April 5, 2023 By Douglas Bonderud 4 min read

On February 14, 2023, a Russian national and owner of Moscow cybersecurity firm M-13 was found guilty of wire fraud, securities fraud and conspiracy to obtain unauthorized access to computers.

Vladislav Klyushin was charged along with four other men — Ivan Yermakov, Nikolai Rumiantcev, Mikhail Irzak and Igor Sladkov. However, Klyushin was the only one arrested and extradited to the United States, while the others remain at large.

The Kremlin-connected businessman’s scheme focused on insider trading. By obtaining and using information not known to the general public, it’s estimated that Klyushin and his co-conspirators made more than $80 million.

But how exactly did this happen? How did the group break digital locks to capture critical information and gain a stock market advantage? Here’s a look at how malicious actors started insider trading, and what it means for organizations.

How did threat actors make this happen?

This insider attack effort began in 2018 when authorities say Ivan Yermakov — an employee of M-13 and a Russian intelligence agent charged with interfering in the 2016 U.S. election — hacked into the computer systems of two vendors used by large companies to file reports with the Securities and Exchange Commission (SEC).

Using the information in reports not yet available to the public, Klyushin and his associates made stock purchases that generated ongoing revenue and minimized potential losses. For example, if quarterly reports showed an uptick in corporate profitability, malicious actors bought stock at a lower price and reaped the benefits as share prices increased once reports went public. This information also helped them avoid the natural downturns that come with stock market investing. If annual reports highlighted revenue loss leading to staff cuts, attackers could cut their losses by selling early at higher prices.

The group placed trades for themselves and also placed similar trades on behalf of clients, taking a cut of those clients' profits.

What do these insider issues mean for organizations?

For organizations, this insider attack highlights three critical issues: Third-party risk, financial damage and the misuse of specialized knowledge.

Third-party risk

The insider trading group didn’t go after corporate systems to obtain internal data. Instead, they targeted trusted third parties used by organizations to help complete and file quarterly and annual reports. What’s more, they didn’t take this data to destroy or sell it. Instead, they used it to generate returns on publicly traded markets.

This creates a new concern for businesses, where multiple degrees of separation exist between stolen data and significant outcomes. Consider a scenario where attackers breach an SEC-filing organization while avoiding detection. Malicious actors could spend months quietly viewing quarterly and annual reports, then using that data to generate steady gains in the stock market. If attackers are careful, they could make it seem as though these transactions were merely smart investment strategies rather than the result of stolen data.

Financial damage

While low-volume, individual stock trades using insider knowledge pose minimal risk to organizations, larger-scale efforts could have serious financial consequences.

Consider a company reporting a less-than-stellar fourth quarter to the SEC. If attackers compromise this information and use it to inform trades worth millions or tens of millions, the resulting panic and share sell-off could cause stock prices to artificially plummet ahead of revenue announcements. Once SEC reports are published, stocks may sink even further as worries about the company’s financial state intensify.

In the best-case scenario, enterprises see their stock value suddenly drop and then slowly climb back toward the mean. In the worst-case scenario, sudden sell-offs could lead to staff cuts, reputation damage and even business closure.

Specialized knowledge

There’s also an additional concern around the use of specialized knowledge to empower these attacks.

Klyushin and his accomplices weren’t simply criminals. They were criminals with in-depth cybersecurity knowledge thanks to their work in the IT security sector. This experience gave them both specialized technical skills and a greater understanding of standard security policies, including the policies typically used to govern relationships with third parties. Equipped with this knowledge, the attackers were better able to circumvent detection tools and access data unnoticed.

Where can companies improve protective processes?

When it comes to improving defense against potential insider trading, it all starts and ends with third parties. A three-pronged approach can help reduce total risk.

First, companies need to vet both current and prospective vendors and partners. This vetting includes an assessment of existing security controls and policies, an examination of any past breaches and their causes, and the creation of service-level agreements that lay out vendor and client responsibilities in the event of a breach.

Next is threat assessment: Understanding where current vendor policies and frameworks may put companies at risk. For example, organizations must ensure that data at rest, in transit and in use is effectively encrypted. Otherwise, they may open themselves up to potential compromise. Partner security practices also play a role in this assessment. Do vendor staff have the training to recognize and respond to potential threat vectors?

Finally, companies must deploy tools capable of monitoring security risk at all points along the digital value chain. This approach provides the visibility needed to identify potential threats and take action before a compromise occurs.

Brokering bad

By stealing data and acting as brokers for bad-faith actors, Russian threat actors were able not only to compromise the financial data of large enterprises but also to leverage this information to line their pockets and those of their associates.

This move away from more traditional smash-and-grab tactics speaks to an evolving threat landscape, one that focuses on quietly leveraging stolen data rather than trying to sell it for profit or hold it for ransom.

The result is a renewed need for corporate focus on third-party protection: Better vendor evaluations, improved threat assessments and increased visibility of third-party services can help companies close the door on insider trading.
