After breaching the security of some major retailers in the US, cyber criminals have turned their attention towards stealing trade secrets. BAE Systems Appliance Intelligence reports that an unnamed US hedge fund has lost several million dollars over two-months after hackers injected malicious code into its network to steal trade secrets.
In a rare raid, the criminals delayed trades at the hedge fund while stealing its profitable secrets. The report says the identity of the hackers is still unknown. It is revealed the hackers lifted high-speed trades from the company, and sent the details to third-party servers via malware installed on the firm’s network.
Product director at BAE Paul Henninger suggested it could be an instance of corporate espionage by a smaller company. The attacks started after a staff member became a successful email phishing victim. He told CNBC:
“This was something that was getting reviewed at the board level of this hedge fund precisely because it was having a material impact on performance across the portfolio.”
The espionage assumption was given importance because hackers were able to create a lag between issuance and execution of the trade. Henninger wasn’t sure if the attack was notified to the SCE (Securities and Exchange Commission) and stated that the hedge fund may have little incentive to report.
Hedge fund attacks don’t often reach public record. Bloomberg says there have been several more hedge funds attacked:
“Over the past two years, computer networks, law firms, hedge funds and other companies in Wall Street have been infiltrated by Eat European hackers.”
None of the hedge funds have been named.
The latest hack involved hackers breaking into the trading system and using the information for their own high-speed trading. This is the same strategy hackers have used to attack insurance companies; they hack into the system, create illicit policies, and profit by filing claims against them.
For a hedge fund, it damages the reputation of the firm and undermines client trust. That is why the firm is taking a while to get comfortable with the idea of exposing the effect of the hack to a law enforcement agency. Such a breach is also capable of tarnishing investor confidence.
While the BEA is affirmative the hack was going on and steps were taken to remove the malicious code, the FBI and SEC can get involved. The authorities, however, declined to comment, and Henninger was unsure if the hedge fund will report the attack to these authorities.
Security firms have lined up with their verdicts on the attack. Ontario-based cyber security firm eSentire said that it has seen phishing attacks at hedge funds double from February 2013 to January 2014.
The latest hit took $1.5 million from a hedge fund in two minutes, with three wire transfers, eSentire told Bloomberg. Spear phishing attacks are being directed at top hedge funds, and the hackers are using every public resources, social media, to figure out who to target next.
Hedge funds are smaller firms operating big businesses. The size of these organizations may not have several security personnel on staff. The SEC reported to Congress that there were 6,683 hedge funds operating more than $4 trillion in assets.
Despite the size of transactions, many hedge funds with a few billion in transactions haven’t boosted cyber security since they were small start-ups. Most of them want to fix things and move on even when a hack is detected. Because of that, it’s a lot harder for law enforcement agencies to investigate.
But that is changing, and with the hacking news against hedge funds becoming prominent, regulators would want to take a closer look.