For about two years, US hedge funds have been under stealthy attacks from cyber-criminals intent on intercepting trading strategies in order to profit from front-running and other illicit maneuvers, cyber-security experts say.
That hidden cyber-crime trend was highlighted Thursday when an unnamed US-based hedge fund was reported to have been hacked and its stream of high-speed trade data intercepted by cyber-criminals. They, in turn, apparently used the data to make their own trades first, according to a British cyber-security company.
The criminals inserted malware onto the hedge fund trading system platform that in turn caused an almost imperceptible microsecond or two delay to each of the speedy trades – enough to allow the criminals to do their own trading ahead of the company, BAE Systems Applied Intelligence experts said.
"It's pretty amazing," Paul Henninger, global product director at BAE Systems, told CNBC, which first reported the attack. "The level of business sophistication involved as opposed to technical sophistication involved was something we had not seen before."
The just-disclosed hedge fund attack started in late 2013 with hackers sending a "spear phishing" e-mail that, once opened, installed malware onto the hedge fund's servers, BAE Systems officials said. The spear phishing e-mails appeared related to developments in the capital markets industry.
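The BAE description above amounts to a measurable symptom: every order leaves the platform a microsecond or two later than it used to. A fund that records its own order round-trip latency can watch for exactly that kind of sustained shift. The following is an added illustration written for this page, not code from BAE Systems, the affected fund, or the article; the latency samples are constructed, and the thresholds (a 1 µs minimum shift and a z-score of 4) are assumptions to be tuned against a real baseline.

```python
# Added example (not from the article): flag a sustained per-order latency shift
# against a baseline profile, the kind of change the reported malware introduced.
from math import inf, sqrt
from statistics import mean, pstdev

# Constructed sample: order round-trip latencies in microseconds captured by the
# fund's own gateway on an ordinary day. Values are invented for illustration.
BASELINE_US = [50.0, 50.4, 49.6, 50.2, 49.8, 50.1, 49.9, 50.3, 49.7, 50.0]

# Constructed stream: ten clean orders followed by ten orders that are each
# about 2 us slower, mimicking an injected delay on every trade.
CLEAN_US = [50.1, 49.9, 50.2, 49.8, 50.0] * 2
STREAM_US = CLEAN_US + [x + 2.0 for x in CLEAN_US]


def baseline_profile(latencies_us):
    """Mean and population standard deviation of the baseline sample."""
    return mean(latencies_us), pstdev(latencies_us)


def detect_latency_shift(baseline_us, recent_us, min_shift_us=1.0, z_threshold=4.0):
    """Compare a recent window of latencies against the baseline.

    Returns (flagged, shift_us, z): shift_us is the rise in mean latency and z is
    that rise measured in standard errors of the window mean. Both thresholds
    must be exceeded: the z-score stops a handful of noisy orders from alerting,
    and the absolute minimum stops a statistically significant but operationally
    meaningless drift of a fraction of a microsecond from alerting.
    """
    mu, sigma = baseline_profile(baseline_us)
    shift = mean(recent_us) - mu
    se = sigma / sqrt(len(recent_us))  # standard error of the window mean
    if se == 0:
        z = inf if shift > 0 else 0.0
    else:
        z = shift / se
    flagged = bool(shift >= min_shift_us and z >= z_threshold)
    return flagged, shift, z


def scan_stream(latencies_us, baseline_us, window=5, **thresholds):
    """Slide a non-overlapping window across a latency stream and return the
    start index of every window that shows a sustained shift."""
    hits = []
    for start in range(0, len(latencies_us) - window + 1, window):
        flagged, _, _ = detect_latency_shift(
            baseline_us, latencies_us[start:start + window], **thresholds)
        if flagged:
            hits.append(start)
    return hits


if __name__ == "__main__":
    for start in scan_stream(STREAM_US, BASELINE_US):
        _, shift, z = detect_latency_shift(BASELINE_US, STREAM_US[start:start + 5])
        print(f"orders {start}-{start + 4}: mean latency up {shift:.2f} us (z={z:.1f})")
```

A hit from this check is a lead, not a verdict: network maintenance, a venue-side change, or a new release of the trading stack all move latency too, so the alert is only useful when it is compared against the fund's change records and the gateway host is then examined for unexpected software. The point is that the signal the article describes is small but systematic, which is what a baseline-and-window comparison is good at surfacing.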
But even if the attack BAE disclosed was unusual in its sophistication, it was just one of many cases, part of a wave of largely unseen cyber-attacks targeting hedge funds over the past two years, say cyber-security experts.
Officials at eSentire, an Ontario-based cyber-security firm that specializes in securing US hedge funds, private equity firms, and other boutique financial companies, say they have seen phishing attacks directed at hedge funds roughly double between February 2013 and January 2014.
Aside from ongoing daily attacks against the company's hedge fund clients, Eldon Sprickerhoff, chief security strategist for eSentire, says he has personally seen “en masse attacks against 20 hedge funds [in the top 50] at once.” The criminals are using social media, every public resource, to figure out whom to hit next, he says. [Editors' Note: Mr. Sprickerhoff's comment has been modified to clarify what he intended to say about hedge fund attacks.]
So-called “watering hole” attacks, which involve planting malware on hedge fund law blogs and back-office sites used by hedge fund workers, are another key means of gaining a foothold on hedge fund networks, he says. Those clicking on the law blog to find out the most recent legal or regulatory information are unwittingly depositing malware on their network.
Others suggest the cyber-crime surge on hedge funds has a longer history.
“We’ve seen an uptick in cyber-criminals targeting their attacks on hedge funds for about two years now,” says Tom Kellerman, chief cyber-security officer for Trend Micro. “This high frequency trading scheme is unique and sophisticated. But most are less sophisticated attacks with the goal of infiltrating e-mail, secure messaging and smart phones.”
His estimate of two years is based, in part, on meetings with hedge fund officials over the past three years. Based on that anecdotal information, he estimates perhaps 25 percent of major hedge funds have adequate cyber-security protection. The rest are “low-hanging fruit for cyber-criminals to pursue.”
A key reason is that hedge funds tend to be smaller financial organizations that may not have security personnel on staff – and may also feel they are too small, or their operations too obscure and hidden, to attract the attention of cyber-criminals, Mr. Kellerman and others say. In fact, it may make them more of a target since it’s vulnerability, not size, that matters most to the criminals.
Hedge funds are big business packaged in the form of a bunch of small firms. In a July report to Congress, the SEC reported there were 6,683 hedge funds with more than $4 trillion in assets. Approximately 4,000 hedge fund advisers are now registered with the SEC.
Despite that industry size, many modest-sized hedge funds with perhaps a few billion in assets have experienced torrid growth, yet haven’t boosted cyber-security since they were startups operating from a spare bedroom, experts say.
“Major financial institutions have definitely ramped up cyber-security to fight off eastern European cyber-crime groups,” Mr. Kellerman says. “But many of these smaller hedge funds have not done the same. So now the criminals have become aware there is far more money in market manipulation, and it’s easier, than in stealing from the banks – if they can just understand the markets themselves and get that insider information.”
Federal regulators seem also to have realized hedge funds are in the cyber-crime cross hairs. In January, the Securities and Exchange Commission (SEC) announced it would be tightening cyber-security requirements for financial firms, including hedge funds. Following a cyber-security roundtable in March, the SEC's Office of Compliance Inspections and Examinations published a risk alert announcing its “Cybersecurity Initiative.”
Under the initiative, the office will examine more than 50 registered broker-dealers and investment advisers with a focus on cyber-security: identifying risks; protecting networks and information; handling risks with remote customer access and funds transfers; detecting unauthorized activity; and identifying experiences with cyber-security threats.
At the same time, the FBI has requested that companies come forward to share their information. But that’s still not happening much, especially among privately held hedge funds, which tend to deal with cyber-attacks quietly to avoid damage to their reputations.
“Obviously the attackers are going where the money is – and where there is the least oversight – which is why hedge funds became a prime target in the first place,” says Samuel Bucholtz, managing partner at Casaba Security, a Redmond, Wash.-based consulting firm with financial industry clients.
“Most of these hedge funds, if they even do detect it, just want to fix it and move on,” he adds. “The last thing they want is for someone to know they got hacked. Because of that, it’s been a lot harder for the FBI to investigate. Now that’s changing, and regulators are starting to look closer at what’s going on.”