Chinese traders who hacked law firms’ data hit with nearly $9 million judgement in SEC case

Thursday, May 11, 2017
Posted by: Brian Monroe

The chief regulator of the United States securities sector has won a nearly $9 million judgement against a Macau-based cyber gang for breaching prominent New York-based law firms and stealing and trading on non-public data on upcoming mergers, resulting in millions of dollars in illicit profits.

In the scheme first unveiled by federal investigators in December, Iat Hong, Bo Zheng and Chin Hung targeted seven unnamed New York law firms, eventually busting their way into two firms which provided legal and advisory services to companies in the mergers and acquisitions (M&A) space. The gang then used the law firms' stolen, non-public information to buy stock in companies targeted for mergers or acquisitions.

In a ruling released last week, the Securities and Exchange Commission (SEC) won penalties and judgements against the group totaling $8.9 million, with Southern District of New York District Judge Valerie Caproni also issuing an order freezing any assets the group has in the U.S.

The judge stated that the evidence “sufficiently demonstrates” the group “hacked into the nonpublic networks of two New York-headquartered law firms and stole, through deception, confidential information covering several publicly-traded companies” in the M&A realm.

The group then “reaped illegal profits by trading on the stolen, material nonpublic information,” according to the nine-page default judgement. The final penalty figures are so high because their actions, and the securities laws at play, allow the fines to be triple the profits the traders originally garnered.  

As a result of the insider information pilfered from the networks and servers of the two punctured law firms, the group bought shares in five publicly-traded companies before major deals between April 2014 and late 2015, eventually garnering illicit profits of $4 million, according to court documents.

Though this December attack was against a law firm, the hack was a warning to all manner of entities involved in analyzing, safeguarding or auditing non-public data – including financial institutions with business analysts and securities trading arms – that they must redouble their cyber defenses.

More broadly, hackers are increasingly painting a bullseye on the virtual defenses of law firms, attempting to gain access to what legal experts call a “treasure trove” of sensitive, material and confidential information on everything from mergers to patents and punitive lawsuits.

The concern by law firms is further acknowledgement of the ever-increasing aggressiveness of cyber attackers and the reality that the countermeasures and responses to such incursions have at times been shoddy.

Law firms, particularly smaller operations, may also be hampered by a lack of budgets, staff or expertise on the cyber front.

Law firms a tempting target of confidential, material information

Here are some examples of information hackers would find attractive at a law firm and why:

· Financial disclosures: Law firms typically review quarterly and annual reports and information on behalf of clients. This information is sensitive and secret until it is publicly released. If a hacker gets their hands on those financials, they could use it for insider trading, espionage, and blackmail. The hackers could also just sell the secret technical information directly to a competing company, or provide the information for free on the internet to harm the company.

· Litigation leak: This could be part and parcel of an annual report as well, but if hackers can get details on the status of current or upcoming litigation, either outcomes, strategies or costs, the groups can blackmail the company or sell secrets to opposing legal teams, particularly if the issues could have a material effect on the bottom line.

· Purloined patents: “A lot of companies use law firms to seek patents,” Pinson said. “But until the company obtains a patent and it’s protected, all they are are trade secrets. If someone could gain access to non-patented trade secrets, it could be a race to the patent office.” The hackers could also just sell the information directly to a company that wants to use the technology without having to pay for rights to use it or give credit to the originating company.

· Nosy negotiations: Another example would be, say, when a company is negotiating for lease rights tied to development of a natural gas field or a similar deal where multiple firms are bidding for a slice of a potentially profitable pie. If one entity can get insight into the monies available to other companies, their negotiation strategies or even some of the secret, attorney-client information a firm doesn’t want getting out, it could give a major advantage to an operation.

Attack a ‘wake-up call’ to groups holding sensitive M&A data

The group in this latest hack attack faces a 13-count indictment with charges including insider trading, computer intrusion and wire fraud. The insider trading charges alone carry 20-year sentences. The charges were brought in connection with the President’s Financial Fraud Enforcement Task Force.

Once the hackers obtained access to the law firms’ networks, they specifically parsed out and targeted the “email accounts of law firm partners who worked on high-profile M&A transactions,” according to prosecutors. “In each case, one of the two infiltrated law firms represented either the target or a contemplated or actual acquirer in the transaction.”

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” said Manhattan U.S. Attorney Preet Bharara in December.

The deals the hackers traded on included a possible acquisition of U.S.-based drug firm Intermune, a contemplated merger between technology firm Intel and circuit manufacturer Altera, and an acquisition of Borderfree Inc., an e-commerce company, by Pitney Bowes, an international business services company.

In some cases, the expected merger never happened, but other companies stepped in to purchase the target firm, or in one case, a newspaper leaked details of the possible acquisition after the hackers had already purchased shares, resulting in massive financial windfalls.

Prior to the expected buyout dates, the defendants typically bought hundreds of thousands of shares, and saw the prices surge as high as double the original purchase price, resulting in profits of more than a million dollars in one case and hundreds of thousands of dollars in others.

The gang allegedly broke into the law firm’s servers in one instance with the stolen credentials of a single employee, but then installed malware to spread their influence and control to other machines and get information on the attorneys working on the biggest buyout deals.

The hackers, who also ran a robotics business, allegedly breached the servers of several companies in the robotics space as well, to steal details about proprietary information “concerning the technology and design of consumer robotic products, including detailed and confidential proprietary design schematics.”
