FIN4: The Insider Threat to Market Confidentiality
- Suspected Origin
- Unknown
- Motivation
- Financial Gain
- Aliases
- None documented
- Target Sectors
- Healthcare, Pharmaceutical, Financial Services, Legal, Investment Advisory
- Associated Malware
- Credential harvesting tools, custom .NET keylogger, VBA macros, fake login pages, Tor
Overview
FIN4, tracked as MITRE ATT&CK group G0085, is a sophisticated, financially-motivated threat group that has been active since at least 2013, systematically targeting confidential information related to the public financial market. Unlike many threat actors who rely on deploying persistent malware, FIN4 distinguishes itself by focusing almost exclusively on capturing credentials to gain access to email and other non-public correspondence. Their primary objective is to acquire insider information, particularly concerning mergers and acquisitions (M&A), clinical trial results, regulatory decisions, and other market-moving events, which they can then leverage for illegal stock market trading.
The group’s targets are highly specific, including C-level executives (CEO, CFO, COO), legal counsel, regulatory, risk, and compliance personnel, and other individuals within public companies and their advisory firms who regularly handle sensitive, market-impacting information. Over two-thirds of their reported targets have been in the healthcare and pharmaceutical sectors, likely due to the significant stock market fluctuations often triggered by news in these industries. They have also targeted investment banking firms and legal firms that provide services to public companies, with most targeted public entities listed on the NASDAQ or NYSE.
Tactics & Techniques
FIN4’s modus operandi centers on highly effective social engineering and credential harvesting, making their attacks difficult to detect. Their initial access typically involves meticulously crafted spearphishing emails. These emails are often sent from compromised accounts, lending them an air of legitimacy, and are designed to lure victims into opening weaponized documents or clicking malicious links.
A common tactic involves embedding malicious Visual Basic for Applications (VBA) macros within seemingly legitimate Microsoft Word or Excel documents. When opened, these macros display convincing, spoofed Windows Security or Outlook dialog boxes, prompting the user to enter their Outlook credentials, often claiming the session has expired. These fake prompts sometimes even incorporate the victim company’s logo to enhance their authenticity. Once credentials are entered, they are transmitted to a command-and-control (C2) server.
Alternatively, FIN4 utilizes spearphishing emails containing links that direct victims to fake Outlook Web App (OWA) login pages, specifically designed to capture credentials. They have also been observed presenting victims with spoofed Windows Authentication prompts. The malicious emails themselves are notable for being written by native English speakers with a sophisticated understanding of investment terminology, further increasing their deceptive power.
Upon successfully obtaining credentials, FIN4 directly logs into the victim’s email accounts. They often use Tor for anonymous access to these compromised accounts, obscuring their true origin. To maintain access and hinder detection, FIN4 creates rules within victims’ Microsoft Outlook accounts. These rules are designed to automatically delete emails containing keywords such as “hacked,” “phish,” and “malware,” thereby preventing organizations from communicating internally about the ongoing compromise. Data exfiltration is typically performed using HTTP POST requests.
Notable Campaigns
FIN4 first gained significant public attention with FireEye’s “Hacking The Street” report in December 2014. This pivotal report detailed FIN4’s operations since at least mid-2013 and linked them to attacks against more than 100 organizations, predominantly public healthcare and pharmaceutical companies, as well as their advisory firms. The report highlighted the unprecedented nature of a sophisticated threat actor systematically acquiring information with direct value for stock market manipulation.
The severity of FIN4’s activities prompted a rare investigation by the U.S. Securities and Exchange Commission (SEC) in 2015. The SEC reportedly contacted at least eight public companies to gather information regarding data breaches tied to FIN4, underscoring the significant financial and regulatory implications of the group’s operations. These investigations, along with further scrutiny from the U.S. Secret Service, were directly spurred by FireEye’s findings.
The common thread throughout these incidents was FIN4’s unwavering focus on acquiring pre-release information, such as non-public details about M&A deals, clinical trial outcomes, or regulatory approvals, which could drastically influence stock prices. They often targeted multiple individuals involved in a single deal to maximize their chances of success.
Associated Malware & Tools
It’s crucial to reiterate that FIN4’s strategy largely eschews traditional, persistent malware. Instead, their toolkit primarily consists of methods for credential theft and leveraging legitimate access. The “malware” they do employ is typically focused and tactical:
- VBA Macros: These are embedded in weaponized documents to present fake credential prompts and harvest user inputs.
- Fake Login Pages: Specifically, spoofed Outlook Web App (OWA) login portals and Windows Authentication prompts are used to trick victims into divulging their credentials.
- .NET-based Keylogger: While they generally avoid “typical persistent malware,” they have been known to deploy a .NET-based keylogger to capture user input.
- Tor: The group uses the Tor anonymity network to log into compromised email accounts, making it harder to trace their activities.
- Outlook Rules: Used post-compromise for defense evasion, these legitimate email client features are weaponized to automatically delete suspicious emails, effectively self-censoring alerts about their presence.
Their approach emphasizes minimal footprint and the exploitation of legitimate access, making traditional endpoint detection less effective without robust credential hygiene and user awareness training.
Current Status
FIN4 remains a tracked threat group, with its MITRE ATT&CK profile last modified in November 2024, indicating continued relevance in the threat intelligence landscape. While specific, widely publicized incidents attributed to FIN4 have not been as frequent in recent years compared to the 2014-2015 timeframe, this does not necessarily mean the group has ceased operations. Their low-footprint, credential-focused methodology inherently makes them challenging to detect and publicly report on.
The enduring value of insider trading information ensures that the motivation behind FIN4’s activities remains strong. Organizations in the financial, healthcare, and pharmaceutical sectors, particularly those involved in M&A activities or sensitive intellectual property, should consider FIN4 an ongoing and significant threat. Their reliance on social engineering and legitimate credentials highlights the critical importance of robust multi-factor authentication, advanced email security, and comprehensive security awareness training to defend against such adept and motivated adversaries.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call