SAN FRANCISCO — For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — most of them publicly traded health care or pharmaceutical companies — apparently in pursuit of information significant enough to affect global financial markets.
The group’s activities, detailed in a report released Monday morning by FireEye, a Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can significantly affect a company’s stock price.
Starting in mid-2013, FireEye began responding to the group’s intrusions at publicly traded companies — two-thirds of them, it said, in the health care and pharmaceutical sector — as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services.
The attackers, whom FireEye named “Fin4” because they are one of several groups that hack for financial gain, appear to be native English speakers, based in North America or Western Europe, who are well versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ.
Different groups of victims — frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists — are sent different emails.
Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee’s negative rants about the executive in an investment forum. In another case, hackers posed as an adviser to one of two companies in a potential acquisition.
In several cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In others, the attackers simply embedded generic investment reports in their emails.
In each case, the links or attachments redirected their victim to a fake email login page, designed to steal the victim’s credentials, so that the attacker could log into their email and read the contents.
The Fin4 attackers maintain a light footprint. Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to crawl further and further into an organization’s computer servers and infrastructure.
They simply read a person’s emails and set rules for the infiltrated inboxes to automatically delete any email that contains words such as “hacked,” “phished” or “malware,” to increase the time before their victims learn their accounts have been compromised.
“Given the types of people they are targeting, they don’t need to go into the environment; the senior roles they target have enough juicy information in their inbox,” said Jen Weedon, a FireEye threat intelligence manager. “They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits.”
Because the attackers do not deploy malware and communicate in native English, they can be tricky to track.
Ms. Weedon said FireEye first began responding to Fin4 attacks in mid-2013 but did not put together its findings until five months ago, when a few of its analysts concluded the attacks did not appear to be the work of familiar attackers in Russia or China, and warranted further investigation.
FireEye would not name the victims, citing nondisclosure agreements with its clients, but said that all but three of the affected organizations were publicly listed on the New York Stock Exchange or Nasdaq, while the others were listed on exchanges outside the United States.
Half of these companies fall into the biotechnology sector; 13 percent sell medical devices; 12 percent sell medical instruments and equipment; 10 percent manufacture drugs; and a small minority of targets include medical diagnostics and research organizations, health care providers and organizations that offer health care planning services.
FireEye said it had notified the victims, as well as the Federal Bureau of Investigation, but did not know whether other organizations like the Securities and Exchange Commission were investigating.
Representatives of the F.B.I. and S.E.C. declined to comment on the case.
FireEye has aggressively marketed its security research and breach detection products since it went public last year.
Its Fin4 research was published the day after David G. Dewalt, FireEye’s chief executive, appeared in a “60 Minutes” report, lamenting the fact that companies do not detect their breaches sooner.
The company’s stock price — which surged to $100 a share last March — has since dropped to $30 a share in part because of a report that indicated one of FireEye’s intrusion detection products did not perform as well as others in a lab test.
On Monday, the same day FireEye released its Fin4 report, lawyers filed a class-action suit in the United States District Court for the Northern District of California on behalf of FireEye shareholders.
Ms. Weedon said that FireEye had not had time to assess the effects of the breaches to see whether the attackers had benefited financially.
It is also difficult to track the attackers because in each case, they logged into their victim’s email accounts using Tor, the anonymity software that routes web traffic through Internet Protocol addresses around the globe. Last month, the F.B.I. seized dozens of criminal websites operating on the Tor network, in the largest operation of its kind.
“We don’t have specific attribution but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States,” Ms. Weedon said. “But it’s hard because we don’t have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.”
Ms. Weedon added, “If it’s not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well.”
