Exclusive: SEC hunts hackers who stole corporate emails to trade stocks

By Sarah N. Lynch and Joseph Menn WASHINGTON/SAN FRANCISCO (Reuters) - U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cybersecurity consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye Inc about a sophisticated hacking group that it dubbed "FIN4." Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report. The SEC declined to comment. A Secret Service spokesman said the agency does not comment on pending investigations. FIN4 TACTICS The SEC has asked companies for data on cyber intrusions or attempted intrusions, as well as information on the tactics that the unknown hackers used to lure employees into giving up email passwords, known as "spear phishing" or "credential harvesting," people familiar with the investigation said. Stark said he saw some of the SEC's requests for documents from companies, but he was not familiar with the scope of the investigation. He and other sources declined to name the targeted companies because of client relationships and because the SEC investigation is confidential. It could not be learned if the SEC is only looking into the FIN4 group or if its probe is broader. Milpitas, California-based FireEye said it believed the FIN4 hackers could be from the United States or Europe because they had flawless English and a deep understanding of how the financial markets and investment banking work. The hackers targeted healthcare and pharmaceutical companies because their stocks tend to be volatile, and thus potentially more profitable. In one case, the hackers had sought information about Medicaid rebates and government purchasing decisions, FireEye said. FireEye's clients were among the companies targeted by the hackers, who used fake Microsoft Outlook login pages to trick attorneys, executives and consultants into surrendering their user names and passwords. "What was insidiously brilliant was that they could inject themselves into email threads and keep gleaning information," said FireEye's manager of threat intelligence, Laura Galante. "They really knew their audience." In at least one case, FireEye said, the hackers used a confidential document, containing significant information that they had already procured, to entice people discussing that matter into giving their email credentials. FireEye said it had briefed the FBI about its findings. CIVIL CASE As concerns about cybersecurity grew, the SEC in 2011 issued guidance for public companies on disclosing breaches. Companies are not required to disclose any breaches unless they are deemed to be "material" under federal securities laws. The probe is unusual for the SEC, which has typically searched for questionable trading activity in stocks and options when investigating insider trading cases, said Stark. The SEC only has the power to bring civil cases, so any possible criminal cases resulting from the probe would be brought by a federal prosecutor. Until now, the SEC has only brought a handful of civil cases against hackers. In 2007, the agency filed civil charges against a Ukrainian trader named Oleksandr Dorozhko whom they accused of hacking into IMS Health and stealing information on earnings that he used to make profitable options trades. In 2010, a federal court ordered Dorozhko to pay $580,000. (Reporting by Sarah N. Lynch in Washington and Joseph Menn in San Francisco; Editing by Soyoung Kim and Tiffany Wu)