Criminals have successfully attacked a hedge fund, delaying trades and stealing profitable secrets in a rare direct raid on the financial services sector, according to BAE Systems Applied Intelligence.
clever hack cost the unnamed US-based hedge fund millions of dollars
over two months, the firm alleges. Attackers apparently lifted
information on complex and high speed trades from the firm, then sent
the details to external servers using malware which implanted on the
The identity of the attackers is unknown, BAE product director Paul Henninger told CNBC, but the stolen data could be immensely profitable for smaller hedge firms looking for a leg up into the market.
assumption of espionage was given further weight because attackers
added slight delays to the time between the issuance and execution of
the victim's trades - a feat which lead to the discovery of the attacks
but may have provided a rival firm with a trading advantage.
Henninger said the attack occurred in January last year and was escalated to the company board.
was something that was getting reviewed at the board level of this
hedge fund precisely because it was having a material impact on
performance across the portfolio," Henninger said.
began with a successful spear phishing email against a staffer from
where malware was deployed to gain a foothold in the company.
did not know if the hack was reported to the Securities and Exchange
Commission or FBI and noted that the fund would have little incentive to
Attacks against hedge funds don't often make it onto the public record. In 2011, Cyber Engineering Services founder Joe Drissel tipped off one hedge fund that it was compromised after he discovered its stolen data on a hacked server.
The unnamed company, which initially laughed off the disclosure, later disconnected its entire enterprise network when Drissel sent its IT manager a copy of a stolen file.
Attackers had installed three trojans on the victims' machines which were undetected by anti-virus.
Security bods have since reported phishing emails targeted towards hedge funds that lured victims to open malicious documents purportedly discussing carried interest fees.