Cybersecurity firm BAE Systems (a large and credible industry player) announced that it had found and remediated an attack on an unnamed hedge fund back in late 2013 which placed malware on the firm’s servers which intercepted HFT trades, delayed their execution, and sent information about the trades to a third party server. BAE believes that “organized crime” was behind this attack.
If this report is accurate, it marks a new level of sophistication and business insight by attackers – rather than simply stealing random information or creating denial of service situations, these guys used knowledge of the financial industry (and at least some significant level of capital) to profit from their hack. Apparently, the attack went unnoticed for 8 weeks.
The firm’s report also mentions another attack on an insurance firm, where the attackers created bogus insurance policies in the firm’s underwriting systems and then file claims against them.
This is a new attack trend that I have been expecting to see for some time – now that attackers have gotten really comfortable and successful with the technical side of hacking, the next logical step is to combine these skills and wins with business knowledge and capital to create much more sophisticated, profitable and (for victimized companies) potentially devastating attacks. The financial services industry needs to take this incident seriously and adjust its view of the motives and sophistication of attackers. While we have all talked about the theoretical possibility of hacks like this one, it has always seemed to be one of those “just over the horizon” threats. Well, this new bit of news should firmly place these blended cyber/business/capital attackers and attacks on our radar.
While we don’t know exactly how the attackers gained access to the servers in question, I would be pretty surprised if a workstation malware compromise was not one of the first steps in the attack chain. Another reason to keep bolstering our workstation defenses – patching, EMET, browser virtualization, behavioral based malware detection, and web filtering and blocking. And another reason to have a conversation with your employees about just how perilous the landscape is becoming.