits. The scheme was implemented over the course of several years and would have gone undetected had the hackers not become greedy and more brazen and branched into other areas of cybercrime, including the theft of stolen credit cards.
The interesting aspect of this investigation was the correlation of log sources across multiple organizations that ended up telling the large story of the criminal enterprise—the authentication logs, web application logs from the PR newswire companies, brokers and the hackers laptops themselves. Business records and trading history of the traders, their connections to hidden services, communication with hackers and other non-traditional data sources played a key role as well.
Often the logs you collect may not be for your own investigation, but will play a critical role for law enforcement conducting a larger investigation. A friend of mine who conducts cyber security investigations at the FBI tells me the first thing he asks a company when they arrive is “show me the logs.” Pretty much every crime today has a “cyber” component, whether it's data on phones, social media, laptops, IoT devices, security cameras, etc. Machine data or logs help tell a story for the data savvy investigator, but we need to ensure we're collecting the right data, and it usually means collecting more than just data from the firewall.
After targeting PR firms, the SEC has stated that Oleksandr Ieremenko became more brazen and directed his efforts towards targeting the SEC’s EDGAR database which housed a wealth of insider data. Using similar techniques that were successful targeting PR firms with phishing emails and malware laden attachments, Ieremenko was successful gaining access to data being posted by companies to the EDGAR database.
If you're interested in learning more about this case, I recently presented “Black Hats & White Collars: Bitcoin, Dark Nets and Insider Trading” at BSides Edmonton and BSides Vancouver this past year, which you can watch in the video below.
I'll be presenting an updated version of this presentation at BSides Salt Lake City on February 22nd, covering more specifics into the SEC EDGAR database compromise. I'll also be leading a hands-on Insider Threat workshop at BSides Vancouver in March, so keep an eye out for registration.