Cyber Attack Hits Prominent Hedge Fund, Endowment, and Foundation

“They’re really focused,” warns one security expert. “Wow.”

Illustration by II

Illustration by II

At least two nonprofits and a hedge fund have been hit by a spreading cyber attack that experts say is targeting institutional investors.

Hackers breached the official email accounts of investment executives at the Kansas University endowment and Community Foundation of Texas late last month. This week, attackers hit hedge fund Arena Investors, sending a malicious phishing email from its chief operating officer’s address.

In every case, the tactic was the same.

“You have an encrypted message,” the fraudulent emails read, inviting recipients to “Continue to Email” by clicking a link, which likely infects the recipient with malware or allows hackers into their account.

Three experts suggested that the attackers are specifically targeting institutional investors because, essentially, that’s where the money is.

“These organizations have access to millions of dollars in liquid accounts,” Robert Capps of NuData Security told Institutional Investor in an interview. “Institutional folks managing capital are used to getting wire transfers and moving money. By targeting high-level executives in the financial industry, attackers are then able to send out wire transfer requests to someone in accounts payable, and then money is wired out to third parties. Make one mistake, and it could cost millions of dollars.”

Hackers did not succeeded in stealing assets from the Kansas endowment, senior vice president James Clarke said Thursday. “I can 1,000 percent confirm that we didn’t lose money.”

But at both the foundation and endowment, hackers breached executives’ email.

One of the victims was Kansas University endowment’s vice president of investments Stacy Nuss. “The party that took control of her account sent out what appeared to be an encrypted message with a link to an unknown but suspicious attachment,” Clarke wrote to recipients the following day. “We have regained control over the account and apologize for the inconvenience.”

Account breaches are the more serious of two common phishing methods, according to security awareness advocate Erich Kron of KnowBe4, which provides cyber security training products. The other method is called “spoofing,” when criminals disguise a message as being from someone else.

In Nuss’ case, Kron said, “somebody probably got her to put her credentials in somewhere, or attackers tried a password she used elsewhere that had been impacted by a breach. Somebody actually got into that account, and that’s a very, very dangerous type of phish, because you can’t differentiate from what’s real and what’s not. I would say her account was taken over by the bad guys, who then just started sending these emails out to everybody on the contact list.”

Victims tend to feel “very, very guilty,” Kron went on. “But I don’t think they should. It’s not hard to fall for these things.”

[II Deep Dive: The Sorry State of Cybersecurity]

Hedge fund Arena Investors said the attack “gives you a sense of the ever-present risks and evolving threats that organizations like ours face, despite having firewalls with redundancies, end-point protection, strong web and email filters, dedicated connectivity to a private cloud, an independent technology firm and dedicated security officer that establishes and monitors our controls, recurring third-party penetration testing, and regular employee training — in addition to other controls and protocols. Thankfully, we also have a pre-established response plan that we followed, and this incident was immediately contained.”

Human vigilance is the best line of defense for preventing attacks and controlling the damage afterwards, experts said. And institutional investors should expect to be targeted, if they haven’t been already.

“Business email compromise is one of the most costly and damning attacks today,” said Bob Gourley of cyber security firm Ooda. For the victimized organizations, he warned that the attack isn’t over. “Given that it’s targeting executives at endowments, foundations, and hedge funds, the sender has probably done a lot of investigation beforehand. They’re going to try to trick decision-makers into sending money somewhere it isn’t supposed to be.”