

The Securities and Exchange Commission (SEC) is investigating notorious hacking group FIN4 over allegations that it has been using hacked information to profit from share trading.
To make matters even more interesting, Reuters quotes “people familiar with the matter” as saying that the SEC has approached at least eight listed companies to provide details of their data breaches.
As correctly noted by the report, approaching major financial companies for details of breaches is an unusual move.
FIN4 first came to attention back in December when FireEye, Inc. released an intelligence report that detailed how the financially motivated “threat group” had been carrying out attacks against publicly traded companies in an attempt to game the markets.
The December report details how FIN4 has serious knowledge of certain industries and their practices, and how the group has been collecting information from nearly 100 publicly traded companies and their advisory firms in an attempt to obtain insider information that would help it in trading.
John Reed Stark, former head of Internet enforcement at the SEC, told Reuters that requesting information from companies about possible breaches in connection with an insider trading probe was a first, and added: “The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading.”
The methodology used by FIN4 does enter the fiction-worthy intrigue league: the group does not use malware but instead relies heavily on highly targeted social engineering tactics and deep subject-matter expertise to deliver weaponized versions of legitimate corporate files. If that doesn’t make a lot of sense, they’re actually monitoring subjects, gaining entrance to the premises of targeted companies (both legally and illegally) to plant files and software, and finding other ways to steal the login credentials needed to access the data they’re after.
Suffice to say, these are not your typical basement-dwelling script kiddies doing it for the Lulz.
FIN4 not only knows how to get into companies to obtain data; the data it obtains is often highly specific, covering product development, M&A strategies, legal issues, and purchasing processes, all of which can be used to manipulate trades and, naturally, to make the group money.
It’s not clear from the report how long the SEC investigation has been in progress, or whether it is close to tracking down the members of FIN4.