FireEye reported uncovering the campaign in its threat report "Hacking the Street? FIN4 Likely Playing the Market", confirming that the group has already targeted more than 100 companies.
“FireEye is currently tracking a group that targets the email accounts of individuals privy to the most confidential information of more than 100 companies,” read the report.
“The FIN4 [hacking group] distinctly focuses on compromising the accounts of individuals who possess non-public information about merger and acquisition deals and major market-moving announcements.”
FireEye said that the campaign has been active since at least the middle of 2013, and primarily targets C-level executives, legal counsel, regulatory bodies, risk and compliance personnel, researchers, scientists and “people in other advisory roles”.
“FIN4 sends spear phishing emails to selected targets with weaponised documents,” FireEye threat intelligence manager Jen Weedon told V3.
“Based on what we’ve observed of FIN4’s activity, the group selects its targets based on their roles and probable access to sensitive, material, non-public information.
“The document, when opened, will result in a prompt for the target’s username and password, which are then transmitted to servers controlled by FIN4.”
Weedon explained that the campaign is mainly US focused and targets specific industries.
“We have observed some international organisations being targeted. However, the overwhelming majority of targets have been in the US,” Weedon said.
“The primary industry hit has been healthcare and pharmaceuticals, and 68 percent of the 100-plus companies targeted are in that industry.
“Twenty percent are firms that advise public companies on securities, legal and M&A matters, and 12 percent are other publicly traded companies in various industries.”
Weedon added that FIN4's method is technically simple, but that because it installs no malware the activity is hard to detect, and that firms should employ a variety of protective measures.
“The relative simplicity of FIN4’s tactics (spear phishing, theft of valid credentials, lack of any malware installed on victim machines) makes their intrusion activity difficult to detect. However a few basic security measures can help thwart the group’s efforts,” Weedon said.
“Disabling Visual Basic for Applications macros in Microsoft Office by default, as well as blocking the domains listed in our report, will help protect against FIN4’s current activities.
“Additionally, enabling two-factor authentication for Open Web Access and any other remote access mechanisms can help prevent credentials stolen in this manner from being leveraged successfully.”
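The macro-disabling advice above is a client-side control; a complementary check at the mail gateway is to inspect attachments by content rather than by file extension and hold anything that carries a VBA project. The following is an added example written for this article, not FireEye's or V3's code and not tied to FIN4's actual documents: it treats OOXML attachments (.docx, .docm, .xlsm and friends, which are ZIP containers) as macro-enabled when they contain a vbaProject.bin part, and flags legacy binary Office files (OLE2 magic bytes) for deeper inspection because this simple method cannot see inside them. The sample documents it builds are constructed minimal containers, not real Word files.

```python
"""Classify Office attachments by whether they carry VBA macros.

Added example for the FIN4 write-up (not FireEye's or V3's code).
Assumes OOXML containers; legacy OLE2 files are only flagged, not parsed.
"""
import io
import zipfile

# Magic bytes of the two Office container formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx, .docm, ...)


def classify_attachment(data: bytes) -> str:
    """Return one of 'macro', 'clean', 'legacy-ole' or 'not-office'.

    The decision is made on content, never on the filename extension,
    so a renamed .docm is still caught.
    """
    if data.startswith(OLE2_MAGIC):
        # Binary Office formats need an OLE parser to find VBA streams;
        # hold them for a deeper scan instead of guessing.
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        # A ZIP without the OOXML content-types part is not an Office file.
        return "not-office"
    # Any vbaProject.bin part (word/, xl/, ppt/) means the file carries macros.
    if any(name.lower().endswith("vbaproject.bin") for name in names):
        return "macro"
    return "clean"


def gateway_action(data: bytes) -> str:
    """Map the classification to a hypothetical gateway policy (assumption)."""
    verdict = classify_attachment(data)
    return {
        "macro": "quarantine",
        "legacy-ole": "hold-for-scan",
    }.get(verdict, "deliver")


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample(True)),
                        ("plain", build_sample(False)),
                        ("legacy", OLE2_MAGIC + b"\x00" * 64)):
        print(f"{label:14s} -> {classify_attachment(blob):11s} {gateway_action(blob)}")
```

Because the check keys on the container's parts rather than the extension, a .docm renamed to .docx is still classified as "macro"; conversely a genuine .docx with no vbaProject.bin passes as "clean" even if its name looks suspicious.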
Data theft is an ongoing problem facing businesses of all sizes. Hackers operating under the #GOP moniker reportedly stole intellectual property from Sony in November. The FBI reported on 1 December that it had found evidence that the #GOP hackers may be North Korean.