SEC charges nine in 2016 EDGAR hack, insider trading scheme

The Securities and Exchange Commission charged nine individuals and organizations with participating in a 2016 scheme to hack into EDGAR, the commission's financial filing system, and use nonpublic information to profit from illegal trades.

According to the SEC complaint made public Jan. 15, Ukrainian hacker Oleksandr Ieremenko and others obtained thousands of draft or "test filings" from EDGAR's servers that included nonpublic corporate earnings information. Those filings were then passed along to individual traders and companies in the United States, Ukraine and Russia, who made money trading off the information. Ieremenko was able to pass himself off as an authorized EDGAR user, according to the complaint.

The same day that the SEC announced its charges, the United States Attorney's Office for the District of New Jersey charged Ieremenko and Ukrainian national Artem Radchenko with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud and computer fraud related to the hack.

Altogether, six traders and two companies are accused of making hundreds of trades to generate at least $4.1 million off the scheme. Two of the traders charged, David Kwon and Sungjin Cho, are listed as residing in Los Angeles, Calif. Ieremenko and all but two of the trader defendants (Kwon and company Spirit Trade) were also charged in 2015 with a similar scheme to hack, steal and trade off nonpublic information from newswire services to generate more than $100 million in illegal stock trades.

After the SEC discovered the compromise in October 2016 and patched the flaws, Ieremenko attempted to regain access to EDGAR in 2017, conducting a series of phishing and spoofing campaigns against SEC computer users and posing as a member of SEC security staff in order to plant malware on targeted devices with access to the system.

The SEC complaint states that "none of the post-October 2016 efforts appear to have led to access to test filings containing nonpublic material." However, the indictment submitted by the U.S. Attorney's Office in New Jersey states that Ieremenko and Radchenko "successfully infected a number of SEC computers with malware." They used them to "probe the SEC's network and to steal information to use in their ongoing efforts to gain unauthorized access to Test Filings."

EDGAR, short for Electronic Data Gathering Analysis and Retrieval, has been in use since the 1990s, and in 2017 then-SEC Chairman Jay Clayton told Congress that the vulnerabilities used in a 2016 data breach involved "the exploitation of a defect in custom software" used for the system. The SEC has since created a senior advisor position for cybersecurity policy and contracted with cybersecurity vendor FireEye for forensic investigative services related to the hack.

The SEC has had plans to replace EDGAR since at least 2008, and in 2016, the agency awarded a $6.1 million contract to Sapient Government Services to gather requirements for a bid to redesign the system, with a target date early 2019 for procurement. A call to the SEC Office of Public Affairs for information on an updated procurement timeline was not immediately returned.