FireEye Report Identifies Highly-Sophisticated Cyber Threat Group Aiming to Cheat Wall Street

Year-long Investigation by FireEye Reveals FIN4 as a Potentially US-Based Group, Heavily Targeting Publicly Traded Healthcare and Pharmaceutical Companies

MILPITAS, CA – December 1, 2014 – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today released a comprehensive intelligence report that assesses that a financially motivated advanced threat group has been carrying out ongoing attacks against publicly traded companies in a likely attempt to play the stock market.

The report – Hacking The Street? FIN4 Likely Playing the Market – details the work of a team of native English-speaking operators with extensive knowledge of financial practices and of the nuances of the industries they targeted. Designated by FireEye as FIN4, the group has been observed collecting information from nearly 100 publicly traded companies or their advisory firms, all parties who handle insider information that gives a clear trading advantage to the attacker.

“Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action,” said Dan McWhorter, VP of threat intelligence, FireEye. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.”

Unlike the often nation-state-backed Advanced Persistent Threat groups originating from China and Eastern Europe tracked by FireEye, FIN4 carries out its attacks in a unique manner never seen before by FireEye. The group does not utilize malware, instead relying heavily on highly targeted social engineering tactics and deep subject-matter expertise to deliver weaponized versions of legitimate corporate files. Specifically, FireEye found that since at least mid-2013, FIN4 has made product development, M&A strategies, legal issues, and purchasing processes of companies its target data points.

While FIN4’s unique methodology of not using malware allows them to evade traditional detection and attribution, the report provides analysis of the social engineering and document weaponization that the group employs as identified through FireEye investigations and detections. With a strong command of English colloquialisms, regulatory and compliance standards, and industry knowledge, FireEye researchers believe FIN4 to be US-based or, possibly, Western European.  

FireEye researchers also found that while FIN4 has highly advanced techniques for breaking into an organization, they have security practices on the data they transmit. Stolen login credentials were shown to be transferred to FIN4 servers in plain text while the operators themselves use TOR to mask their locations and identities.

In addition to the report, FireEye is releasing indicators that can be downloaded at

The full report, including examples of FIN4 targeted attacks, can be accessed at          

About FireEye, Inc.

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,700 customers across 67 countries, including over 157 of the Fortune 500.

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark or trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

Media Contact:

Vitor De Souza

FireEye, Inc.



Investor Contact:

Kate Patterson

FireEye, Inc.