FBI Bulletin: Criminals Hacking Law Firms to Steal Information for Insider Trading

The following document was obtained from the public website of a U.S. law firm.

"Criminal-Seeking-Hacker" Requests Network Breach for Insider Trading Operation

Page Count: 2 pages
Date: March 4, 2016
Restriction: TLP: AMBER
Originating Organization: Federal Bureau of Investigation, Cyber Divison
File Type: pdf
File Size: 445,285 bytes
File Hash (SHA-256): AC2D43CC8674D11DBB95208432553C914588C04BF3679D508AFB2D5634EB773A

Download File

A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.


In a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms. The criminal provided search criteria for industry-specific information for the hackers to locate within the networks. This information when interpreted by an industry expert can contribute to an insider trading scheme.


Historically, industries targeted by cybercriminals have discovered that their networks were susceptible to intrusion due to lack of adherence to network security industry standards.

Measures to deter unauthorized access to a company network:

  • Educate personnel on appropriate preventative and reactive actions to known criminal schemes and social engineering threats, including how employees should respond in their respective position and environment.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Disable macros. Be careful of pop-ups from attachments that require users to enable them.
  • Only download software – especially free software – from known and trusted sites
  • Create a centralized Information Technology e-mail account for employees to report suspicious emails.
  • Change network default passwords, configurations, and encryption keys. Use strong passwords.
  • Recommend your company’s IT professional(s) review, test, and certify the need/compatibility of a patch or update prior to installing it onto the operating system or software.
  • Monitor employee logins that occur outside of normal business hours.
  • Restrict access to the Internet on systems handling sensitive information.
  • Install and regularly update anti-malware solutions, software, operating systems, remote management applications, and hardware.
  • Do not use the same login and password for multiple platforms, servers, or networks.
  • Monitor unusual traffic, especially over non-standard ports. Close unused ports.
  • Monitor outgoing data, and be willing to block unknown IP addresses.
  • Isolate sensitive information within the network.
  • Only allow required processes to run on systems handling sensitive information.
  • Implement two-factor authentication for access to sensitive systems.
  • Ensure proper firewall rules are in place.
  • Be aware of the corporate footprint and persona facing the Internet. Conduct searches using multiple search engines on multiple Internet domains of company names, Web addresses, key personnel, and projects to determine if there is an accidental weak point in the network security. Conduct infrastructure look-ups in the public domains to ensure additional information is not inadvertently advertised.

Share this: