SAN FRANCISCO — For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — the vast majority publicly traded health care or pharmaceutical companies — in apparent pursuit of information significant enough to affect global financial markets.
The group's activities, detailed in a report released Monday morning by FireEye, the Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can affect a company's stock price.
Starting in mid-2013, FireEye began responding to intrusions at publicly traded companies — two-thirds of them, it said, in the health care and pharmaceutical sector — as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services.
The attackers, whom FireEye named "Fin4" because of their focus on the financial sector, appear to be native English speakers, based in North America or Western Europe, who are well-versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ.
Different groups of victims — frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists — are sent different emails. Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee's negative comments about the executive in an investment forum.
In other cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In some incidents, the attackers have simply embedded generic investment reports in their emails.
In each case, the links or attachments redirect their victim to a fake email login page, designed to steal the victim's credentials, so that the attacker can log into and read the contents of their emails.
The Fin4 attackers maintain a light footprint. Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to crawl further and further into an organization's computer servers and infrastructure. They simply read a person's emails, and set rules for the infiltrated inboxes to automatically delete any email that contains words such as "hacked," "phished," or "malware," to increase the time before their victims learn their accounts have been compromised.
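The inbox-rule trick described above leaves an artifact defenders can audit for. The following is an added example, not code from FireEye or from this article: it scans exported mailbox rules for ones that delete mail containing the words quoted above. The record schema, action names and sample mailboxes are constructed assumptions.

```python
# Added example: audit exported mailbox rules for the hide-the-warning
# pattern described in the article. The record schema is hypothetical.

WATCH_TERMS = ("hacked", "phished", "malware")  # words quoted in the article
HIDING_ACTIONS = {"delete", "move_to_deleted_items"}  # assumed action names


def matches_watch_term(term, watch_terms=WATCH_TERMS):
    """True if a rule keyword overlaps a watch term (case-insensitive).

    Containment is checked both ways so that 'Phish' and 'malware alert'
    are both caught; very short fragments are ignored to limit noise.
    """
    t = term.strip().lower()
    if len(t) < 4:
        return False
    return any(w in t or t in w for w in watch_terms)


def flag_suspicious_rules(rules):
    """Return findings for rules that hide mail mentioning a compromise.

    Disabled rules are reported too: a switched-off rule of this shape
    is still evidence that someone had access to the mailbox.
    """
    findings = []
    for rule in rules:
        hiding = HIDING_ACTIONS.intersection(rule.get("actions", []))
        hits = [k for k in rule.get("keywords", []) if matches_watch_term(k)]
        if hiding and hits:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                             "enabled": rule.get("enabled", True),
                             "keywords": hits, "actions": sorted(hiding)})
    return findings


# Constructed sample export; no real mailbox data.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "cleanup", "enabled": True,
     "keywords": ["Hacked", "phish", "Malware"], "actions": ["delete"]},
    {"mailbox": "cfo@example.com", "name": "newsletters", "enabled": True,
     "keywords": ["unsubscribe"], "actions": ["move_to_deleted_items"]},
    {"mailbox": "counsel@example.com", "name": "digest", "enabled": True,
     "keywords": ["malware"], "actions": ["move_to_folder"]},
    {"mailbox": "rd@example.com", "name": "old", "enabled": False,
     "keywords": ["phished"], "actions": ["delete"]},
]

if __name__ == "__main__":
    for finding in flag_suspicious_rules(SAMPLE_RULES):
        print(finding)
```

On the sample data this reports the "cleanup" rule and the disabled "old" rule, and leaves the newsletter and folder-filing rules alone.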
"Given the types of people they are targeting, they don't need to go into the environment; the senior roles they target have enough juicy information in their inbox," said Jen Weedon, a FireEye threat intelligence manager. "They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits."
Because the attackers do not deploy malware, and communicate in correct English, they can be tricky to track. Ms. Weedon said FireEye first began responding to Fin4 attacks in mid-2013 but did not put together its findings until five months ago, when a few of its analysts concluded the attacks did not appear to be the work of familiar attackers in Russia or China, and warranted further investigation.
FireEye would not name the victims, citing nondisclosure agreements with its clients, but said that all but three of the affected organizations are publicly listed on the New York Stock Exchange or Nasdaq, while the others are listed on exchanges outside the United States.
Half of these companies fall into the biotechnology sector; 13 percent sell medical devices; 12 percent sell medical instruments and equipment; 10 percent manufacture drugs; and a small minority of targets include medical diagnostics and research organizations, health care providers and organizations that offer health care planning services.
FireEye said it had notified the victims, as well as the Federal Bureau of Investigation, but did not know whether other organizations like the Securities and Exchange Commission were investigating.
Representatives of the F.B.I. declined to comment. Representatives of the S.E.C. did not respond to requests for comment.
Ms. Weedon said that FireEye had not had time to assess the effects of the breaches to see whether the attackers had benefited financially.
In each case, attackers logged into their victim's email accounts using Tor, the anonymity software that routes web traffic through Internet Protocol addresses around the globe, which can make it difficult, but not impossible, to trace their origins. Last month, the F.B.I. seized dozens of criminal websites operating on the Tor network, in the largest operation of its kind.
"We don't have specific attribution but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States," Ms. Weedon said. "But it's hard because we don't have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads."
Ms. Weedon added, "If it's not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well."