Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

1/16/2019
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Justice Department Indicts 2 Ukrainian Nationals With Hacking SEC

The Justice Department has charged two Ukrainian nationals with hacking into the SEC's EDGAR systems and accessing sensitive company reports and other data before the information was made public.

The US Justice Department has indicted two Ukrainian nationals with attacking the computer networks of the Securities and Exchange Commission (SEC) and accessing thousands of sensitive company documents, and then selling that data to others or trading on this insider information.

The two men, Artem Radchenko, 27, and Oleksandr Ieremenko, 26, who both live in Kiev, face a slew of charges stemming from the 16-count indictment, including securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud and computer fraud, according to the Justice Department. The two remain at large.

Together, the two used a series of cyberattacks to target the SEC's Electronic Data Gathering, Analysis and Retrieval system, which is also known as EDGAR. This database contains thousands of sensitive corporate documents, including quarterly and annual earnings reports, as well as other data such as disclosures for companies considering an initial public offering (IPO).

(Source: SEC)
(Source: SEC)

Specifically, between February 2016 to March 2017, Radchenko and Ieremenko, as well as other individuals not named in the indictment, targeted what is called test filings within the EDGAR system. These tests allow companies to preview what disclosures will be released, but they also contain much of the same information that is found in the public version of the documents.

It's these test filings documents that were stolen. That data was then sold to others or used to conduct stock trades using financial information that was not available to the general public.

To gain access to the SEC and EDGAR, Radchenko and Ieremenko used a number of different techniques and cyberattacks to penetrate the IT systems, including phishing attacks, malware planted on servers and directory traversal attacks, which involve accessing the restricted directories of a web server's root directory and then executing commands within the server. This then allows the attacker to access restricted files, where sensitive data is stored.

Once the information was stolen, the data was used to make a series of stock trades based on the test documents. For example, on May 19, 2016, a publicly traded company uploaded information to the EDGAR database at 3:32 p.m. Eastern time. About six minutes later, that report was stolen and uploaded to a server in Lithuania. In a few minutes, about $2.4 million shares of the company were bought and the company then announced record earnings the same day at 4:02 p.m.

The next day, the stock purchased with stolen data was sold for a profit of more than $270,000, according to the Justice Department.

"The defendants charged in the indictment announced today engaged in a sophisticated hacking and insider trading scheme to cheat the securities markets and the investing public," Craig Carpenito, the US Attorney for New Jersey, wrote in a January 15 statement.

In 2017, Ieremenko was previously indicted, along with several others, with stealing press releases and other statements that contained confidential and non-public financial information from the servers of newswire companies. Again, the people involved profited from buying and selling stock based on these details.

Of the new charges filed against Radchenko and Ieremenko this week, the most serious are the wire fraud conspiracy and substantive wire fraud counts, which carry a maximum penalty of 20 years in federal prison and a $250,000 maximum fine.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37759
PUBLISHED: 2021-07-31
A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
CVE-2021-37760
PUBLISHED: 2021-07-31
A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
CVE-2020-26564
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFil...
CVE-2020-26565
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
CVE-2020-26806
PUBLISHED: 2021-07-31
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.