
Why do hackers steal trading algorithms for hedge funds and HFT companies?



Image: Russ Allison Loar, CC BY 2.0

After a break, the ITinvest blog returns to Habr. We have previously talked about how hackers attack exchanges and financial companies to steal insider information. Often, however, attackers do not stop at stealing financial data and also try to get hold of the trading algorithms that hedge funds and HFT firms use to trade on the exchange.

Algorithm theft: why it is done


In 2015, representatives of information security companies told reporters about cases in which the systems of hedge funds and HFT firms were hacked in order to steal trading algorithms.

In particular, representatives of the information security vendor Kroll reported several attempts to steal trading algorithms, that is, the programs used to carry out automated trading operations on financial markets. In two cases the leak of the algorithms was prevented; in one, the attack was successful. FireEye also said that it had taken part in the analysis of a security incident involving the theft of trading algorithms.

Attacks aimed at stealing trading algorithms are rarely carried out in order to use the program code for direct trading on the exchange. Far more often, after a successful hack the attackers offer to return the stolen algorithms for a reward and threaten to publish information about the attack, which always provokes panic among the financial company's clients.

According to information security experts, such attacks are quite laborious and rare. They are carried out mainly for the sake of extortion, because it is difficult to make use of the stolen information, and especially the code, for trading. It is possible, but in such cases the threat most often comes from unscrupulous employees of financial companies.

For example, in the winter of 2015, charges were brought against Kang Gao, a former employee of the Manhattan-based hedge fund Two Sigma. According to published documents, his employment contract prohibited access to trading strategies and financial models, but despite this the employee sent such files to himself by email. Subsequently, he intended to launch his own HFT firm.

How attacks are carried out


Representatives of information security companies do not publish the names of the firms whose trading algorithms hackers tried to steal. However, Kroll researcher Ernest Gilbert said in a conversation with a Financial Times journalist that financial companies are “an attractive target for hackers,” because not all of them implement tools and approaches to ensure information security, such as network segmentation and traffic monitoring.

Often an attacker does not have to invent sophisticated ways of breaking in: the weakest link is most often a company's employees, who may open an email with a malicious attachment. At the same time, Gilbert is convinced that the likelihood of a successful attack can be reduced by restricting access to intellectual property, including by IP address, and by monitoring outgoing and incoming traffic with modern analyzers.

It is not only trading algorithms that are at risk, but also insider information (including company news): criminals are interested in anything that can give an advantage to a financial company's competitor or to another trader. The development of modern black markets and cryptocurrency exacerbates the situation: white-collar workers dissatisfied with their earnings at the company and criminals can easily find each other there and carry out serious fraud.

Not so bad


We have already compared the security level of banks and stock exchanges in terms of the quantity and quality of hacker attacks and concluded that attacks on stock exchanges and brokerage companies are relatively rare. While hacks and hacking attempts are considered quite commonplace in the banking sector, every story about an attack on a stock exchange causes a serious public outcry (provided that information about the incident leaks to the press).

Security systems on the Russian stock exchanges are built quite well. In 2015, a dedicated information security center was established here, which actively exchanges information with banks and stock exchanges. In 2016, the Moscow Exchange was forced to completely switch to a new information architecture and upgrade equipment to minimize losses from technical failures.

As for the security of an individual's brokerage account compared with a bank account, the possibility of a hack always exists: in theory, an attacker can gain access to it by stealing the encryption keys and the password (for example, using spyware).

At the same time, it will be much more difficult to withdraw the funds: the fraudster will have to start manipulating securities, selling or buying them from the victim’s brokerage account at unprofitable prices. However, this requires serious skills in financial markets that most hackers do not possess. The exchanges today limit the maximum range of price fluctuations during one trading session, so an attacker is unlikely to be able to “withdraw” any serious amount from the account.

In addition, to minimize potential damage, brokerage companies are developing various customer protection systems. How this protection is implemented in the ITinvest MatriX trading system can be found here.



Source: https://habr.com/ru/post/330514/

