Cybercriminals Zero In on a Lucrative New Target: Hedge Funds

They say crime follows opportunity.

Computer security experts say hedge funds, with their vast pools of money and opaque nature, have become perfect targets for sophisticated cybercriminals. Over the past two years, experts say, hedge funds have fallen victim to targeted attacks. What makes them such ripe targets is that even as hedge funds expend millions in moving their trading operations online, they have not made the same investment in security.

Security experts say the crime is hardly new. “Hedge funds have been victims of targeted cyberattack over the past two years,” said Tom Kellermann, the chief cybersecurity officer at Trend Micro. “Hedge funds are woefully undersecured. The lack of investment in their cybersecurity has placed them in the line of fire.”

The first such attacks on capital markets, Mr. Kellermann said, began in 1999, right around the time brokerage houses began to move private computer networks online. Early on, the most common mode of attack was to hack into a broker’s account to steal user names and passwords so that hackers could trade securities under a victim’s name. More recently, the most common attack on the financial industry has been distributed denial-of-service, or DDoS, attacks on banks by hackers based in Iran.

But unlike the DDoS attacks, which are a costly nuisance, the attacks against hedge funds are more sophisticated and profitable, experts say. The hedge fund industry has grown enormously in recent years, and many funds have moved to digital trading systems, which allow them to profit by trading milliseconds faster.

By moving their trading operations online, though, funds have also become a target. “The cybercrime underground is cognizant that convergence in the securities market has fostered a fertile environment for fraud,” Mr. Kellermann said. “These attacks are conducted for the purpose of front-running market participants.”

Almost a decade ago, Mr. Kellermann wrote a report for the World Bank about financial fraud. The report outlined seven attack scenarios — all of which had been realized by 2005 — and warned that “certain costs and risks associated with the e-finance revolution have yet to be fully appreciated.”

Since then, Mr. Kellermann and others say the problem has only become worse. In addition to online trading swindles, in recent months numerous funds have been struck by Cryptolocker, the particularly vicious, so-called ransomware that encrypts infected users’ files and demands a ransom to unlock them. Often, security experts say, these crimes go unreported by victims who fear that law enforcement agencies will dig through their systems.

But increasingly, government officials are asking companies to step forward so that they can learn more about criminals’ tools, techniques and patterns. At the annual RSA security conference in San Francisco last February, James B. Comey, the director of the Federal Bureau of Investigation, asked companies to start disclosing attacks.

“We understand that you are reluctant to report intrusions, either because you’re worried the government will start rummaging around your networks or because you fear your reputation will take a hit in the marketplace,” he said. “We need to examine patterns and behaviors, to determine how they operate, and how best to stop them.”

Correction: July 7, 2014
An earlier version of this post, using information provided by BAE Systems, a computer security firm, incorrectly cited a cyberattack late last year against an unnamed hedge fund. BAE later acknowledged that the episode it reported was a simulation, not an actual event.