Friday, August 24, 2018

"How an international hacker network turned stolen press releases into $100 million"

From The Verge:
At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he’d been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits. 

Oleksandr Ieremenko, one of the hackers at the club that night, had worked with Turchynov before and decided he wanted in on the scam. With his friend Vadym Iermolovych, he hacked Business Wire, stole Turchynov’s inside access to the site, and pushed the main Moscovite ringleader, known by the screen name eggPLC, to bring them in on the scheme. The hostile takeover meant Turchynov was forced to split his business. Now, there were three hackers in on the game.

Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts. Through interviews with sources involved with both the scheme and the investigation, chat logs, and court documents, The Verge has traced the evolution of what law enforcement would later call one of the largest securities fraud cases in US history. 

The case exemplifies the way insider trading has been quietly revolutionized by the internet. Traders no longer need someone inside a company to obtain inside information. Instead, they can turn to hackers, who can take their pick of security weaknesses: a large corporation or bank may have good in-house security, but the entities it works with — such as financial institutions, law firms, brokerages, smaller investment advisories, or, in this case, newswires — might not.  

As one person involved in the press release scheme pointed out, it doesn’t matter what level of security a company has, “you’ve always got the human factor: that one employee who will click on the phishing email or is happy to exchange their password for money.” 

“Just about every organization that compiles financial data that could be useful for traders has, at some point, been hacked,” says Scott Borg, director of the US Cyber Consequences Unit, a nonprofit research institute that does consulting for the US government. “All the bureaus of economic analysis from major countries in the world have almost certainly been hacked.”

For the most part, Borg says, these hacks fly below the radar. They tend to be “sophisticated and targeted,” and companies often refrain from reporting them, whether to avoid liabilities and reputational damage or because they don’t even know what information has been stolen.

In the last eight years, the US Securities and Exchange Commission has added three new teams to enhance its cybercrime detection capabilities and pushed companies to bolster their own security and quickly disclose breaches. The measures have had some success, as evidenced by a recent case involving law firms infiltrated by three Chinese hackers, but it’s a cat and mouse game. Even the SEC isn’t safe: in 2016 the commission was hit. The attack was not made public until the following year, generating accusations of hypocrisy.  

The international nature of trading hacks makes enforcement particularly difficult. Shortly before Turchynov was bragging about the scheme, the US Secret Service, whose mission includes protecting the country’s financial infrastructure, started taking an interest in what he was up to.

From the beginning of 2012 onward, the three newswires — Business Wire, PR Newswire, and Marketwired — were endlessly patching holes and uninstalling malware in an effort to block the hackers’ access, court documents show. Askari Foy, a cybersecurity expert formerly with the SEC, explained that it would be standard practice for one of these firms to contact the FBI to launch a criminal investigation, which would give authorities access to their systems for forensic analysis.

After authorities alerted PR Newswire to a potential breach, the wire hired the private cybersecurity firm Stroz Friedberg in March 2012 to investigate further. Turchynov’s malware was detected and uninstalled, according to court documents. He sent a panicked message to the Moscovites on March 27th, presumably referring to internal newswire emails he had access to:

When you get back here write to me right away, there are several problems. The first and largest is that PR is fucked up. They detected the module and removed all our shit there. They took away that temporary server. I haven’t gone on to the new one yet, I’m waiting. This happened on the 13th [March]. The second problem: your guys were detected. They were trading with very big money and there was a lot of fuss about them, about how it’s not the season and when it was the season they traded.

But by May 30th, 2012, thanks in part to their new co-worker Ieremenko, the hackers had regained access to PR Newswire and were back in business.

The US Secret Service decided to send an assistance request to Ukraine’s intelligence services, according to Ukrainian agent Oleksiy Tkachenko and US court documents. Their Ukrainian counterparts set to work following Turchynov about his daily life.

According to a peer who was also contacted by the Ukrainian agents, they noticed that Turchynov socialized with a group of 10 other men in their 20s, including his colleagues Ieremenko and Iermolovych, who had abundant cash and no discernible source of income. Turchynov is said to have owned a house in Koncha-Zaspa, Kiev’s equivalent to Beverly Hills. On social media, he displayed an extravagant gold clock collection, a gun, a luxury car, and pictures of him and his friends in Kiev nightclubs...

MUCH MORE