Cybersecurity firm says large hedge fund attacked

Who's behind the unprecedented hedge fund hack
Who's behind the unprecedented hedge fund hack

Editor's Note: BAE Systems admitted that it "incorrectly presented" the facts and circumstances it supplied in this report after its publication. Please see this follow-up report.

In an audacious and sophisticated attack, cybercriminals acting in late 2013 installed a malicious computer program on the servers of a large hedge fund, crippling its high-speed trading strategy and sending information about its trades to unknown offsite computers, CNBC has learned.

The attack, which was thwarted this year by technicians at BAE Systems Applied Intelligence, has not been previously disclosed. It represents a new level of intrusions against some of the world's most high-flying financial firms.

BAE Systems declined to provide the name of the hedge fund, which was BAE's client.

Unprecedented cyberattack stopped
Unprecedented cyberattack stopped

Cyberattacks against major corporations such as Target and Neiman Marcus have dominated the news in recent months, but in those cases attackers have typically sought relatively easy-to-exploit data such as credit card numbers.

In the new case, attackers went after the hedge fund's trade order entry system, seeking to disrupt the fund's trading strategy and to send details of the trades themselves outside the firm.

Paul Henninger, global product director at BAE Systems Applied Intelligence, said the hack represents one of the most complex he's seen in a new wave of attacks designed to extract business strategy information from firms in a range of industries.

Read More Crack the code: Best hackers come from these universities

The new wave of attacks includes other assaults on hedge funds seemingly designed to uncover their trading strategies, and implies the existence of cybercriminals with the technical savvy to attack highly secure computer networks and, at the same time, the financial and market savvy to replicate intricate high-speed trading strategies.

"It's pretty amazing," Henninger said in an interview Wednesday from London. "The level of business sophistication involved as opposed to technical sophistication involved was something we had not seen before." He said BAE technicians in recent weeks have also spotted a cyberattack that used malware to take over a large property and casualty insurer's underwriting system. Using the compromised system, the criminals created fake insurance policies and filed claims against them, he said.

'The Perfect Crime'

weerapatkiatdumrong | Getty Images

Henninger said such business-savvy financial attacks can represent "the perfect crime," because they are extremely difficult to trace to obscure locations around the globe, and because companies can be reluctant to go to law enforcement. "It often takes a while for firms to get comfortable with the idea of exposing what is in effect their dirty laundry to a law enforcement investigation," Henninger said. "You can imagine the impact potentially on investor confidence."

He said he does not know if the hedge fund reported the details of the attack—which he estimated cost the firm millions of dollars over just a few months' time—to the SEC or the FBI.

Officials from the SEC and FBI declined to comment on this specific case.

Read More Stealing the show: Cybersecurity stock valuations on the rise

The combination of technological and financial savvy required to investigate such a crime, and the mishmash of overlapping global jurisdictions possibly involved, would make the hedge fund hack a daunting investigative challenge for any civil or law enforcement agency. But both the SEC and the FBI have stepped up efforts in recent months to coordinate with victims of complicated cyberassaults.

The Securities and Exchange Commission has been prodding hedge funds to beef up cybersecurity, announcing an effort at the beginning of 2014 to review security policies. "We will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors," said Jane Jarcho, the national associate director for the SEC's investment adviser exam program at the time, according to Reuters.

Similarly in February, FBI Director James Comey told a cybersecurity conference in San Francisco that he wants private sector companies to provide information to the FBI even when they're uncomfortable coming forward. "We understand that you are reluctant to report intrusions, either because you're worried the government will start rummaging around your networks or because you fear your reputation will take a hit in the marketplace," he said. But he emphasized that cooperation is the only way for the FBI to get the information it wants. "We need to examine patterns and behaviors, to determine how they operate, and how best to stop them. We must build an intelligence-driven predictive capability."

Gone Phishing

The newly disclosed hedge fund attack began in late 2013, when hackers sent a so-called "spear phishing" email—a seemingly innocuous message that, when opened, inserted the malware onto the hedge fund's servers. The spear phishing emails appeared as if they were about the capital markets industry, in order to make it more likely that the hedge fund employees would click on them.

The details of the attack were provided by BAE Systems and were not independently verifiable by CNBC.

Over the months after the email was sent, financial analysts and IT managers at the firm noticed two problems that they did not initially realize were connected. At first, the firm noticed that its algorithmic trading strategy—a computer-based trading system that depended on high-speed trades—had suddenly become ineffective. Upon investigation, the traders discovered an unexpected lag time between when they were issuing trade orders and when those orders were executed. The delays the attackers added to the trading software ranged from hundreds of microseconds to the low-single-digit milliseconds. BAE's analysts concluded the attackers were trying to create tiny delays in the hundreds of microsecond range.

Read More US companies seek cyber experts for top jobs, board seats

At the same time, the firm's IT staff observed suspicious behavior on their computer network—files being moved on the system in ways that couldn't be explained by normal business operations. At that point, the firm brought in BAE Systems to analyze the IT problem, Henninger said.

Over subsequent weeks, the team found that the malware had been programmed to insert a random lag into the firm's order entry system of just a few milliseconds. The malware also recorded the details of those orders. "That piece of malware was undermining the effectiveness of that trading strategy and it was exposing the details of that trading strategy to someone who could easily copy that information out of the network and replicate it, trade ahead of it, trade around it, et cetera," said Henninger.

He said BAE systems does not know what happened to the trading data after it left the hedge fund's computers, but that the most likely explanation is that the intruders were able to reap significant profits from trades of their own in financial markets.

Henninger said the malware represented a multimillion dollar problem for the hedge fund. "This was not something that was a minor issue for them," he said. "This was something that was getting reviewed at the board level of this hedge fund precisely because it was having a material impact on performance across the portfolio."

Public disclosure of illicit trading based on hacked information is exceedingly rare.

In 2010, however, the SEC obtained summary judgment against a computer hacker for insider trading. In that case, the hacker, a Ukrainian citizen, penetrated the servers of an investor relations service that was preparing a press release for IMS Health Inc. According to the SEC, the hacker discovered that IMS Health was preparing to announce negative earnings—and executed several options trades that ultimately generated $287,346 in profits. The defendant was ordered to pay a penalty of about $580,000.

—By CNBC's Eamon Javers.