New Breed of U.S. Hackers Uses Wall Street Jargon to Deceive

SAN FRANCISCO — For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — the vast majority publicly traded health care or pharmaceutical companies — in apparent pursuit of information significant enough to affect global financial markets.

The group's activities, detailed in a report released Monday by FireEye, the Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can affect a company's stock price.

Starting in mid-2013, FireEye began responding to intrusions at publicly traded companies — two-thirds of them, it said, in the health care and pharmaceutical sector — as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services.

The attackers, whom FireEye named “Fin4” because of their focus on the financial sector, appear to be native English speakers based in North America or Western Europe who are well versed in Wall Street vernacular. Their email lures are tailored to each victim, written in flawless English and carefully worded to sound as if they came from someone with an extensive background in investment banking and a command of the terminology the industry uses.

Different groups of victims — frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists — are sent different emails. Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee's negative comments about the executive in an investment forum.

In other cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In some incidents, the attackers have simply embedded generic investment reports in their emails.

In each case, the links, including those embedded in the attachments, lead the victim to a fake email login page built to capture the victim's username and password, so that the attacker can sign in to the real mailbox and read its contents.

The Fin4 attackers maintain a light footprint. Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to crawl further and further into an organization's computer servers and infrastructure. They simply read a person's emails, and set rules for the infiltrated inboxes to automatically delete any email that contains words such as “hacked,” “phished,” or “malware,” to increase the time before their victims learn their accounts have been compromised.

“Given the types of people they are targeting, they don't need to go into the environment; the senior roles they target have enough juicy information in their inbox,” said Jen Weedon, a FireEye threat intelligence manager. “They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits.”

Because the attackers do not deploy malware, and communicate in correct English, they can be tricky to track. Weedon said FireEye first began responding to Fin4 attacks in mid-2013 but did not put together its findings until five months ago, when a few of its analysts concluded the attacks did not appear to be the work of familiar attackers in Russia or China, and warranted further investigation.

FireEye would not name the victims, citing nondisclosure agreements with its clients, but said that all but three of the affected organizations are publicly listed on the New York Stock Exchange or Nasdaq, while the others are listed on exchanges outside the United States.

Half of these companies fall into the biotechnology sector; 13 percent sell medical devices; 12 percent sell medical instruments and equipment; 10 percent manufacture drugs; and a small minority of targets include medical diagnostics and research organizations, health care providers and organizations that offer health care planning services.

FireEye said it had notified the victims, as well as the FBI, but did not know whether other organizations like the Securities and Exchange Commission were investigating.

Representatives of the FBI declined to comment. Representatives of the SEC did not respond to requests for comment.

Weedon said that FireEye had not had time to assess the effects of the breaches to see whether the attackers had benefited financially.

In each case, attackers logged into their victims' email accounts over Tor, the anonymity network that bounces traffic through a chain of volunteer-run relays around the globe, so the address a mail server records is that of a Tor exit node rather than the attacker's own. That makes their origin difficult, but not impossible, to trace. Last month, the FBI seized dozens of criminal websites operating on the Tor network, in the largest operation of its kind.
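Two of the signals described above are cheap to hunt for in mailbox audit logs: the inbox rules that silently delete any mail mentioning “hacked,” “phished” or “malware,” and mailbox logins that arrive through Tor exit nodes. The Python below is an added example written for this page, not code from FireEye or from its report. The audit events, the Tor exit addresses (drawn from RFC 5737 documentation ranges), the event field names and the keyword list beyond the three words the article quotes are all constructed assumptions.

```python
"""Hunt for FIN4-style mailbox tradecraft in audit events.

Two signals: inbox rules that hide security-related mail from the owner,
and mailbox logins arriving through Tor exit nodes. Everything here is an
added example for this page; the events and addresses are constructed.
"""
import ipaddress

# The three words the article reports plus near variants a defender would
# add (assumption: the variants are not from the FireEye report).
SUSPECT_WORDS = ("hacked", "phished", "phishing", "malware", "compromised")

# Rule actions that keep a message out of the owner's sight.
HIDING_ACTIONS = {"DeleteMessage", "PermanentDelete", "MoveToFolder:Deleted Items"}

# Constructed Tor exit list using RFC 5737 documentation ranges; a real
# deployment would load the Tor Project's published exit-node list.
TOR_EXIT_NODES = frozenset(
    ipaddress.ip_address(a) for a in ("198.51.100.7", "198.51.100.23", "203.0.113.200")
)


def is_tor_exit(ip: str, exits=TOR_EXIT_NODES) -> bool:
    """True when the source address is a known Tor exit; bad input is False."""
    try:
        return ipaddress.ip_address(ip) in exits
    except ValueError:
        return False


def matched_suspect_words(rule: dict) -> list:
    """Security keywords that appear in the rule's *ContainsWords conditions."""
    found = set()
    for cond, values in rule.get("conditions", {}).items():
        if not cond.lower().endswith("containswords"):
            continue
        for value in values:
            low = value.lower()
            found.update(w for w in SUSPECT_WORDS if w in low)
    return sorted(found)


def rule_is_suspicious(rule: dict) -> bool:
    """Hides mail AND keys on compromise wording: the FIN4 pattern."""
    hides = any(a in HIDING_ACTIONS for a in rule.get("actions", []))
    return hides and bool(matched_suspect_words(rule))


def sweep(events: list) -> list:
    """Walk audit events in order and return findings as dicts.

    A hiding rule created from a session that came in over Tor is rated
    high, since that combination is what the article describes.
    """
    findings = []
    for ev in events:
        user, ip, ts = ev["user"], ev.get("ip", ""), ev["ts"]
        tor = is_tor_exit(ip)
        if ev["type"] == "MailboxLogin" and tor:
            findings.append({"user": user, "ts": ts, "severity": "medium",
                             "reason": f"mailbox login from Tor exit {ip}"})
        elif ev["type"] == "New-InboxRule" and rule_is_suspicious(ev):
            words = ", ".join(matched_suspect_words(ev))
            reason = f"rule '{ev['name']}' hides mail matching [{words}]"
            if tor:
                reason += f", created from Tor exit {ip}"
            findings.append({"user": user, "ts": ts,
                             "severity": "high" if tor else "medium",
                             "reason": reason})
    return findings


# Constructed sample: a CFO's mailbox entered via Tor, then a cleanup rule;
# a lawyer with one benign rule and one that quietly deletes IT warnings.
SAMPLE_EVENTS = [
    {"type": "MailboxLogin", "user": "cfo@example.com", "ip": "192.0.2.10",
     "ts": "2014-11-03T09:01:00Z"},
    {"type": "MailboxLogin", "user": "cfo@example.com", "ip": "198.51.100.7",
     "ts": "2014-11-03T23:14:00Z"},
    {"type": "New-InboxRule", "user": "cfo@example.com", "ip": "198.51.100.7",
     "ts": "2014-11-03T23:16:00Z", "name": "cleanup",
     "conditions": {"SubjectOrBodyContainsWords": ["hacked", "phished", "malware"]},
     "actions": ["MarkAsRead", "DeleteMessage"]},
    {"type": "New-InboxRule", "user": "counsel@example.com", "ip": "192.0.2.44",
     "ts": "2014-11-04T10:00:00Z", "name": "newsletters",
     "conditions": {"FromAddressContainsWords": ["news@"]},
     "actions": ["MoveToFolder:Newsletters"]},
    {"type": "New-InboxRule", "user": "counsel@example.com", "ip": "192.0.2.44",
     "ts": "2014-11-04T10:05:00Z", "name": "IT noise",
     "conditions": {"SubjectContainsWords": ["your account may be compromised"]},
     "actions": ["DeleteMessage"]},
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['user']:20} {f['ts']}  {f['reason']}")
```

In practice the event list would come from the mail platform's audit export (Exchange mailbox auditing records both logins and rule creation) and the exit list from the Tor Project's published exit-node list. The severity bump for a rule created from a Tor session is the correlation that separates this tradecraft from a user tidying their own inbox; the keyword match alone, as the counsel example shows, still deserves a look but is weaker evidence.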

“We don't have specific attribution, but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States,” Weedon said. “But it's hard because we don't have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.”

Weedon added, “If it's not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well.”
