A security consulting firm has discovered a sophisticated hacking campaign that has targeted more than 100 public companies, investment banks and law firms. In a report released December 1, cybersecurity firm FireEye described a pattern of intrusions in U.S. targets by a group it dubbed “FIN4,” which appeared to be seeking insider information for financial gain.

FIN4’s attacks are notable for their sophistication. According to FireEye, the group demonstrated an in-depth knowledge of its targets, first selecting individuals who may have access to inside information, then sending high-quality emails designed to lure the recipients into clicking a link or opening a document. Either action would yield a spurious login prompt meant to elicit the victim’s email credentials. With these credentials, the group could gather intelligence on pending transactions, both for a trading advantage and to improve its attacks against future targets. In some cases, FIN4 downloaded transaction documents from these compromised email accounts, embedded macros meant to gather additional email credentials and sent the files to others from the original compromised account.

FireEye described FIN4’s attacks as primarily targeting publicly traded life sciences companies, with an emphasis on the biotechnology, medical device and pharmaceutical industries. The group also targeted other publicly traded companies and third-party advisory firms, such as investment banks, law firms and consultants. While mergers and acquisitions activity was a major focus of the attacks, FIN4 also sought inside information on price-relevant developments like clinical outcomes, Medicaid rebates and significant litigation.

FIN4 remains active, and its exploits will only encourage other “spearphishing” attacks in the future. Firms can take specific technical steps (such as disabling the execution of certain scripts) to reduce the risk from the FIN4 attacks themselves, but a strong defense requires a comprehensive approach. A first step is to learn from FIN4’s example that even plausible, well-written messages from colleagues or counterparties may not be what they seem.
