Russian Hackers Made Millions by Stealing SEC Earning Reports

A Russian national working for a cybersecurity company has been extradited to the U.S. where he is being charged for hacking into computer networks of two U.S.-based filing agents used by multiple companies to file quarterly and annual earnings through the Securities and Exchange Commissions (SEC) system.

Along with other conspirators, the individual made millions of U.S. dollars by trading on the material non-public information (MNPI) stolen from the two filings agents.

Also Read: September 2021 PDPC Incidents and Undertaking: Lessons from the Cases

Stolen creds used for access

In a press release on Monday, the Department of Justice announced that 41-year old Vladislav Klyushin has been extradited to the U.S. from Switzerland, where he had been arrested on March 21.

“Klyushin is charged with conspiring to obtain unauthorized access to computers, and to commit wire fraud and securities fraud, and with obtaining unauthorized access to computers, wire fraud and securities fraud” – the U.S. Department of Justice

Klyushin was part of a larger group that used MNPI for trading in the securities of publicly traded companies for at least two years, between January 2018 and September 2020.

Four other Russians that have been charged but are currently at large, have been identified as Ivan Ermakov, Nikolai Rumiantcev, Mikhail Vladimirovich Irzak, and Igor Sergeevich Sladkov.

The defendants used compromised employee credentials to access the networks of the targeted filing agent and view or download data related to earnings of multiple companies, including SEC filings and press releases.

According to FBI Special Agent B.J. Kang, the intrusions were carried out through a VPN connection and the compromise of one of the two filing agents started in October 2017.

The intruders looked at documents from companies in various sectors of activity, among them being: IBM, Steel Dynamics, Avnet, Tesla, Box, Roku, Kohl’s Corporation, Datadog, Altra Industrial Motion Corp, The Nielsen Company.

Having information about a company’s performance before it became public, the individuals allegedly acted on it and “traded accordingly, in brokerage accounts held in their own names or in the names of others,” reads an affidavit from FBI special agent BJ Kang, specialized in investigating financial crimes.

Also Read: The 5 Important Things To Know In Security Pen Testing

A pentester and a Russian GRU officer involved

Of the five Russians charged, Klyushin, Ermakov, and Rumiantcev worked for a Moscow-based IT company called M-13, which provides penetration testing services and red team engagements, which test the defenses of an organization by simulating targeted attacks.

The three M-13 employees, all of them holding deputy general director positions, also offered investment services, asking investors 60% of the profit, the DoJ says.

According to the company website, among M-13’s customers are “the Administration of the President of the Russian Federation, the Government of the Russian Federation, federal ministries and departments, regional state executive bodies.”

The connection with the Russian government, however, is deeper than this as Ermakov is a former officer in the Russian Main Intelligence Directorate (GRU), the country’s military intelligence agency.

If arrested, Ermakov also faces older charges related to hacking and influence efforts targeting the 2016 U.S. elections. Furthermore, he is suspected to have played a part in hacking and disinformation operations regarding the international anti-doping agencies, sporting federations, and anti-doping officials.

As per charging documents, the scheme was very lucrative. In about a year, one of the defendants, Irzak, traded ahead of public announcements of about 150 companies with a success rate of 66%.

Between December 2019 and August 2020, one account used by Irzak generated profits of about $4.3 million from illegally trading ahead of earnings announcements of around 47 companies.

Klyushin is risking a maximum penalty of five years in prison, three years of supervised release, and a $250,000 fine for conspiring to get unauthorized access to computers, wire fraud, and securities fraud charges. The same maximum sentence is for the hacking activity.

Securities fraud and wire fraud, however, each carries a maximum sentence of 20 years in prison, three years of supervised release, and a $250,000 fine.