Computer hackers taking aim at insider information at health care companies

A surgically precise e-mail hacking effort is targeting health care companies in an effort to steal corporate secrets for insider stock trading.

While the hacking techniques are relatively common, experts at FireEye, the Silicon Valley IT security firm that revealed the hacking group Monday, were surprised by the attackers' business savvy and sustained attention on specific targets. The focus allowed them to breach e-mail accounts of top executives, lawyers, bankers, consultants and investor-relations departments at more than 100 large companies, which were not named.

Medical device firms and pharmaceutical makers are being targeted because they're prone to large stock swings from disclosures like announcements of potential mergers, product approvals and clinical trial results. Nearly 70 percent of the companies in the report were publicly traded health care companies, and more than a quarter of them make medical devices and equipment.

Such precise targeting of individuals with financial information separated this group of hackers from others who might be interested in stealing national secrets or causing general havoc.

So far, no trades of stock have been linked to information stolen from executives' e-mails by FIN4. FireEye said it has informed the FBI about the attacks it has detected.

"Given that this group is so tailored in its approach, and they seem very knowledgeable about how the markets work, to us [insider trading] was the only plausible explanation for what we were seeing," said Jen Weedon, manager of threat intelligence for FireEye, which dubbed the hacking group FIN4.

FireEye is an influential cybersecurity firm that counts more than 150 of the Fortune 500 as clients. In January it paid $1 billion to buy computer-forensics company Mandiant.

The attacks are not related to the cybersecurity of implantable insulin pumps or other medical devices, and they don't involve infecting computers with malicious code, as has happened at retail chains and hospitals in recent months. Rather, the vulnerability being exploited is human — specifically, the inability of computer users to tell a legitimate password prompt from a fake one.

Like all "phishing" attacks, FIN4's targets are tricked into entering their e-mail addresses and passwords into computer windows designed to look legitimate. In reality, the password requests are fake, and the information entered by the target CEO, banker or lawyer is sent directly to a computer controlled by the attackers. The hacker can then disguise his or her identity using the popular Tor software to browse the target's e-mail, and even reply. One hallmark of a FIN4 attack is the ability of a hacker to slide into conversation undetected.

In some cases, the attacker will take control of an e-mail account and then respond to a group conversation in the same tone and language as the victim. The hacker will then attach an official document stolen from past e-mails and send it to the group, but the document has been infected to cause the phishing prompt to appear on others' screens when they open the file. Often the original victim's computer will have been modified to automatically delete e-mails that contain words like "hacked."

In one case highlighted by FireEye, attackers were able to simultaneously hack e-mail accounts at five different companies all involved in a merger that wasn't announced for months.

Guarding against such intrusions is difficult even if users follow all the right steps, like not clicking on an unexpected e-mail attachment or link, said Brian Isle, former CEO of Minneapolis cybersecurity firm Adventium Labs.

Joe Carlson • 612-673-4779