Money managers and other financial services firms are among those targeted by hackers in a “spear phishing” campaign against employees tasked with filing documents with the Securities and Exchange Commission, according to cybersecurity company FireEye.
All of the recipients of the attempts at “spear phishing” — emails that appear to come from a trusted source but link to malware that can obtain confidential information — are based in the U.S., according to a posting on FireEye’s website. The hacking campaign was first identified late last month.
The posting did not name the firms that had been targeted.
A financially motivated threat group called FIN7 is suspected of conducting the campaign, FireEye said. The sender address on the emails read “EDGAR ”, and the emails carried an attachment named “Important_Changes_to_Form10_K.doc”.
FireEye said the names of many of the recipients apparently were obtained from previous SEC filings.
On its website, the SEC said it “is aware of reports of malicious emails sent to some EDGAR filers that appear to be part of a phishing campaign to compromise company network systems and obtain access to non-public information. The malicious emails purport to be communications from the SEC about changes to Form 10-K and sometimes contain malicious attachments. Clicking on the attachment(s) results in an attempt to install malware designed to obtain unauthorized access to the recipient’s computer and/or network.”
The agency said it has not made any recent changes to Form 10-K “and has not notified filers that changes have been made. Such emails purporting to be from the SEC should be deleted and your network administrator or information security personnel should be notified.”
While the actual intent of the hacking campaign is not known, FireEye said, “we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.”
Along with money managers, the targeted firms included insurance and banking firms as well as transportation, retail, education, information technology and electronics companies, FireEye said.