Naked Security

Two charged with hacking company filings out of SEC’s EDGAR system

They're charged with phishing and planting malware to get into the EDGAR filing system, stealing thousands of filings, and selling access.

The Securities and Exchange Commission (SEC) on Tuesday indicted two Ukrainians for allegedly hacking its Electronic Data Gathering, Analysis and Retrieval (EDGAR) filing system and stealing corporate secrets from thousands of companies’ filings before they were made public.

The SEC also filed a civil complaint against a network of securities traders in the US, Ukraine and Russia with whom the hackers allegedly shared the hacked information and who allegedly used it to illegally profit by snapping up or selling off securities before the filings were public.

The 16-page indictment charges the alleged hackers – Artem Radchenko, 27, and Oleksandr Ieremenko, 26, both of Kiev, Ukraine – with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud.

According to the US Attorney’s Office for the District of New Jersey, the two indicted men aren’t in custody. Nor are they believed to be in the US, the Washington Post reports.

According to the indictments, Radchenko, Ieremenko and others conspired to pry open the SEC’s EDGAR system, which is used by publicly traded companies to file required financial disclosures, such as annual and quarterly earnings reports. Those reports are full of information that can lead to profit for those who get their hands on them, including details about companies’ financial health, operations and earnings. Such information can and often does affect companies’ stock prices when it’s publicly disclosed.

The Feds say that the two hackers, along with conspirators, sucked information out of EDGAR from February 2016 to March 2017. They allegedly went after the test filings that EDGAR allows companies to make in advance of their public filings. Those test filings often have the same, or similar, information to the final filings. After stealing thousands of test filings, they are said to have profited from trading before the rest of us learned what was in those reports.

The conspirators got into EDGAR via what the Justice Department (DOJ) says was a series of targeted cyberattacks, including directory traversal attacks (also known as path traversal attacks), phishing, and malware. To get an idea of what a path traversal vulnerability is all about, you can take a look at how it was recently one of three minor bugs that added up to a major exploit in a family of security webcams. In essence, it lets attackers reach restricted directories and files, and sometimes execute commands, outside the web server’s root directory.
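To make the traversal bug described above concrete, here is an added example (not code from the article, and nothing to do with the SEC's actual systems) contrasting a naive file lookup that lets `../` segments escape the web root with a hardened lookup that canonicalises the path and refuses anything outside the root; the web root is a constructed temporary directory holding one public file.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed web root: a temporary directory holding one public file,
# so the example runs offline and touches nothing real.
WEBROOT = tempfile.mkdtemp(prefix="traversal_demo_")
with open(os.path.join(WEBROOT, "index.html"), "w", encoding="utf-8") as fh:
    fh.write("<h1>public</h1>")


def naive_resolve(webroot: str, requested: str) -> str:
    """Insecure lookup: decodes the request, strips a leading '/', and trusts
    the rest. '../' segments are passed straight through to the filesystem."""
    return os.path.join(webroot, unquote(requested).lstrip("/"))


def safe_resolve(webroot: str, requested: str):
    """Hardened lookup: canonicalise the candidate path and refuse anything
    that does not stay inside webroot. Returns the absolute path or None."""
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, unquote(requested).lstrip("/")))
    # commonpath, not startswith: '/srv/www' must not be fooled by '/srv/www2'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def naive_escapes_root(webroot: str, requested: str) -> bool:
    """True when the naive lookup would land outside webroot, i.e. the request
    is a traversal that the insecure handler would have served."""
    root = os.path.realpath(webroot)
    target = os.path.realpath(naive_resolve(webroot, requested))
    return os.path.commonpath([root, target]) != root


if __name__ == "__main__":
    for req in ("index.html", "../../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"):
        print(f"{req!r}: naive escapes root={naive_escapes_root(WEBROOT, req)}, "
              f"safe -> {safe_resolve(WEBROOT, req)}")
```

Note that the check runs on the decoded, canonicalised path: URL-encoded dots and slashes, absolute paths and symlinks are all handled by resolving first and comparing afterwards.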

The indictment says the defendants sent email rigged with malware to SEC employees. The phishers disguised those poisoned emails to look like they came from other SEC employees. One or more employees must have fallen for the phish and in the process infected the SEC’s computers with the malware. After the computers had been infected, the defendants allegedly used them to probe the SEC’s network, steal the test filings and copy them across to their own servers.

They allegedly began not by targeting EDGAR for confidential information but by going after newswire services’ press releases. Ieremenko was charged in 2015 in relation to the scheme, in which hackers and traders allegedly pocketed more than $100 million from illicit trades.

The indictment unsealed on Tuesday alleges that Ieremenko used some of the same methods to hack the SEC that he’d used against the newswires. For example, the same IP address was used in both schemes.

The SEC complaint portrays Ieremenko as the mastermind. In the summer of 2018, the SEC says that he bragged, via electronic communication, about hacking both the SEC and the newswires. The SEC didn’t go into details about that online conversation.

Prosecutors say that Radchenko recruited traders to the scheme and allegedly shared the stolen test filings with them. The DOJ gave one example of how the traders allegedly used the information to fatten their brokerage accounts: a test filing for “Public Company 1” was uploaded to the EDGAR servers at 3:32 p.m. on 19 May 2016. Six minutes later, the defendants allegedly stole the test filing and uploaded a copy to their Lithuanian server.

A few minutes later, one of the conspirators purchased about $2.4 million worth of shares. At 4:02 p.m., the company released its second-quarter earnings report and announced good times were ahead: it expected to deliver record earnings in 2016. The conspirator then sold the shares for a tidy profit of more than $270,000.

EDGAR: Quite the tempting target

The breach of EDGAR has raised questions about the government’s ability to protect a system so integral to the health of financial markets. Following the hack, the commission hired more cybersecurity staff, started a cybersecurity unit and launched an internal review.

SEC Chairman Jay Clayton said in a statement that the breach shows the SEC faces the same threats as the exchange-listed companies it oversees:

These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion. Here at the SEC, we recognize that we must continuously use the resources available to us efficiently and effectively to bolster our cybersecurity defenses and reduce our cyber risk profile.