Three Chinese citizens were charged on Tuesday by U.S. authorities who said the group attempted to hack into two New York-based international law firms as part of an alleged insider-trading conspiracy to profit on stolen corporate secrets. They made nearly $3 million, according to an indictment filed by the U.S. Securities and Exchange Commission.
In addition to criminal charges filed by the Department of Justice, the Securities and Exchange Commission also filed civil charges — the first time the financial regulator has done so in relation to a hack on a law firm’s computer network. It is far from the first time law firms have been targeted, however. For years they have been high-value targets for hackers because they necessarily traffic in confidential information from clients, whether they are wealthy corporations, powerful politicians or individuals of note.
Law firms also are relatively “soft” targets from a cybersecurity perspective, said Ari Schwartz, a former senior director for cybersecurity on the National Security Council staff at the White House, during an interview in a September.
Iat Hong, Bo Zheng and Chin Hung were charged in a Manhattan federal court with insider trading conspiracies, wire fraud and computer intrusion. The alleged hackers installed malware on the firms’ networks, gained access to all email accounts and copied gigabytes of emails. They targeted attorneys involved in mergers and acquisitions.
The U.S. government is currently seeking the extradition of Hong, who was arrested on Sunday in Hong Kong. The other defendants are not in custody.
The stolen information was allegedly used to purchase shares in at least three public companies ahead of major merger agreements including spending $7.5 million in one month on shares in the semiconductor company Altera Inc. before it was in talks to be acquired by Intel. By the end of 2015, the merger was made for $16.7 billion. The defendants allegedly made $1.67 million from their trading.
“We used enhanced trading surveillance and analysis capabilities that we developed over the last few years to identify the broad scope of the defendants’ alleged scheme, including the use of both U.S. and offshore accounts to carry it out,” Stephanie Avakian, Acting Director of the SEC’s Enforcement Division, said in a statement.
The hackers repeatedly targeted the firms’ IT employees first, according to the SEC, and used that access to target at will everyone else inside the firm.
The defendants allegedly began the scheme in 2014. They explained it to one another in a PowerPoint presentation titled “Internal Information of US Stock Operations.” In one slide, Zheng wrote that “we should focus on a company’s M&A [mergers and acquisitions] news which would usually cause the stock price to fluctuate significantly within a short period.” The same presentation indicated that the hacking of confidential information had already begun by indicating a tech firm’s as-yet unannounced new technology.
The targeting of law firms also has been an increasingly common tactic in international relations and espionage, especially during trade negotiations and in multinational lawsuits. In 2016, 11.5 million documents were stolen via data breach from Mossack Fonseca, a law firm and corporate service provider. The subsequent “Panama Papers” leak revealed confidential financial information about wealthy individuals and public officials around the globe.