Andrew Burton/Getty ImagesRecent indictments of hackers raise concerns that programmers are developing tools that could wreak havoc on the broader financial system.The indictment on Thursday of a long-running hacking ring is kindling fears that rogue programmers are going beyond theft and developing the capacity to wreak havoc on the broader financial system.
Five Eastern European computer programmers were charged by the United States attorney in New Jersey with hacking into the servers of more than a dozen large American companies and stealing 160 million credit card numbers in what the authorities called the largest hacking and data breach case ever.
Related Links
Documents: Hacking and Data Breach CaseBut one company had nothing to do with credit cards or bank accounts: Nasdaq.
In a separate indictment unsealed in federal court in New York, one of the men, Aleksandr Kalinin of Russia, was charged with having gained access for two years to the servers of the Nasdaq stock exchange.
While Mr. Kalinin never penetrated the main servers supporting Nasdaq’s trading operations — and appears to have caused limited damage at Nasdaq — the attack raised the prospect that hackers could be getting closer to the infrastructure that supports billions of dollars of trades each hour.
“As today’s allegations make clear, cybercriminals are determined to prey not only on individual bank accounts, but on the financial system itself,” Preet Bharara, the top federal prosecutor in Manhattan, said in announcing the case.
It is a pivotal moment, just a week after a report from the World Federation of Exchanges and an international group of regulators warned about the vulnerability of exchanges to cybercrime. The report said that hackers were shifting their focus away from stealing money and toward more “destabilizing aims.”
In a survey conducted for the report, 89 percent of the world’s exchanges said that hacking posed a “systemic risk” to global financial markets. “A presumption of safety (despite the reach and size of the threat) could open securities markets to a cyber ‘black swan’ event,” the report said.
At a Senate hearing on cybersecurity on Thursday, a representative of several financial industry groups, Mark Clancy, said that “for the financial services industry, cyberthreats are a constant reality and a potential systemic risk to the industry.”
Over the last few years, accidental technological mishaps at the trading firm Knight Capital and the Nasdaq and BATS stock exchanges have revealed how even isolated programming errors can quickly ripple through the markets, causing significant losses in minutes.
The exchanges have been bolstering their defenses and their preparations for an assault on their computer systems. On July 18, an industry group led an exercise, referred to as Quantum Dawn 2, in which the exchanges and other financial firms responded to a simulated attack on the nation’s stock markets.
The attack on Nasdaq is far from the first time an exchange has been singled out by hackers. In a survey conducted for the World Federation of Exchanges report, 53 percent of all exchanges said they had experienced a cyberattack during the last year.
This year, the Prague Stock Exchange and several Czech banks were reportedly disabled for a brief time by an attack.
The public-facing Web sites of a number of American exchanges have been hacked. Just last week, Nasdaq said that hackers had gained access to the passwords of people using one of its online forums. Its sites were breached in October 2010, too. At the time, the exchange said the breach affected a single system, known as Directors Desk, used by company board members to exchange confidential information.
The indictments unsealed on Thursday indicate a more wide-ranging scheme that prosecutors say gave Mr. Kalinin and his accomplices access to an unknown amount of information on numerous Nasdaq servers.
They were able to “execute commands on those servers, including commands to delete, change or steal data,” according to the indictment in Manhattan court.
At certain points they had enough information to “perform network or systems administrator functions” on the servers, the New Jersey indictment said. Mr. Kalinin had access to the servers, intermittently, until October 2010, according to the Manhattan indictment. Nasdaq discovered the breach itself and alerted the authorities, according to a person briefed on the investigation.
A spokesman for Nasdaq said the company had no comment on the case.
Paul M. Tiao, a former senior adviser on cybersecurity at the Federal Bureau of Investigation, said the Nasdaq breach was worrying because the servers the defendants attacked could have eventually provided an entryway to the more closely guarded trading systems.
“This is the beginning of the process through which you can imagine that some bad actors would find their way into much more sensitive infrastructure,” said Mr. Tiao, now a partner at the law firm Hunton & Williams. “This is a significant cause for concern.”
The indictment from the United States attorney in New Jersey, which included information on the Nasdaq breach, said that Mr. Kalinin, who went by the nicknames Grig and Tempo, first cracked Nasdaq’s systems in late 2007 using so-called SQL injections. This technique infects a computer system with malicious software that in turn allows the attackers to steal or manipulate the contents of the system.
When an accomplice in Florida asked about attacking Nasdaq, Mr. Kalinin wrote on instant message: “NASDAQ is owned.”