SEC: The EDGAR Hack Is Phase 2 of the Newswire Breaches
The SEC is the agency charged with monitoring cyber-security, internal controls and similar corporate matters. The agency has issued guidance on cyber-security. It is thus more than ironic that the Commission became a victim of hackers who breached EDGAR, the corporate filing system for the agency. At the same time the breach illustrates what the Commission has always said about compliance systems – the best can be breached. Whether the SEC’s was the best, however, is not the question. It was breached, and the information obtained was used to generate over $4 million in insider trading profits. That breach resulted in an action by the Commission and the U.S. Attorney’s Office. SEC v. Ieremenko, Civil Action No. 2:19-cv-00505 (D.N.Y. Filed Jan. 15, 2019); U.S. v Ieremenko (D. N.J. Filed Jan 15, 2019).
The Commission’s action names nine as defendants: Oleksandr Ieremenko of Kiev, Ukraine; Spirit Trade, Ltd., Hong Kong; Sungjin Cho, Los Angeles; David Kwon, Los Angeles; Igor Sabodakha, Kiev, Ukraine; Victoria Vorochek, Luhans’ka Oblast, Ukraine; Ivan Olefir, Luhans’ka Oblast, Ukraine; Capylield Systems, Ltd., Belize City, Belize; and Andrey Sarafanov, Moskva, Russian Federation. The 16-count criminal indictment names as defendants Artem Radchenko and Oleksandr Ieremenko, both of Kiev, Ukraine.
Defendant Ieremenko is an international hacker who, along with a number of others, is charged with having breached three newswire services to obtain inside information for trading. See SEC v. Dubovoy, Civil Action No 2:150cv006076 (D. N.J.); U.S. v. Turchynov, No. 2:15-cv-00390 (D.N.J.); U.S. v. Korchevsky, No. 1:150-cr-00381 (E.D.N.Y.). The EDGAR hack is just the next phase of those actions, according to the SEC’s complaint.
The scheme was launched by Mr. Ieremenko and others in the spring of 2016. Common hacking techniques were used to search for a way to access material nonpublic information in EDGAR. The focus was test filings – filings made by issuers that are not intended to become public. Rather, they are often submitted prior to the actual filing to ensure that the format and other matters are correct. The test filings, accordingly, often contain information that is material and non-public.
To breach EDGAR the hackers sent a series of malicious emails to sec.gov email addresses. The “emails were spoofed to appear as if they were being sent by SEC security personnel . . .[they] contained malware-infected documents . . .” The efforts successfully infected several SEC computer workstations.
To infect the workstations Mr. Ieremenko used a Romanian IP address he had employed during the newswire hacks. He also used the same web browser – a point evidenced by the fact that both intrusions involved an identical user agent string. Stated differently, the hacker left his signature.
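The attribution point above, a shared source IP address and an identical user agent string across two intrusions, is the kind of overlap a defender can look for by correlating access logs from separate incidents. The following is an added example, not code from the complaint or from the SEC; it parses constructed Combined Log Format lines (documentation IP ranges, invented paths and browser strings) and reports which (IP, user agent) pairs recur, with the weaker IP-only and user-agent-only overlaps shown separately since either alone is far less distinctive than both together.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (assumption: not taken from any real log). IPs are RFC 5737
# documentation addresses; paths and browser strings are invented for illustration.
NEWSWIRE_LOGS = [
    '198.51.100.23 - - [10/Aug/2015:14:02:11 +0000] "GET /press/draft/1182 HTTP/1.1" 200 4311 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '198.51.100.23 - - [10/Aug/2015:14:02:15 +0000] "GET /press/draft/1183 HTTP/1.1" 200 3990 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '203.0.113.5 - - [11/Aug/2015:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600 Safari/600"',
]
EDGAR_LOGS = [
    '198.51.100.23 - - [03/May/2016:17:41:02 +0000] "GET /cgi-bin/test-filing/7781 HTTP/1.1" 200 20117 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '192.0.2.44 - - [03/May/2016:17:42:30 +0000] "GET /cgi-bin/browse-edgar HTTP/1.1" 200 1502 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/50.0 Safari/537.36"',
]


def parse(line):
    """Return (ip, user_agent) for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ua")) if m else None


def signatures(lines):
    """Count how often each (ip, user_agent) pair appears; unparsable lines are skipped."""
    return Counter(s for s in map(parse, lines) if s)


def shared_signatures(logs_a, logs_b):
    """Pairs seen in both incidents, plus the weaker ip-only and ua-only overlaps."""
    a, b = signatures(logs_a), signatures(logs_b)
    return {
        "ip_and_ua": set(a) & set(b),
        "ip": {ip for ip, _ in a} & {ip for ip, _ in b},
        "ua": {ua for _, ua in a} & {ua for _, ua in b},
    }


if __name__ == "__main__":
    for kind, hits in shared_signatures(NEWSWIRE_LOGS, EDGAR_LOGS).items():
        print(kind, sorted(hits))
```

In practice the same correlation is run over the full set of incident logs, and a hit on the combined pair is a lead for further investigation rather than proof of a common actor on its own.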
Mr. Ieremenko first successfully accessed a test filing on EDGAR on May 3, 2016, and began manually exfiltrating electronic copies of test filings. Obtaining this information was the initial focus of the scheme.
The next day Mr. Ieremenko began using “deceptive hacking techniques” at 1:09 PM ET to access and exfiltrate a test filing for Issuer 1 from EDGAR. The test filing contained negative, material nonpublic information about the NYSE-listed firm’s financial results. That information was apparently passed to one or more individuals at Spirit Trade. Between 2:57 PM and 3:59 PM ET that firm, controlled by Individual 1, a veteran of the newswire scheme, sold short 5,500 shares of Issuer 1 stock. Shortly after the trades were placed the market closed. Issuer 1 released the financial information and the stock price declined. The next morning Spirit Trade closed its position, yielding $9,185 in gross profits. The pattern was repeated several times during May 2016, generating $496,740 in gross illegal trading profits tied to the filings of seventeen issuers.
Beginning in mid-May 2016 Mr. Ieremenko, or others, expanded the scheme. Specifically, an “Exfiltration Machine” was deployed – a server running a program that automatically exfiltrated test filings, a process that had initially been done manually. This permitted Mr. Ieremenko “to obtain hacked test filings on a greater scale . . . more traders began to monetize the information” – that is, trade on inside information. From at least May 2016 through at least October 20, 2016 Mr. Ieremenko worked with traders located in the United States, Ukraine, and Russia to monetize the information. Virtually all of the traders had participated in the newswire phase of the scheme. During this period one group traded about 369 times using test filings exfiltrated from EDGAR.
In October 2016 SEC IT personnel patched the EDGAR software “in response to a detected attack on the system. . .” Mr. Ieremenko could no longer access the system. Nevertheless, efforts to further compromise EDGAR continued until early the next year. Later Mr. Ieremenko boasted that he had successfully hacked specific newswire companies and “sec.gov.” The SEC’s complaint alleges violations of Securities Act section 17(a) and Exchange Act section 10(b). The indictment contains counts alleging conspiracy, wire fraud, securities fraud and computer fraud. Both cases are pending.