Hackers With Apparent Investment Banking Background Target Biotech

SAN FRANCISCO — For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — the vast majority publicly traded health care or pharmaceutical companies — in apparent pursuit of information significant enough to affect global financial markets.

The group's activities, detailed in a report released Monday morning by FireEye, the Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can affect a company's stock price.

Read MoreBoom in hacks mean big biz ... for some

Starting in mid-2013, FireEye began responding to intrusions at publicly traded companies — two-thirds of them, it said, in the health care and pharmaceutical sector — as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services.

Smeel Photography | E+ | Getty Images

The attackers, whom FireEye named "Fin4" because of their focus on the financial sector, appear to be native English speakers, based in North America or Western Europe, who are well-versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ.

More from The New York Times:
Boehner Faces the First Days of New Power in Congress
Indictment Opens New Era in Coal Country
Court to Weigh Job Protections for Pregnant Women

Different groups of victims — frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists — are sent different emails. Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee's negative comments about the executive in an investment forum.

In other cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In some incidents, the attackers have simply embedded generic investment reports in their emails.

In each case, the links or attachments redirect their victim to a fake email login page, designed to steal the victim's credentials, so that the attacker can log into and read the contents of their emails.

Read MoreWebcam hackers may be watching you

The Fin4 attackers maintain a light footprint. Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to crawl further and further into an organization's computer servers and infrastructure. They simply read a person's emails, and set rules for the infiltrated inboxes to automatically delete any email that contains words such as "hacked," "phished," or "malware," to increase the time before their victims learn their accounts have been compromised.

"Given the types of people they are targeting, they don't need to go into the environment; the senior roles they target have enough juicy information in their inbox," said Jen Weedon, a FireEye threat intelligence manager. "They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits."

Because the attackers do not deploy malware, and communicate in correct English, they can be tricky to track. Ms. Weedon said FireEye first began responding to Fin4 attacks in mid-2013 but did not put together its findings until five months ago, when a few of its analysts concluded the attacks did not appear to be the work of familiar attackers in Russia or China, and warranted further investigation.

FireEye would not name the victims, citing nondisclosure agreements with its clients, but said that all but three of the affected organizations are publicly listed on the New York Stock Exchange or Nasdaq, while the others are listed on exchanges outside the United States.

Half of these companies fall into the biotechnology sector; 13 percent sell medical devices; 12 percent sell medical instruments and equipment; 10 percent manufacture drugs; and a small minority of targets include medical diagnostics and research organizations, health care providers and organizations that offer health care planning services.

FireEye said it had notified the victims, as well as the Federal Bureau of Investigation, but did not know whether other organizations like the Securities and Exchange Commission were investigating.

Representatives of the F.B.I. declined to comment. Representatives of the S.E.C. did not respond to requests for comment.

Read MoreHome, baby cameras not secure worldwide

Ms. Weedon said that FireEye had not had time to assess the effects of the breaches to see whether the attackers had benefited financially.

In each case, attackers logged into their victim's email accounts using Tor, the anonymity software that routes web traffic through Internet Protocol addresses around the globe, which can make it difficult, but not impossible, to trace their origins. Last month, the F.B.I. seized dozens of criminal websites operating on the Tor network, in the largest operation of its kind.

"We don't have specific attribution but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States," Ms. Weedon said. "But it's hard because we don't have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads."

Ms. Weedon added, "If it's not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well."