BAE Systems Applied Intelligence has revealed details of a 2013 cyber attack on a large US hedge fund that caused the loss of millions of dollars. Hackers used malware to insert delays of hundreds of milliseconds into the firm’s trading algorithms, disrupting high-speed trading at the unnamed hedge fund for at least two months, and enabling them to steal sensitive trading data. Paul Henninger, global product director at BAE Systems Applied Intelligence, told CNBC that the hack was one of the most complex that he’d seen.
The attack on the hedge fund is one of a growing number that seek to profit by attacking and exploiting business processes, rather than by sabotaging systems, stealing intellectual property, or targeting data such as credit card records.
Bloomberg reports that this attack is only one of many similar hacks, and that ‘computer networks at dozens of banks, hedge funds, law firms and other Wall Street companies have been infiltrated by hackers mainly from Eastern European countries’.
CNBC notes that the ‘new wave of attacks includes other assaults on hedge funds seemingly designed to uncover their trading strategies, and implies the existence of cybercriminals with the technical savvy to attack highly secure computer networks and, at the same time, the financial and market savvy to replicate intricate high-speed trading strategies.’
The economic implications of such cyber crimes are hard to ignore. Cyber criminals with the technical ability to attack such secure systems and the financial knowledge to make use of the information are relatively scarce, but the potential for disruption is obvious: with global banking reliant on electronic systems, the havoc that could be caused is immense.
According to BAE, this particular attack began with a spear phishing email. Targeted traders opened apparently legitimate communications which contained malicious links, and inadvertently allowed malware to spread.
This demonstrates once again that for all the secure systems and software you have in place, your organisation will still be at risk if you fail to take into account the potential for human error. Effective information security must cover people, process and technology. Staff awareness training is essential to ensure that your employees remain aware of the risks you face, and that your organisation is adequately protected from attack.
IT Governance provides a wide range of training and staff awareness courses. See our information pages for further details.