No one ever wants to read press releases, not even journalists, and especially not when the documents are dense corporate financial updates trying to make things sound rosy to investors no matter what. You can imagine, though, that these perfunctory releases might take on a whole other significance and value to someone interested in, say, insider trading.
A series of both criminal and civil cases have been going on for months now to expose and potentially punish hackers and traders who used unpublished press releases to inform their trading and make big money. Between 2010 and 2015 a group of Ukrainian hackers infiltrated three newswire services---industry mainstays Business Wire, Marketwired and PR Newswire---and shared thousands of embargoed corporate news releases over time with a group of traders. And last week, one day trader, Leonid Momotok, 48, of Suwanee, Georgia joined four other defendants in pleading guilty to conspiracy and fraud charges related to using the hacked information. Momotok will face up to 20 years in prison for conspiracy to commit wire fraud.
Hacking press release databases doesn't sound like a very glamorous scheme, but it speaks to a larger problem: as criminals exhaust low hanging fruit, they begin thinking more creatively about how seemingly banal systems and infrastructure, like a company interacting with a press release service, can potentially yield valuable data. In cybersecurity an important concept of defense is the idea of reducing a system's "attack surface." The more third parties, contractors, consultants, etc. an institution (or individual) interfaces with, the bigger the attack surface for potentially accessing sensitive data.
Robert Capers, US Attorney for the Eastern District of New York, said in a statement about Tuesday's guilty plea that, "Momotok and his group of traders engaged in a brazen scheme that was unprecedented in its scope, impact and sophistication.”
According to the charges filed, Momotok and his codefendants allegedly helped traders set up accounts to access foreign servers where the hackers shared the stolen, unpublished financial data. Meanwhile, the traders allegedly kept a sort of wish list for the hackers so they would know which press releases to pull as they came along. Since companies usually only provide newswires with embargoed press releases a few hours before the news goes live, after the hackers apparently posted new releases to the servers, the traders would have a very limited time to digest the information and decide how to act on it. The stolen press releases, about 150,000 of them in all, were for all sorts of companies including, Hewlett Packard, Home Depot, and Panera Bread Co.
The SEC contends that the Ukrainian hackers infiltrated the three newswires' networks using a variety of attacks, such as using employee usernames and passwords to gain access to networks, exploiting system vulnerabilities to create backdoors, planting malware that would eliminate indications of the intrusion. In some cases they successfully masked the origins of the attacks.
The impacts of the hacks are sprawling. First, there's the criminal case that Momotok is part of, SEC v. Dubovoy, et al., which involves nine other defendants who together face charges of profiting roughly $30 million in illicit trading, according to the FBI and the US Attorney’s Office for the Eastern District of New York. But there's also a civil case, brought by the US Securities and Exchange Commission. Since August of last year when the case was begun, the Commission has compiled 43 defendants and estimates they raked in over $100 million in illegal profit. So far, the SEC has recovered more than $52 million in settlements with Russian, French, and Ukrainian defendants.
"We’ve been thinking about these issues in terms of how can people use hacked information to trade in the securities market," said Joseph Sansone, the co-chief of the SEC Division of Enforcement Market Abuse Unit. He noted that the SEC has worked on similar press release hacking and insider trading cases including one from 2005 that involved at least $7.8 million in illegal profits, one in 2007 that generated $2.7 million in illegal profits, and one in 2010 that totaled almost $300,000 in illegal profits. Sansone concluded, though, that this most recent case, "really was historic" in terms of its sheer scale. Both the SEC and the US Attorneys Office of the Eastern District of New York have said that it is the largest hacking/securities fraud scheme of its kind ever discovered.
WIRED reached out to the newswire services in question and did not hear back from Business Wire or PR Newswire. Marketwired, now known as Nasdaq, declined to comment.
Though the case seems somewhat niche, it is an important reminder of the whole "you're only as strong as your weakest link" concept. A bank, for example, can pour money into defending its networks and preemptively discovering its own vulnerabilities, but if it sends financial information to a wire service or any other third party that doesn't take the same precautions, that data will be vulnerable. For individuals, of course, this doesn't mean protecting ourselves is hopeless, but it does raise analogous questions about the digital services we choose to trust. Companies with a bad security track record may not deserve your data.
