On February 14, 2023, a Russian national and owner of Moscow cybersecurity firm M-13 was found guilty of wire fraud, securities fraud and conspiracy to obtain unauthorized access to computers.
Vladislav Klyushin was charged along with four other men — Ivan Yermakov, Nikolai Rumiantcev, Mikhail Irzak and Igor Sladkov. However, Klyushin was the only one arrested and extradited to the United States, while the others remain at large.
The Kremlin-connected businessman’s scheme focused on insider trading. By obtaining and using information not known to the general public, it’s estimated that Klyushin and his co-conspirators made more than $80 million.
But how exactly did this happen? How did the group break digital locks to capture critical information and gain a stock market advantage? Here’s a look at how malicious actors started insider trading, and what it means for organizations.
How did threat actors make this happen?
This insider attack effort began in 2018 when authorities say Ivan Yermakov — an employee of M-13 and a Russian intelligence agent charged with interfering in the 2016 U.S. election — hacked into the computer systems of two vendors used by large companies to file reports with the Securities and Exchange Commission (SEC).
Using the information in reports not yet available to the public, Klyushin and his associates made stock purchases that generated ongoing revenue and minimized potential losses. For example, if quarterly reports showed an uptick in corporate profitability, malicious actors bought stock at a lower price and reaped the benefits as share prices increased once reports went public. This information also helped them avoid the natural downturns that come with stock market investing. If annual reports highlighted revenue loss leading to staff cuts, attackers could cut their losses by selling early at higher prices.
The group placed trades both for themselves and took a cut of the profits to place similar trades for clients.
What do these insider issues mean for organizations?
For organizations, this insider attack highlights three critical issues: Third-party risk, financial damage and the misuse of specialized knowledge.
The insider trading group didn’t go after corporate systems to obtain internal data. Instead, they targeted trusted third parties used by organizations to help complete and file quarterly and annual reports. What’s more, they didn’t take this data to destroy or sell it. Instead, they used it to generate returns on publicly traded markets.
This creates a new concern for businesses, where multiple degrees of separation exist between stolen data and significant outcomes. Consider a scenario where attackers breach an SEC-filing organization while avoiding detection. Malicious actors could spend months quietly viewing quarterly and annual reports, then using that data to generate steady gains in the stock market. If attackers are careful, they could make it seem as though these transactions were merely smart investment strategies rather than the result of stolen data.
While low-volume, individual stock trades using insider knowledge pose minimal risk to organizations, larger-scale efforts could have serious financial consequences.
Consider a company reporting a less-than-stellar fourth quarter to the SEC. If attackers compromise this information and use it to inform trades worth millions or tens of millions, the resulting panic and share sell-off could cause stock prices to artificially plummet ahead of revenue announcements. Once SEC reports are published, stocks may sink even further as worries about the company’s financial state intensify.
In the best-case scenario, enterprises see their stock value suddenly drop and then slowly climb back toward the mean. In the worst-case scenario, sudden sell-offs could lead to staff cuts, reputation damage and even business closure.
There’s also an additional concern around the use of specialized knowledge to empower these attacks.
Klyushin and his accomplices weren’t simply criminals. They were criminals with in-depth cybersecurity knowledge thanks to their work in the IT security sector. This experience gave them access to both specialized knowledge and a greater understanding of standard security policies. For example, they could access those used to govern relationships with third parties. Equipped with this information, attackers were better able to circumvent detection tools and access data unnoticed.
Where can companies improve protective processes?
When it comes to improving defense against potential insider trading, it all starts and ends with third parties. A three-pronged approach can help reduce total risk.
First, companies need to vet both current and prospective vendors and partners. This vetting includes an assessment of existing security controls and policies, an examination of any past breaches and their cause and the creation of service-level agreements that lay out vendor and client responsibilities in the event of a breach.
Next is threat assessment: Understanding where current vendor policies and frameworks may put companies at risk. For example, organizations must ensure that data at rest, in transit and in use is effectively encrypted. Otherwise, they may open themselves up to potential compromise. Partner security practices also play a role in this assessment. Do vendor staff have the training to recognize and respond to potential threat vectors?
Finally, companies must deploy tools capable of monitoring security risk at all points along the digital value chain. This approach provides the visibility needed to identify potential threats and take action before a compromise occurs.
By stealing data and acting as brokers for bad-faith actors, Russian threat actors were able to not only compromise the financial data of large enterprises but leverage this information to line their pockets and those of their associates.
This move away from more traditional smash-and-grab tactics speaks to an evolving threat landscape, one that focuses on quietly leveraging stolen data rather than trying to sell it for profit or hold it for ransom.
The result is a renewed need for corporate focus on third-party protection: Better vendor evaluations, improved threat assessments and increased visibility of third-party services can help companies close the door on insider trading.