On Tuesday (Jan. 15) federal prosecutors, in cooperation with the Securities and Exchange Commission (SEC), unveiled charges against hackers and their accomplices for an illegal insider trading scheme. The scheme reportedly netted over $4 million for fraudsters collaborating from the U.S., Russia, and Ukraine.
SEC’s EDGAR System Compromised
Essentially, these hackers discovered a new type of insider trading by hacking into the SEC’s EDGAR system. EDGAR, which stands for the Electronic Data Gathering, Analysis, and Retrieval system, performs automated collection, validation, indexing, and forwarding of submissions by companies and others who are required by law to file forms with the SEC. All companies, foreign and domestic, are required to file and upload registration statements, periodic reports, and various other forms electronically through EDGAR.
Like nearly all software programs, EDGAR has vulnerabilities. Hackers were able to exploit a vulnerability that allowed them to bypass a gateway that required users to submit login credentials. Once past that checkpoint, hackers were able to rifle through an abundance of documents not available to the public.
Phishing emails were also used: the hackers posed as SEC security personnel, tricking SEC employees into opening infected emails. Once opened, the messages infected computers with malware and let hackers probe further into the agency’s network and steal even more information.
How Hackers Made $4.1 Million Through EDGAR
The scheme, which involves seven individuals from the U.S., Russia, and Ukraine, is believed to have occurred between October 2016 and May 2018. In order to break into the government vault containing the financial secrets of America’s largest corporations, hackers posed as a company. By posing as a company, along with a wide array of other tactics, hackers spent months rooting around EDGAR looking for information to trade on, including unpublished earnings results.
Using the exfiltrated data, hackers worked with traders who set up legitimate accounts and made legitimate trades – even losing money to the tune of nearly $39,000. However, the traders were able to make $4.1 million using unpublished earnings results of 157 companies.
The SEC’s Cybersecurity
The SEC first revealed the hack in September 2017. It was an embarrassment for an agency that has itself punished companies over how they handle hacks of their systems.
“Publicly traded companies know that, if they were hacked, litigation would be flying and the SEC would be investigating,” said Joseph Grundfest, a law and business professor at Stanford University who was previously an SEC commissioner. “But when the SEC is hacked, nothing bad happens, and all the fingers instead point to the hackers.”
However, according to John Reed Stark, a cybersecurity consultant and former SEC enforcement attorney, the agency has “recently” shifted away from blaming many breaches on affected firms. Instead, the SEC is emphasizing the importance of defense mechanisms and employee training.
“They (the SEC) are a little more sympathetic to entities they examine. They’re not looking for perfection, they’re looking for good governance,” said Reed Stark.
SEC chairman Jay Clayton also commented on cybersecurity in a statement on the hack.
“Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systematic,” Clayton said. “We also must recognize – in both the public and private sections, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
A data breach or hack is all but guaranteed to occur within a major financial institution governed by the SEC in 2019. It will be interesting to see whether or not the SEC is truly forgiving after getting its own taste of public embarrassment at the hands of cybercriminals.