A group of financially savvy computer hackers has been stealing data from more than 100 organizations, mainly targeting publicly traded health care, pharmaceutical and biotechnology companies, to gain insider knowledge and game the stock market. The news underscores the vulnerabilities of corporate computer networks and the many ways that cybercriminals use low-tech “social engineering” to further their aims.
The cybercriminal group known as FIN4 “compromises the email accounts of individuals who regularly communicate about market-moving, nonpublic matters,” according to the “Hacking the Street” report from U.S. security firm FireEye, released Monday. The hackers are believed to be native English speakers based in North America or Western Europe.
FIN4 uses Wall Street language to convince industry professionals that its communications are legitimate. The report also reveals a particular interest by cybercriminals in the pharmaceutical industry, where insider information on events such as mergers, acquisitions and the progress of drug trials can move a company’s stock price.
FireEye doesn’t know how much money FIN4 has made by stealing insider secrets, but the firm says the cyberattacks have been taking place since at least the middle of 2013, when it first began tracking the group. The hackers appear to be well-versed in Wall Street slang and command English like native speakers.
“FIN4 focuses on acquiring information about ongoing M&A [mergers and acquisitions],” the report stated. “The group frequently employs M&A-themed lures with Visual Basic for Applications (VBA) macros implemented to steal the usernames and passwords of these key individuals.”
VBA is a Microsoft programming language built into most Microsoft Office applications. Macros are sets of instructions that users can create to automate frequently used commands. VBA macros pose a security risk, and experts recommend that users disable macros when they receive documents from unverified sources. FIN4 hackers are also sending links to fake Microsoft Outlook Web App login pages to capture users’ credentials.
Hackers can also use macros to set up rules that automatically delete emails containing words such as “hacked” and “malware,” preventing account owners from receiving warnings that their accounts have been compromised. The hackers’ code reveals a particular interest in the emails of chief executives, chief financial officers and chief operating officers at drug companies or their advisory firms.
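A defender-side check for the self-concealing rule described in the previous paragraph, written as an added example (not code from the article or the FireEye report): it audits exported mailbox rules for filters that delete or bury mail mentioning a compromise. The rule dicts, field names and sample mailboxes are constructed assumptions that only loosely mirror the properties of Exchange's Get-InboxRule output, and the check also flags moves to rarely read folders, which goes beyond the plain deletion the article describes.

```python
"""Flag mailbox rules that silently delete security-related mail.

Added example, not from the FireEye report or the article. Each rule is a dict
whose keys loosely mirror properties of Exchange's Get-InboxRule cmdlet
(SubjectContainsWords, BodyContainsWords, DeleteMessage, MoveToFolder); the
sample rules below are constructed, not captured from a real tenant.
"""

# Words a victim would expect to see in a warning that their account is compromised.
ALERT_KEYWORDS = ("hacked", "malware", "phish", "compromised", "suspicious",
                  "security alert", "password reset", "unusual sign-in")

# Folders that hide mail nearly as well as deleting it does (assumed list).
HIDING_FOLDERS = ("deleted items", "junk email", "rss feeds", "conversation history")


def matching_alert_words(rule):
    """Return the rule's filter words that look like security warnings."""
    words = list(rule.get("SubjectContainsWords", ())) + list(rule.get("BodyContainsWords", ()))
    return sorted({w for w in words if any(k in w.lower() for k in ALERT_KEYWORDS)})


def hides_mail(rule):
    """True if matching mail is deleted or routed to a folder nobody reads."""
    if rule.get("DeleteMessage"):
        return True
    folder = (rule.get("MoveToFolder") or "").lower()
    return any(h in folder for h in HIDING_FOLDERS)


def audit_rules(rules):
    """Return (mailbox, rule name, alert words) for every suspicious rule."""
    findings = []
    for rule in rules:
        words = matching_alert_words(rule)
        if words and hides_mail(rule):
            findings.append((rule["Mailbox"], rule["Name"], words))
    return findings


# Constructed sample rules: one legitimate, two of the concealment kind.
SAMPLE_RULES = [
    {"Mailbox": "cfo@example.com", "Name": "Newsletters",
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Mailbox": "cfo@example.com", "Name": "Filter",
     "SubjectContainsWords": ["hacked", "malware"], "DeleteMessage": True},
    {"Mailbox": "ceo@example.com", "Name": "Cleanup",
     "BodyContainsWords": ["suspicious sign-in"], "MoveToFolder": "RSS Feeds"},
]

if __name__ == "__main__":
    for mailbox, name, words in audit_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} hides mail matching {words}")
```

In a real investigation the rule list would come from an export of every mailbox's rules, with the same three checks applied to each.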
FIN4 has targeted senior executives because they “have enough juicy information in their inbox,” Jen Weedon, a FireEye threat intelligence manager, told the New York Times. This differs from the more notorious attacks by hackers in Russia and China, who attempt to infiltrate networks with malware that is more easily detected.
FIN4 instead appears to be quietly viewing the email messages of corporate executives and managers of financial advisory firms who might have information that outsiders can use to commit insider trading. FireEye didn’t name the targeted companies but said most of them are listed on the New York Stock Exchange.