Hacking a Hedge Fund
H A C K I N G
A HEDGE FUND
There are worse things than a market crash.
Reported by Kip McDaniel
Illustrations by Harry Campbell
A safe opens in midtown Manhattan. The minute it does, the action is logged: Who opened it, what was removed, and why. Inside is not money, nor jewelry, nor gold. Instead, it’s full of simple disk drives, containing relatively mundane, everyday information. One is removed.
The drive is placed in a secure briefcase. The handler walks to the elevators and descends to street level. He exits the building to a waiting black Suburban. The driver is the only occupant. He takes the case, and places it between the two front seats.
The Suburban pulls away from the curb. It navigates Manhattan traffic until reaching Franklin D. Roosevelt Drive, which snakes up the East River to the Robert F. Kennedy (formerly Triborough) Bridge. The SUV inches its way through a crowded tollbooth, maneuvering exits and onramps until it alights upon Interstate 95. It accelerates, quickly passes through Westchester County and soon enters Connecticut. Within minutes, the Suburban is off the highway, heading towards its final destination: The gleaming headquarters of a multi-billion dollar hedge fund.
Variations on this happen every day for hundreds of hedge funds on the Eastern seaboard and beyond. But why a secure safe for unimportant files? Why meticulous records of who touched them and when? Why not transfer them via email, Dropbox, or any normal digital conveyance?
Because this anonymous hedge fund, like almost every hedge fund, is petrified about security. And as they manage billions for rich individuals and rich institutions, they shiver at the thought of their algorithms, client lists, and even, maybe, their money, exposed to every basement hacker and professional cybergang the world over.
Despite their paranoia, the cyberthreat for hedge funds is opaque.
This is what’s known: Attack vectors, or hacks to laymen, range from phishing (the “Nigerian prince with $10,000,000 USD in an offshore account”), to spear-phishing (an email appearing to be from your boss, but isn’t), to mock software updates and beyond. These intrusions usually aim to either trick an employee into sending money, or to gain access to a system and deliver malware. It’s this payload that scares hedge funds the most: Proprietary algorithms, client data, and reputations could all be fair game.
“One USB drive lying in a parking lot can change everything.”
Whether any major hedge fund has been breached in such a way is unknown—which is not to say it hasn’t happened.
Attacks are “like the example of Israel and nuclear weapons,” says Joe Ghory, a Russell Reynolds recruiter focused on cybersecurity and advanced analytics. (Full disclosure: He is a long-time friend of the author.) “They have no incentive to reveal it, but we all know that they have them.”
Only scattered reports of fund data breaches exist—for example, British defense contractor BAE Systems revealed in 2014 that a major hedge fund had been hacked, only to backtrack weeks later. Yet every industry expert interviewed for this article believed that at least one brand-name hedge fund has been exposed. “You could call it the Wizard of Oz, or the emperor wearing no clothes,” Ghory says. “Because the industry has no interest in disclosure, it leads to a false sense of security. The market feels more stable than it really is. Experts will tell you that there has never been a time—never—where they are more in the bullseye than now.”
This sentiment extends well beyond the alternative investment industry. While hedge funds are the Bobby Fischer of the financial system—eccentric genius mixed with a large dose of crazy—major financial institutions are even larger targets. JP Morgan, for one, has acknowledged that upwards of 100 million customers may have had their personal data exposed to hackers.
“And look at the US military,” Ghory says. “One USB drive lying in a parking lot can change everything.”
The US military is a singularly appropriate example of what it is to be a victim—and a perpetrator—of cybercrime and warfare.
As a victim, the Department of Defense faced a nightmare scenario in 2008 when it “suffered a significant compromise of its classified military computer networks,” according to William Lynn, former Deputy Secretary of Defense under President Barack Obama. In “Defending a New Domain: The Pentagon’s Cyberstrategy,” published in Foreign Affairs, he continued:
It began when an infected flash drive was inserted into a US military laptop at a base in the Middle East. The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the US Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.
The USB stick delivered a payload known as Agent.btz: “the most significant breach of US military computers ever,” according to Lynn. The attack, and the reported 14 months it took to clear the system of the virus, served as a wake-up call. “The Pentagon’s operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in US cyberdefense strategy,” he wrote—one from which hedge funds can learn a great deal.
Operation Buckshot Yankee was an implicit acknowledgment that “information technology enables almost everything the US military does: logistical support and global command and control of forces, real-time provision of intelligence, and remote operations.” Just as technology is no longer simply “an administrative tool for enhancing office productivity,” hedge funds are no longer paperbased operations where phone calls between trader and broker are the main points of contact with the external world. Technology is the central nervous system.
The USB attack also spurred the military to rethink the dynamics of cyberwarfare. “Cyberwarfare is asymmetric,” Lynn wrote. “The low cost of computing devices means that US adversaries do not have to build expensive weapons, such as stealth fighters or aircraft carriers... in cyberspace, the offense has the upper hand.” The same goes for hedge funds. While a founder may have billions in the bank and significant capital to spend on cyberdefense, the offensive capabilities remain ascendant.
Lynn’s prescription applies beyond the military. “The challenge is to make the defenses effective enough to deny an adversary the benefit of an attack despite the strength of offensive tools in cyberspace.” For the military, this meant giving cyberthreats the prominence they deserved in its organizational structure: In 2009, it consolidated various task forces into US Cyber Command, located in Fort Meade, Maryland.
For hedge funds, “the threat deserves prominence,” Russell Reynolds’ Ghory says. “Asset managers and hedge funds have always been very much focused on returns for their investors. But as a result, we have seen that the back-office staff has been purposefully designed to allow them to be nimble. They are substantial users of outside services or consultants that aren’t core to their business.” Unsurprisingly, internal communication and focus may be lacking when it comes to cyberthreats. Just as the military consolidated its various cyber-focused branches “into a single four-star command,” hedge funds would be well advised to onboard a chief information security officer, according to Ghory. “I do think that more and more asset managers are hiring into this role,” he says, while admitting his financial interest in seeing this trend continue. “As we spend more time working with limited partners, it’s becoming a question they are expecting to ask and expect a good answer for from the hedge fund or asset manager. It’s no longer, ‘We trust you.’”
Erin Faccone, an operational due diligence advisor at consulting firm NEPC—which helps limited partners analyze hedge funds, among other chores—echoed Ghory’s sentiments. “It’s become something they’re hypervigilant about,” she says. What she sees in the course of her work varies, however. “London was super-hyped about this last year. The US is behind.” She also believes that the problem goes beyond the theoretical. “I was at a fund last year, and I asked the questions. They admitted that they had experienced a phishing attack—a super sophisticated one, pretending to be an administrator. An employee clicked the link, and it put some malware in the system. It made its way through the system more than they anticipated. They, like everyone else, had invested in protection. But they were shocked. It didn’t compromise critical data, but it did scare them.”
Noble hackers exist. Raj Bakhru is one of them.
Formerly of Goldman Sachs and hedge fund Kepos Capital, Bakhru founded Aponix in 2014 before merging it with the ACA Compliance Group in early 2015, forming ACA Aponix. Officially, the firm provides “regulatory compliance expertise” and “independent technology risk assessments for financial firms.” Translation: Among other offerings, they are white hat hackers for hedge funds—people hired to probe systems in hopes of exposing weaknesses before the black hats do.
“We are notified of a successful or highly targeted attack at a client or future client almost every week,” he says. “The most prevalent attacks are phishing through email. It’s not just the Nigerian uncle phishing—it’s very targeted and looks like an internal email.” The most common and successful financial attacks are “against the finance or accounting team, where a spoofed email will appear to come from the CIO, CEO, COO, to the CFO or controllers looking to get a fake invoice paid,” Bakhru adds. “In multiple cases this has resulted in six-figure sums being wired out of management company accounts.”
In terms of malware, “one of the most notable infestations was CryptoLocker, which encrypted, with an unknown password, all the files the victim had access to on their network and shared drives. It then demanded a ransom payment in bitcoin to release the password. It largely entered through phishing attacks—for example, an attachment on a fake shipment confirmation email.” CryptoLocker put funds as large as $20 billion out of operation, Bakhru claims. While the malware did not specifically target financial firms, there were “definitely brand names in the hedge fund industry that got CryptoLocker and didn’t trade for two hours.” What scares Bakhru is what would happen if such software were written with hedge funds specifically in mind. “If it’s not already happened or happening, it’s going to happen,” he says.
Yet threats like CryptoLocker are just the beginning, he believes. “I wouldn’t be surprised to one day hear about hedge funds attacking one another. If you think about the past, with people trying to gain access to other companies for corporate espionage—you’ll see more of that to come.”
Continued from here.
Stuxnet.
“Just because nothing has come to the hedge fund’s attention yet doesn’t mean it hasn’t been compromised.”
To those who follow cyberwarfare, that one word inspires both awe and fear. Generally believed to be the work of the Israeli and American governments beginning in the last decade, the Stuxnet ‘worm’—a virus that doesn’t need human action to spread—targeted the Iranian nuclear program’s uranium enriching capability, an essential process to create both nuclear power and weapons.
Stuxnet is a computer nerd’s dream. To oversimplify, the malware exploited weaknesses (or ‘zero day’ errors) in Microsoft Windows operating systems. It then infiltrated Siemens-made systems that controlled uranium centrifuges. By altering the speed at which the centrifuges spun—and by covering its digital tracks when doing so—the malware caused them to break over time, hindering Iran’s production of weapons-grade uranium. It did its job, at least until computer security firm Kaspersky Lab discovered it in 2010.
The question of how the malware gained access to the Iranian nuclear facility at Natanz is the most pertinent for hedge funds. Nuclear facilities, after all, are rarely connected to external networks for fear of hacks—yet Stuxnet got in. As cybersecurity expert Ralph Langner wrote in “Stuxnet’s Secret Twin” for Foreign Policy in 2013, “the sober reality is that at a global scale, pretty much every single industrial or military facility… is dependent on its network of contractors, many of which are very good at narrowly defined engineering tasks, but lousy at cybersecurity.” He continued:
Rather than trying to infiltrate directly by crawling through 15 firewalls, three data diodes, and an intrusion detection system, the attackers acted indirectly by infecting soft targets with legitimate access to ground zero: contractors. However seriously these contractors took their cybersecurity, it certainly was not on par with the protections at the Natanz fuel-enrichment facility. Getting the malware on the contractors’ mobile devices and USB sticks proved good enough, as sooner or later they physically carried those on-site and connected them to Natanz’s most critical systems, unchallenged by any guards.
In short, it was a variation of the USB trick inflicted on the Department of Defense, this time with the Americans (and Israelis) as the likely perpetrators. Yet two key differences exist: The attack went undetected for years instead of months, and it preyed on the weakest point in the system—contractors—to gain access to the target. Both are nightmare scenarios for hedge funds.
“We make the assumption that the moment you’re compromised, someone is willing to act immediately,” says Russell Reynolds’ Ghory. “The reality is that they, whoever ‘they’ are, can be patient, because they’re looking at the large opportunity. The ones who tend to act quickly are classic smash-and-grab robbers—not the people looking to do the single great score, the ‘Ocean’s Eleven’ thing. Just because nothing has come to the hedge fund’s attention yet doesn’t mean it hasn’t been compromised.”
“We’ll see more vendor breaches, as that’s so often the soft spot,” says Bakhru of ACA Aponix. “One of the biggest threats to the industry as a whole–putting aside the Bridgewaters and AQRs of the world, as they are vigilant to the extreme—is the massive number of common third parties it uses.” Fund administrators, technology firms: these third parties hold data on, and provide back-door access to, hundreds of hedge funds. “That’s a bigger target than a JP Morgan, and it spends $1 billion a year on cybersecurity. These tech firms won’t even spend a fraction of that.”
Compared to the military, financial regulators and law enforcement have been slow to react to asset management cyberthreats. Prepare for that to change.
The US Securities and Exchange Commission (SEC)—overseers to investment firms managing more than $100 million—is now leading the cyber charge. In early 2015, it released a summary of brokerdealer and advisor examination findings. The results showed an industry generally following best practices for written security policies and business continuity plans in case of cyberattack.
The report also made clear that attacks are rampant. “A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyberattacks directly or through one or more of their vendors,” the SEC said. “The majority of the cyber-related incidents are related to malware and fraudulent emails.”
More than half of broker-dealers (54%) and just under half of the advisers (43%) reported receiving fraudulent emails seeking transfers of client funds, according to the report. “One adviser reported a loss in excess of $75,000 related to a fraudulent email, for which the client was made whole.” In April, it released a list of “suggestions” for internal cybersecurity assessments and strategies that regulated firms will ignore at their peril. In September, the commission fined St. Louis-based RT Jones Capital Equities Management $75,000 for failure to “establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients.”
The $75,000 penalty is a minor figure in asset management, but the money isn’t the issue, according to Bakhru. “You might say that the bigger concern is now regulatory—and reputational.”
“Look at RT Jones,” he continues. “The SEC fined the firm because it didn’t have the right protections on client cloud-hosted data, which is a first. What’s interesting is that no client lost any money. RT Jones detected the breach, notified clients, and got credit monitoring for those whose information had been hacked. It lost $75,000 by an enforcement, and maybe $100,000 in credit monitoring—but right now, its name is all over the press, and people will realize that this firm has had this action.”
The adage about robbing banks (“that’s where the money is”) doesn’t really apply to hedge funds, which have custody banks and other financial ‘plumbing’ partners for such details. Instead, a hedge fund must protect its ‘secret sauce’ of algorithms, research, client data, and—although it is often forgotten when talking about the billions of dollars flowing through this industry—its reputation.
Industry insiders consider the last element to be the most vulnerable. Hedge funds wither at the idea of even discussing hacking, but one prominent industry manager highlighted the fallout of an even minor data breach: “I wouldn’t be able to raise a cent for two years if we were hacked.” Of course, he may already have been.