{
	"id": "aa4f18e5-9fe9-40ac-93c7-f4107f012949",
	"created_at": "2026-04-06T02:10:59.086315Z",
	"updated_at": "2026-04-10T03:32:56.544514Z",
	"deleted_at": null,
	"sha1_hash": "7d45232c2b4b6331d534e1c4cd41e55d6eefdebe",
	"title": "FIN4: Stealing Insider Information for an Advantage in Stock Trading? « FIN4: Stealing Insider Information for an Advantage in Stock Trading?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35031,
	"plain_text": "FIN4: Stealing Insider Information for an Advantage in Stock\r\nTrading? « FIN4: Stealing Insider Information for an Advantage in\r\nStock Trading?\r\nBy Kristen Dennesen, Jordan Berry, Barry Vengerik, Jonathan Wrolstad | Threat Intelligence\r\nPublished: 2014-12-01 · Archived: 2026-04-06 01:59:20 UTC\r\nAt FireEye, we investigate cyber threat activity that typically aligns with one of two goals: the pursuit of sensitive\r\ninformation to fulfill a government's goals, or the theft of data for financial gain. The media echoes these two\r\nobjectives daily in news stories about Eastern European cybercriminals stealing payment card data from retailers,\r\nor China-based threat groups targeting high tech firms' latest innovations. A reader skimming the headline,\r\n\"Hackers Steal Data from Pharmaceutical Firms\" could be forgiven for assuming that the article tells the story of a\r\ngovernment-backed group in pursuit of new drug innovations. However, in a campaign FireEye is uncovering\r\ntoday, this headline tells another story.\r\n  FireEye tracks a threat group that we call \"FIN4,\" whose intrusions seem to have a different objective: to obtain\r\nan edge in stock trading. FIN4 appears to conduct intrusions that are focused on a single objective: obtaining\r\naccess to insider information capable of making or breaking the stock prices of public companies. The group\r\nspecifically targets the emails of C-level executives, legal counsel, regulatory, risk, and compliance personnel, and\r\nother individuals who would regularly discuss confidential, market-moving information.\r\n  FIN4 has targeted over 100 companies since at least mid-2013. All of the targeted organizations are either public\r\ncompanies or advisory firms that provide services to public companies (such as investor relations, legal, and\r\ninvestment banking firms). Over two-thirds of the targeted organizations are healthcare and pharmaceutical\r\ncompanies. 
FIN4 probably focuses on these types of organizations because their stocks can move dramatically in\r\nresponse to news of clinical trial results, regulatory decisions, or safety and legal issues.\r\n  We've been able to characterize FIN4's activity via our incident response engagements, FIN4's attempts to\r\ncompromise our managed service clients, our product detection data, and further independent research. Our\r\nvisibility into FIN4's activities is limited to its network operations; we can only surmise how they may be using\r\nand potentially benefitting from the valuable information they are able to obtain. However, one fact remains clear:\r\naccess to insider information that could significantly impact stock prices for dozens of publicly traded companies\r\nsurely puts FIN4 at a considerable trading advantage.\r\n  FireEye is releasing indicators to help organizations detect FIN4 activity. Those indicators can be downloaded\r\nhere.\r\n  The complete report can be downloaded.\r\nSource: https://web.archive.org/web/20190508171649/https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html\r\nhttps://web.archive.org/web/20190508171649/https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20190508171649/https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
	],
	"report_names": [
		"fin4_stealing_insid.html"
	],
	"threat_actors": [
		{
			"id": "2799bc47-e502-49f0-a289-87e3cc95ecc6",
			"created_at": "2022-10-25T15:50:23.706367Z",
			"updated_at": "2026-04-10T02:00:05.34551Z",
			"deleted_at": null,
			"main_name": "FIN4",
			"aliases": [
				"FIN4"
			],
			"source_name": "MITRE:FIN4",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5f6ade4c-e2db-46f0-b1b4-529ea52d040b",
			"created_at": "2022-10-25T16:07:23.611546Z",
			"updated_at": "2026-04-10T02:00:04.687074Z",
			"deleted_at": null,
			"main_name": "FIN4",
			"aliases": [
				"FIN4",
				"G0085",
				"Wolf Spider"
			],
			"source_name": "ETDA:FIN4",
			"tools": [
				"UpDocX"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3571da12-0890-45e7-85d3-04fac7070b52",
			"created_at": "2023-01-06T13:46:38.414772Z",
			"updated_at": "2026-04-10T02:00:02.964831Z",
			"deleted_at": null,
			"main_name": "WOLF SPIDER",
			"aliases": [
				"FIN4",
				"G0085"
			],
			"source_name": "MISPGALAXY:WOLF SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441459,
	"ts_updated_at": 1775791976,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d45232c2b4b6331d534e1c4cd41e55d6eefdebe.pdf",
		"text": "https://archive.orkl.eu/7d45232c2b4b6331d534e1c4cd41e55d6eefdebe.txt",
		"img": "https://archive.orkl.eu/7d45232c2b4b6331d534e1c4cd41e55d6eefdebe.jpg"
	}
}