SEC Files Indictment Following 2016 Hack, Nonpublic Data Theft
The SEC and DOJ charged a group of hackers and illicit traders for breaking into the SEC's company filings database, stealing data, and making trades that earned the group $4.1 million.
This week, the Securities and Exchange Commission (SEC) finally brought charges against traders who, back in 2016, hacked into the EDGAR corporate filing system that supports Dow Jones.
Stephan Schlegelmilch and Cheryl Crumpton, attorneys for the SEC, filed a suit against the defendants early Tuesday morning in a federal court in Newark, New Jersey.
The SEC and the U.S. Attorney's Office announced the enforcement action at a joint press conference Tuesday morning, charging nine defendants: one Ukrainian hacker, six traders in California, Ukraine, and Russia, and two entities involved in the scheme.
The hacks involved the theft of material nonpublic data concerning companies, which the suspects went on to use in a stock-trading scheme. The individuals used the data from EDGAR to make millions, at least $4.14 million according to the indictment, over the course of several months in 2016.
EDGAR, also known as the Electronic Data Gathering, Analysis, and Retrieval system, is an online database used by the SEC to collect, validate, index, and accept forms filed by companies with the SEC. Companies have to use EDGAR to file documents like annual and quarterly statements, information on holdings, investors, and so on.
Beginning in May 2016, Oleksandr Ieremenko, the hacker charged in the suit, made efforts to “surreptitiously exfiltrate” data on the SEC’s servers to make it seem like he was a legitimate EDGAR user. Ieremenko tricked SEC computer users into opening documents containing malware that mimicked emails sent by SEC security personnel, used multiple aliases to conceal his IP address, and sidestepped some EDGAR login pages to secure access to the service. Once in, Ieremenko, with the help of traders, exfiltrated data (157 earnings releases from May to October 2016), which he quickly used to monetize his scheme.
Ieremenko worked with Artem Radchenko, a second hacker from Ukraine who's not named in the SEC's complaint but is in a parallel indictment unsealed by the U.S. Attorney’s Office for the District of New Jersey on Tuesday, to recruit traders.
Traders used the data - test filings that contained nonpublic data that was scheduled to be published - to execute trades in the securities of companies before the data was published.
While the intrusion occurred in 2016, it wasn't until September 2017, nine months after the fact, that the public learned of it.
SEC Chairman Jay Clayton mentioned the hack in passing in a blog post that year titled "Statement on Cybersecurity," in which he blamed the incident on a software vulnerability in the test filing component of the EDGAR system. At the time, Clayton said the commission didn't believe the intrusion resulted in access to "personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk," but it can be argued it permitted a mix of all three.
The announcement was delayed partly because the SEC itself didn't detect the attack until later. According to the indictment, the commission patched the software in October 2016 following a detected attack on the system.
The suit doesn't say why it took so long for the SEC's IT team to notice the intrusion.
The SEC’s patch effectively blocked Ieremenko's access but didn't stop the hacker from trying to hack SEC computer workstations through phished emails. Ieremenko persisted, even though none of his efforts ultimately resulted in the exfiltration of nonpublic data.
Clayton issued a statement around the indictment, thanking law enforcement and a bevy of federal agencies for assisting the SEC in pursuing the action. Among those agencies: the FBI, the U.S. Secret Service, the Office of the General Counsel, Office of Inspector General, Office of the Chief Operating Officer, and the Office of Information Technology.
"This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types," Clayton wrote. "These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion."
The SEC, like most of Washington currently, is operating with a skeleton crew in light of the ongoing federal government shutdown. EDGAR, along with the SEC's Tips, Complaints, and Referrals (TCR) system, continues to function as usual, however.
Due to the ongoing federal govt shutdown, we are currently operating in accordance with the SEC’s plan for operating during a shutdown. Effective today (12/27/18) and until further notice, we will have limited number of staff members available. More info: https://t.co/RhiOji1iyR
— SEC_News (@SEC_News) December 27, 2018