On February 14, 2023, a Russian national and owner of Moscow cybersecurity firm M-13 was found guilty of wire fraud, securities fraud and conspiracy to obtain unauthorized access to computers.

Vladislav Klyushin was charged along with four other men — Ivan Yermakov, Nikolai Rumiantcev, Mikhail Irzak and Igor Sladkov. However, Klyushin was the only one arrested and extradited to the United States, while the others remain at large.

The Kremlin-connected businessman’s scheme focused on insider trading. By obtaining and using information not known to the general public, it’s estimated that Klyushin and his co-conspirators made more than $80 million.

But how exactly did this happen? How did the group break digital locks to capture critical information and gain a stock market advantage? Here’s a look at how malicious actors started insider trading, and what it means for organizations.

How did threat actors make this happen?

This insider attack effort began in 2018 when authorities say Ivan Yermakov — an employee of M-13 and a Russian intelligence agent charged with interfering in the 2016 U.S. election — hacked into the computer systems of two vendors used by large companies to file reports with the Securities and Exchange Commission (SEC).

Using the information in reports not yet available to the public, Klyushin and his associates made stock purchases that generated ongoing revenue and minimized potential losses. For example, if quarterly reports showed an uptick in corporate profitability, malicious actors bought stock at a lower price and reaped the benefits as share prices increased once reports went public. This information also helped them avoid the natural downturns that come with stock market investing. If annual reports highlighted revenue loss leading to staff cuts, attackers could cut their losses by selling early at higher prices.

The group placed trades for themselves and also placed similar trades on behalf of clients, taking a cut of the profits.

What do these insider issues mean for organizations?

For organizations, this insider attack highlights three critical issues: third-party risk, financial damage and the misuse of specialized knowledge.

Third-party risk

The insider trading group didn’t go after corporate systems to obtain internal data. Instead, they targeted trusted third parties used by organizations to help complete and file quarterly and annual reports. What’s more, they didn’t take this data to destroy or sell it. Instead, they used it to generate returns on publicly traded markets.

This creates a new concern for businesses, where multiple degrees of separation exist between stolen data and significant outcomes. Consider a scenario where attackers breach an SEC-filing organization while avoiding detection. Malicious actors could spend months quietly viewing quarterly and annual reports, then using that data to generate steady gains in the stock market. If attackers are careful, they could make it seem as though these transactions were merely smart investment strategies rather than the result of stolen data.

Financial damage

While low-volume, individual stock trades using insider knowledge pose minimal risk to organizations, larger-scale efforts could have serious financial consequences.

Consider a company reporting a less-than-stellar fourth quarter to the SEC. If attackers compromise this information and use it to inform trades worth millions or tens of millions, the resulting panic and share sell-off could cause stock prices to artificially plummet ahead of revenue announcements. Once SEC reports are published, stocks may sink even further as worries about the company’s financial state intensify.

In the best-case scenario, enterprises see their stock value suddenly drop and then slowly climb back toward the mean. In the worst-case scenario, sudden sell-offs could lead to staff cuts, reputation damage and even business closure.

Specialized knowledge

There’s also an additional concern around the use of specialized knowledge to empower these attacks.

Klyushin and his accomplices weren’t simply criminals. They were criminals with in-depth cybersecurity knowledge thanks to their work in the IT security sector. This experience gave them both specialized knowledge and a greater understanding of standard security policies. For example, they were familiar with the policies typically used to govern relationships with third parties. Equipped with this knowledge, the attackers were better able to circumvent detection tools and access data unnoticed.

Where can companies improve protective processes?

When it comes to improving defense against potential insider trading, it all starts and ends with third parties. A three-pronged approach can help reduce total risk.

First, companies need to vet both current and prospective vendors and partners. This vetting includes an assessment of existing security controls and policies, an examination of any past breaches and their causes, and the creation of service-level agreements that lay out vendor and client responsibilities in the event of a breach.

Next is threat assessment: understanding where current vendor policies and frameworks may put companies at risk. For example, organizations must ensure that data at rest, in transit and in use is effectively encrypted. Otherwise, they may open themselves up to potential compromise. Partner security practices also play a role in this assessment. Do vendor staff have the training to recognize and respond to potential threat vectors?

Finally, companies must deploy tools capable of monitoring security risk at all points along the digital value chain. This approach provides the visibility needed to identify potential threats and take action before a compromise occurs.
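One concrete form the monitoring step can take is on the vendor side: an audit-log check that flags reads of not-yet-published filings that fall outside an account's normal assignment, happen off hours, or sweep across many issuers in a day, which is the pattern of quiet, months-long viewing described earlier. This is an added example, not code from the original article or from any filing vendor; the log format, the field names, the issuer assignment table, the business-hours window and the threshold are all assumptions, and the log lines are constructed.

```python
"""Hypothetical audit-log review for a filing platform (added example).

Assumptions: each audit line is 'timestamp|user|action|issuer|status|src_ip',
status is 'draft' (not yet public) or 'filed' (public), and each user is
assigned to a known set of issuers. All of this is invented for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one service account reads four issuers' drafts at night,
# one analyst reads a draft for an issuer outside their assignment.
SAMPLE_LOG = """\
2023-01-09T09:12:01|alice|view|ACME|draft|10.1.4.20
2023-01-09T09:15:44|alice|edit|ACME|draft|10.1.4.20
2023-01-09T10:02:13|bob|view|GLOBEX|draft|10.1.4.31
2023-01-09T11:20:30|bob|view|INITECH|draft|10.1.4.31
2023-01-09T22:41:05|svc_backup|view|ACME|draft|198.51.100.7
2023-01-09T22:42:17|svc_backup|view|GLOBEX|draft|198.51.100.7
2023-01-09T22:43:02|svc_backup|view|INITECH|draft|198.51.100.7
2023-01-09T22:44:50|svc_backup|view|HOOLI|draft|198.51.100.7
2023-01-10T08:30:00|carol|view|INITECH|filed|10.1.4.45
"""

# Assumed access model: which issuers each account is expected to service.
ASSIGNMENTS = {"alice": {"ACME"}, "bob": {"GLOBEX"}, "carol": {"INITECH"}}
BUSINESS_HOURS = range(7, 20)      # assumed local working window
DISTINCT_ISSUER_THRESHOLD = 3      # draft reads across this many issuers/day is unusual


def parse_log(text):
    """Turn the pipe-delimited audit text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, issuer, status, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "issuer": issuer, "status": status, "ip": ip})
    return events


def detect(events, assignments=ASSIGNMENTS):
    """Return a list of findings; each is {'rule', 'user', 'issuer(s)', 'when'}."""
    findings = []
    issuers_per_user_day = defaultdict(set)
    for e in events:
        if e["status"] != "draft":
            continue  # published filings are public; only pre-publication reads matter
        issuers_per_user_day[(e["user"], e["ts"].date())].add(e["issuer"])
        if e["issuer"] not in assignments.get(e["user"], set()):
            findings.append({"rule": "unassigned_issuer", "user": e["user"],
                             "issuers": [e["issuer"]], "when": e["ts"].isoformat()})
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append({"rule": "off_hours_draft_access", "user": e["user"],
                             "issuers": [e["issuer"]], "when": e["ts"].isoformat()})
    for (user, day), issuers in issuers_per_user_day.items():
        if len(issuers) >= DISTINCT_ISSUER_THRESHOLD:
            findings.append({"rule": "broad_draft_browsing", "user": user,
                             "issuers": sorted(issuers), "when": day.isoformat()})
    return findings


def summarize(findings):
    """Collapse findings to rule -> sorted list of distinct users, for triage."""
    by_rule = defaultdict(set)
    for f in findings:
        by_rule[f["rule"]].add(f["user"])
    return {rule: sorted(users) for rule, users in by_rule.items()}


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f["rule"], f["user"], ",".join(f["issuers"]), f["when"])
```

The three rules are deliberately cheap to run over a nightly export; the point is that a filing vendor's own audit trail already carries enough signal to notice an account quietly reading other companies' unpublished reports, provided someone keeps an assignment baseline and actually reviews the exceptions.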

Brokering bad

By stealing data and acting as brokers for bad-faith actors, Russian threat actors were able to not only compromise the financial data of large enterprises but leverage this information to line their pockets and those of their associates.

This move away from more traditional smash-and-grab tactics speaks to an evolving threat landscape, one that focuses on quietly leveraging stolen data rather than trying to sell it for profit or hold it for ransom.

The result is a renewed need for corporate focus on third-party protection: Better vendor evaluations, improved threat assessments and increased visibility of third-party services can help companies close the door on insider trading.
