
Operational Security

1/16/2019
09:35 AM
Scott Ferguson
News Analysis-Security Now

Justice Department Indicts 2 Ukrainian Nationals With Hacking SEC

The Justice Department has charged two Ukrainian nationals with hacking into the SEC's EDGAR systems and accessing sensitive company reports and other data before the information was made public.

The US Justice Department has indicted two Ukrainian nationals for attacking the computer networks of the Securities and Exchange Commission (SEC), accessing thousands of sensitive company documents, and then selling that data to others or trading on the inside information themselves.

The two men, Artem Radchenko, 27, and Oleksandr Ieremenko, 26, who both live in Kiev, face a slew of charges stemming from the 16-count indictment, including securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud and computer fraud, according to the Justice Department. The two remain at large.

Together, the two used a series of cyberattacks to target the SEC's Electronic Data Gathering, Analysis and Retrieval system, which is also known as EDGAR. This database contains thousands of sensitive corporate documents, including quarterly and annual earnings reports, as well as other data such as disclosures for companies considering an initial public offering (IPO).

(Source: SEC)

Specifically, between February 2016 and March 2017, Radchenko and Ieremenko, along with other individuals not named in the indictment, targeted what are called test filings within the EDGAR system. These test filings allow companies to preview how their disclosures will appear once released, but they also contain much of the same information found in the public version of the documents.

It was these test filing documents that were stolen. The data was then sold to others or used to conduct stock trades on the basis of financial information that was not yet available to the general public.

To gain access to the SEC and EDGAR, Radchenko and Ieremenko used a number of different techniques and cyberattacks to penetrate the IT systems, including phishing attacks, malware planted on servers, and directory traversal attacks, in which an attacker reaches restricted directories outside the web server's root directory and then executes commands on the server. This in turn gives the attacker access to restricted files where sensitive data is stored.
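To make the directory traversal technique mentioned above concrete from the defender's side, here is an added example (not code from the article or from the SEC) showing how a file-serving component confines requests to its document root, plus a small detector run over constructed web access-log lines. The document root, log lines and IP addresses are all constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root: the server must only ever serve files below it.
DOCROOT = "/srv/www/filings"

def resolve_under_root(docroot: str, requested: str):
    """Map a request path onto a filesystem path and refuse anything that
    would escape docroot. Returns the resolved path, or None if rejected."""
    root = posixpath.normpath(docroot)
    decoded = requested
    # Decode repeatedly so a double-encoded "%252e%252e" cannot slip past
    # a single decode step and become ".." later in the pipeline.
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as separators and reject embedded NUL bytes.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    # Collapse "." and ".." lexically, then check the result is still under root.
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined

# Markers that indicate a traversal attempt in a request path (raw and encoded).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e|\.\.%2f)", re.IGNORECASE)
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def scan_access_log(lines):
    """Return (client_ip, request_path) for each access-log line whose
    request path carries a traversal marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and TRAVERSAL_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log lines in common log format (addresses are documentation ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/May/2016:15:32:11 -0400] "GET /test/form-10q.htm HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/May/2016:15:38:02 -0400] "GET /test/../../../etc/passwd HTTP/1.1" 403 0',
    '203.0.113.5 - - [19/May/2016:15:38:09 -0400] "GET /test/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
]
```

The resolver is the mitigation (escapes resolve to None and are never opened), while the scanner is the detection signal worth alerting on.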

Once the information was stolen, it was used to make a series of stock trades based on the test documents. For example, on May 19, 2016, a publicly traded company uploaded information to the EDGAR database at 3:32 p.m. Eastern time. About six minutes later, that report was stolen and uploaded to a server in Lithuania. Within a few minutes, about $2.4 million worth of the company's shares were bought, and the company then announced record earnings the same day at 4:02 p.m.

The next day, the stock purchased with stolen data was sold for a profit of more than $270,000, according to the Justice Department.

"The defendants charged in the indictment announced today engaged in a sophisticated hacking and insider trading scheme to cheat the securities markets and the investing public," Craig Carpenito, the US Attorney for New Jersey, wrote in a January 15 statement.

Ieremenko had already been indicted in 2017, along with several others, for stealing press releases and other statements containing confidential, non-public financial information from the servers of newswire companies. In that case too, those involved profited from buying and selling stock based on the stolen details.

Of the new charges filed against Radchenko and Ieremenko this week, the most serious are the wire fraud conspiracy and substantive wire fraud counts, which carry a maximum penalty of 20 years in federal prison and a $250,000 maximum fine.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
