By: Allen Kogan
The 2016 presidential election forced foreign-backed hacker groups out of their comfortable seats in the dark corners of the internet and into front-page news stories all across the country. Even today, the US media continues to regularly churn out report after report linking state-backed foreign hackers to everything from compromising voting machines to directly colluding with members of President Trump’s campaign. However, while most Americans remain steadily focused on Russian-backed hacking of government agencies, cybersecurity experts are growing increasingly concerned with a broader global increase in the targeting of American companies and other private-sector organizations. Though state-backed and private hackers often differ in their incentives, both groups are increasingly focused on the common goal of accessing confidential private-sector data to obtain proprietary corporate information and compromise US supply chains.
In only the most recent of numerous actions targeting cyber-exploitation for financial gain, the Securities & Exchange Commission (“SEC”) filed new civil charges against nine defendants for their alleged participation in a brazen scheme to hack the SEC’s own Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) system. The agency alleges that Ukraine’s Oleksandr Ieremenko, along with securities traders spanning across California, Ukraine, and Russia, developed a scheme to access non-public earnings reports and other corporate information on the EDGAR system to execute securities trades shortly before that information was released to the public.
Since 1996, the EDGAR system has served to automate “collection, validation, indexing, acceptance, and forwarding of submissions” by all domestic companies and certain individuals required to report financial information to the SEC. While not all corporate filings are processed through EDGAR and made available to the public, securities experts widely agree that prior knowledge of the type of corporate information which is submitted through the system – i.e., earnings reports – can dramatically increase returns on securities trades when utilized effectively. The SEC routinely pursues those who supply and trade on such information under US insider trading laws.
The SEC’s complaint charges each defendant with violating anti-fraud laws under the Securities and Exchange Acts. Specifically, the complaint alleges that, as early as May 2016 and through at least October 2016, Ieremenko accessed EDGAR’s servers and stole non-public earnings results for numerous US companies before passing them along to other defendants, who then traded on that information. The complaint further alleges that the other defendants purchased or shorted securities on the stolen information in approximately 157 instances, profiting at least $4.1 million in the process. The SEC is seeking monetary relief as well as injunctive restrictions on the defendants’ future trading activities.
Notably, the complaint also alleges that this particular scheme was the second phase of an extended effort by these hackers to target non-public corporate data. The first phase involved cyber-attacks on newswire servers and resulted in a 2015 SEC action against thirty-two defendants, including Ieremenko and his co-defendant in the current action, Ukraine’s Artem Radchenko. That action also paralleled criminal charges in New Jersey and Brooklyn federal courts.
Similarly, the SEC’s current action parallels criminal charges filed by federal prosecutors in the District of New Jersey. There, a sixteen-count indictment provides even more detail, alleging that from February 2016 to March 2017, Ieremenko and Radchenko committed securities, wire, and computer fraud. Specifically, the indictment alleges that the defendants relied on directory traversal, phishing, and malware attacks to hack EDGAR’s servers, ultimately accessing corporate test filings which contained earnings information.
What makes this scheme particularly ironic is that EDGAR’s primary purpose is “to increase the efficiency and fairness of the securities market for the benefit of investors, corporations, and the economy” by expediting financial reporting and public access to time-sensitive financial information. In essence, these hackers are charged with undermining this exact goal by exploiting EDGAR to access that very same information before the public could. Moreover, these charges further demonstrate that the SEC will pursue cyber-criminals who violate securities laws, even when they do so from abroad. Accordingly, those considering hacking any online database to trade on non-public information – let alone one belonging to the primary federal regulator of US securities markets – should instead put their skills towards legitimate uses. Naturally, the SEC does not take such acts lightly and, along with federal prosecutors, will vigorously pursue hackers who violate securities laws to the highest degree, regardless of where they reside.
See Lucan Ahmad Way & Adam Casey, Russia has been meddling in foreign elections for decades. Has it made a difference?, Washington Post (Jan. 8, 2018), https://www.washingtonpost.com/news/monkey-cage/wp/2018/01/05/russia-has-been-meddling-in-foreign-elections-for-decades-has-it-made-a-difference/; see also, e.g., Russian Hacking and Influence in the U.S. Election, New York Times, https://www.nytimes.com/news-event/russian-election-hacking (last visited: Jan. 26, 2019) (dedicating an entire webpage exclusively to Russian-backed hacking and collusion).
See, e.g., Eileen Sullivan, et al., Here’s What We Learned From Roger Stone’s Indictment, NPR (Jan. 25, 2019), https://www.nytimes.com/2019/01/25/us/politics/roger-stone-indictment.html (reporting on the indictment of Trump campaign advisor Roger Stone).
See Bill Gertz, National Counterintelligence and Security Center warns of foreign hacking, The Washington Times (Jan. 9, 2019), https://www.washingtontimes.com/news/2019/jan/9/foreign-hacker-threat-grows-for-private-sector/.
See SEC Brings Charges in Edgar Hacking Case, Sec. & Exch. Comm’n (Jan. 15, 2019), https://www.sec.gov/news/press-release/2019-1.
See id.; John Elliot, et al., The Association between Insider Trading and Information Announcements, 15 RAND J. of Econ. 4 (Winter 1984), 521-36.
See Nicolas Morgan, et al., Congress Targets SEC Insider Trading Rules, Law 360 (Jan. 30, 2019), https://www.law360.com/articles/1123848/congress-targets-sec-insider-trading-rules (noting that approximately ten percent of the SEC’s annual enforcement actions involve insider trading allegations); see also, e.g., SEC Charges U.S. Congressman and Others with Insider Trading, Sec. & Exch. Comm’n (Aug. 8, 2018), https://www.sec.gov/news/press-release/2018-151 (reporting on insider trading charges against Congressman Cameron Collins).
Sec. & Exch. Comm’n v. Ieremenko, D.E. 1, No. 19-CV-505 (D.N.J. Jan. 15, 2019), at 3.
SEC Charges 32 Defendants in Scheme to Trade on Hacked News Releases, Sec. & Exch. Comm’n (Aug. 11, 2015), https://www.sec.gov/news/pressrelease/2015-163.html.
See Two Ukrainian Nationals Indicted in Computer Hacking and Securities Fraud Scheme Targeting U.S. Securities and Exchange Commission, Dep’t of Justice (Jan. 15, 2019), https://www.justice.gov/usao-nj/pr/two-ukrainian-nationals-indicted-computer-hacking-and-securities-fraud-scheme-targeting.
Important Information About Edgar, supra note 6.