April 5, 2023 By Douglas Bonderud 4 min read

On February 14, 2023, a Russian national and owner of Moscow cybersecurity firm M-13 was found guilty of wire fraud, securities fraud and conspiracy to obtain unauthorized access to computers.

Vladislav Klyushin was charged along with four other men — Ivan Yermakov, Nikolai Rumiantcev, Mikhail Irzak and Igor Sladkov. However, Klyushin was the only one arrested and extradited to the United States, while the others remain at large.

The Kremlin-connected businessman’s scheme focused on insider trading. By obtaining and using information not known to the general public, it’s estimated that Klyushin and his co-conspirators made more than $80 million.

But how exactly did this happen? How did the group break digital locks to capture critical information and gain a stock market advantage? Here’s a look at how malicious actors started insider trading, and what it means for organizations.

How did threat actors make this happen?

This insider attack effort began in 2018 when authorities say Ivan Yermakov — an employee of M-13 and a Russian intelligence agent charged with interfering in the 2016 U.S. election — hacked into the computer systems of two vendors used by large companies to file reports with the Securities and Exchange Commission (SEC).

Using the information in reports not yet available to the public, Klyushin and his associates made stock purchases that generated ongoing revenue and minimized potential losses. For example, if quarterly reports showed an uptick in corporate profitability, malicious actors bought stock at a lower price and reaped the benefits as share prices increased once reports went public. This information also helped them avoid the natural downturns that come with stock market investing. If annual reports highlighted revenue loss leading to staff cuts, attackers could cut their losses by selling early at higher prices.

The group placed trades for themselves and also placed similar trades on behalf of clients, taking a cut of the profits.

What do these insider issues mean for organizations?

For organizations, this insider attack highlights three critical issues: Third-party risk, financial damage and the misuse of specialized knowledge.

Third-party risk

The insider trading group didn’t go after corporate systems to obtain internal data. Instead, they targeted trusted third parties used by organizations to help complete and file quarterly and annual reports. What’s more, they didn’t take this data to destroy or sell it. Instead, they used it to generate returns on publicly traded markets.

This creates a new concern for businesses, where multiple degrees of separation exist between the stolen data and its significant outcomes. Consider a scenario where attackers breach an SEC-filing organization while avoiding detection. Malicious actors could spend months quietly viewing quarterly and annual reports, then use that data to generate steady gains in the stock market. If attackers are careful, they could make it seem as though these transactions were merely smart investment strategies rather than the result of stolen data.

Financial damage

While low-volume, individual stock trades using insider knowledge pose minimal risk to organizations, larger-scale efforts could have serious financial consequences.

Consider a company reporting a less-than-stellar fourth quarter to the SEC. If attackers compromise this information and use it to inform trades worth millions or tens of millions, the resulting panic and share sell-off could cause stock prices to artificially plummet ahead of revenue announcements. Once SEC reports are published, stocks may sink even further as worries about the company’s financial state intensify.

In the best-case scenario, enterprises see their stock value suddenly drop and then slowly climb back toward the mean. In the worst-case scenario, sudden sell-offs could lead to staff cuts, reputation damage and even business closure.

Specialized knowledge

There’s also an additional concern around the use of specialized knowledge to empower these attacks.

Klyushin and his accomplices weren’t simply criminals. They were criminals with in-depth cybersecurity knowledge thanks to their work in the IT security sector. This experience gave them both specialized knowledge and a greater understanding of standard security policies, including, for example, the policies used to govern relationships with third parties. Equipped with this information, attackers were better able to circumvent detection tools and access data unnoticed.

Where can companies improve protective processes?

When it comes to improving defense against potential insider trading, it all starts and ends with third parties. A three-pronged approach can help reduce total risk.

First, companies need to vet both current and prospective vendors and partners. This vetting includes an assessment of existing security controls and policies, an examination of any past breaches and their causes, and the creation of service-level agreements that lay out vendor and client responsibilities in the event of a breach.

Next is threat assessment: Understanding where current vendor policies and frameworks may put companies at risk. For example, organizations must ensure that data at rest, in transit and in use is effectively encrypted. Otherwise, they may open themselves up to potential compromise. Partner security practices also play a role in this assessment. Do vendor staff have the training to recognize and respond to potential threat vectors?

Finally, companies must deploy tools capable of monitoring security risk at all points along the digital value chain. This approach provides the visibility needed to identify potential threats and take action before a compromise occurs.

Brokering bad

By stealing data and acting as brokers for bad-faith actors, Russian threat actors were able to not only compromise the financial data of large enterprises but leverage this information to line their pockets and those of their associates.

This move away from more traditional smash-and-grab tactics speaks to an evolving threat landscape, one that focuses on quietly leveraging stolen data rather than trying to sell it for profit or hold it for ransom.

The result is a renewed need for corporate focus on third-party protection: Better vendor evaluations, improved threat assessments and increased visibility of third-party services can help companies close the door on insider trading.
