Wall St's exposure to hacking laid bare

The indictment on Thursday of a long-running hacking ring is kindling fears that rogue programmers are going beyond theft and developing the capacity to wreak havoc on the broader financial system.

Five Eastern European computer programmers were charged by the US attorney in New Jersey with hacking into the servers of more than a dozen large American companies and stealing 160 million credit card numbers in what the authorities called the largest hacking and data breach case ever.

But one company had nothing to do with credit cards or bank accounts: Nasdaq.

In a separate indictment unsealed in federal court in New York, one of the men, Aleksandr Kalinin of Russia, was charged with having gained access for two years to the servers of the Nasdaq stock exchange.

While Kalinin never penetrated the main servers supporting Nasdaq's trading operations - and appears to have caused limited damage at Nasdaq - the attack raised the prospect that hackers could be getting closer to the infrastructure that supports billions of dollars of trades each hour.

"As today's allegations make clear, cybercriminals are determined to prey not only on individual bank accounts, but on the financial system itself," Preet Bharara, the top federal prosecutor in Manhattan, said in announcing the case.

It is a pivotal moment, just a week after a report from the World Federation of Exchanges and an international group of regulators warned about the vulnerability of exchanges to cybercrime. The report said that hackers were shifting their focus away from stealing money and toward more "destabilising aims".

In a survey conducted for the report, 89 per cent of the world's exchanges said that hacking posed a "systemic risk" to global financial markets. "A presumption of safety (despite the reach and size of the threat) could open securities markets to a cyber 'black swan' event," the report said.

At a Senate hearing on cybersecurity on Thursday, a representative of several financial industry groups, Mark Clancy, said that "for the financial services industry, cyberthreats are a constant reality and a potential systemic risk to the industry".

Over the last few years, accidental technological mishaps at the trading firm Knight Capital and the Nasdaq and BATS stock exchanges have revealed how even isolated programming errors can quickly ripple through the markets, causing significant losses in minutes.

The exchanges have been bolstering their defences and their preparations for an assault on their computer systems. On July 18, an industry group led an exercise, referred to as Quantum Dawn 2, in which the exchanges and other financial firms responded to a simulated attack on the nation's stock markets.

The attack on Nasdaq is far from the first time an exchange has been singled out by hackers. In a survey conducted for the World Federation of Exchanges report, 53 per cent of all exchanges said they had experienced a cyberattack during the last year.

This year, the Prague Stock Exchange and several Czech banks were reportedly disabled for a brief time by an attack.

The public-facing web sites of a number of American exchanges have been hacked. Just last week, Nasdaq said that hackers had gained access to the passwords of people using one of its online forums. Its sites were breached in October 2010, too. At the time, the exchange said the breach affected a single system, known as Directors Desk, used by company board members to exchange confidential information.

The indictments unsealed on Thursday indicate a more wide-ranging scheme that prosecutors say gave Kalinin and his accomplices access to an unknown amount of information on numerous Nasdaq servers.

They were able to "execute commands on those servers, including commands to delete, change or steal data," according to the indictment in Manhattan court.

At certain points they had enough information to "perform network or systems administrator functions" on the servers, the New Jersey indictment said. Kalinin had access to the servers, intermittently, until October 2010, according to the Manhattan indictment. Nasdaq discovered the breach itself and alerted the authorities, according to a person briefed on the investigation.

A spokesman for Nasdaq said the company had no comment on the case.

Paul M Tiao, a former senior advisor on cybersecurity at the Federal Bureau of Investigation, said the Nasdaq breach was worrying because the servers the defendants attacked could have eventually provided an entryway to the more closely guarded trading systems.

"This is the beginning of the process through which you can imagine that some bad actors would find their way into much more sensitive infrastructure," said Tiao, now a partner at the law firm Hunton & Williams. "This is a significant cause for concern."

The indictment from the US attorney in New Jersey, which included information on the Nasdaq breach, said that Kalinin, who went by the nicknames Grig and Tempo, first cracked Nasdaq's systems in late 2007 using so-called SQL injections. This technique infects a computer system with malicious software that in turn allows the attackers to steal or manipulate the contents of the system.

When an accomplice in Florida asked about attacking Nasdaq, Kalinin wrote on instant message: "NASDAQ is owned."

©2013 The New York Times News Service