If a TBTF Bank Lost Its Quant Code to Chinese Hackers and No One Knew, Would We Still Have a Functioning Market?

Bloomberg has an excellent catch from the HB Gary emails, revealing that Morgan Stanley was one of the 20-200 companies targeted by the Chinese-based Aurora hack in 2009.

Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than a year ago, according to e-mails stolen from a cyber-security company working for the bank.

The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret.

“They were hit hard by the real Aurora attacks (not the crap in the news),” wrote Phil Wallisch, a senior security engineer at HBGary, who said he read an internal Morgan Stanley report detailing the so-called Operation Aurora attacks.

As McAfee made clear when it first announced the hack, the hackers were after the targets’ intellectual property (though note the understanding of the timing of the hack has changed).

Similar to the ATM heist of 2009, Operation Aurora looks to be a coordinated attack on many high profile companies targeting their intellectual property. Like an army of mules withdrawing funds from an ATM, this malware enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays.

Now, Bloomberg–with backing from an FBI officer and a reminder that Morgan Stanley is the world’s largest mergers and acquisitions adviser–seems to be most concerned about what the hackers learned about impending M&A.

FBI Deputy Assistant Director Steven Chabinsky said that hackers have increasingly targeted information related to mergers and acquisitions, data that can give companies involved an advantage in negotiations.

But the description of the targeted information as IP immediately made me think about quant code, the algorithms that banks use to conduct high frequency trading. When Sergey Aleynikov attempted to sell Goldman Sachs’ high frequency trading code, Goldman and the government treated it like a capital offense. For good reason, because if another firm got that code, it would be able to game out Goldman’s moves. So how do we know that these hackers didn’t steal MS’ quant code?

In any case, the hack seems to raise real questions about disclosure. Should Morgan Stanley have had to reveal this to its stockholders and potential M&A clients (remember that MS led GM’s IPO last year, though hopefully long enough after this hack for the merger not to be exposed by it)? Should MS have had to reveal this–with the potential implications for markets–to Congress? Did it?

I just can’t help but think that the Aurora hackers may well have gotten the same kind of information that Congressional oversight committees have requested from the Fed, but were refused.


Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.


  1. WilliamOckham says:

    Yes. China is too far away to use high freq trading effectively. OTOH, it would suck for MorganStanley.

      • WilliamOckham says:

        High frequency trading works best when your network is very close to the exchanges. It depends literally on milliseconds of advantage. The big investment banks have effectively locked out any competitors by monopolizing the close network connections. I’m talking about close both in terms of physical distance and router hops which are the two big delays involved. To be really effective at high freq trading, you need massive computer power (easy for anyone to obtain), the clever code (harder, but not impossible), and a direct network connection into the exchange (which is how the insiders keep others out).

    • earlofhuntingdon says:

      Surely, Shirley, physical distance is irrelevant and China has the resources to mobilize programs from anywhere in the world under any variety of assumed identities.

      I now see your point about milliseconds and attributes of distance, but I think my second point stands.

  2. Gitcheegumee says:

    My first thought when I began reading your post was about Sergey Aleynikov (although I could not remember his name).

    I have always wondered if there was any nexus between his activities and those of the ten Russians that were arrested last summer.

  3. WilliamOckham says:

    The Chinese hacking (Night Dragon, Aurora, etc.) reminds me of Samuel Slater (you can google him).

  4. BoxTurtle says:

    Don’t worry so much about what they got, worry about what they’re getting. If they have M&A data, it’s old and they apparently didn’t act on it enough to attract attention. And you can bet MS was looking.

    But if they were in far enough to get that sort of stuff, they were in far enough to make themselves a key to the backdoor.

    And you may be looking at it from the wrong direction. Yes, an American with the Quant code would be looking to use it to make money. A Chinese government hacker would be looking to use the code to crash the market. All they need to know is the When To Sell algorithm. They don’t even need to hack the code, just use their stock, bonds, and cash to create a computerized sell off.

    Boxturtle (Another reason to ban program trading)

    • emptywheel says:

      Yeah, the HB Gary emails make it pretty clear that MS continued to get persistently hacked all the time, though there’s nothing to suggest it was getting that deep into their networks.

  5. scribe says:

    All the more reason to slap a per-share tax on high-frequency trading.

    Or, to make it simple, all trading. The true “investor”, i.e., Mr. or Mrs. Buy-and-hold, will hardly notice paying a penny or a nickel or dime per share, when they buy them once and hold the stock for months or years. The knuckleheads who do the high-freq will have to pay the freight for the damage their habits do.

    And, no, I suppose this whole episode does not make Jamie Dimon any less of a savvy businessman.

    • WilliamOckham says:

      I totally agree on the tax. Also, I’m trying to decide if negative savviness is a viable conceptual model…

    • manys says:

      All the more reason to slap a per-share tax on high-frequency trading.

      I think this is exactly where the long-standing capital gains pushback comes from.

  6. fatster says:

    Pardon the interruption: USSC has ruled “that corporations have no right of personal privacy to prevent the disclosure of documents under the federal Freedom of Information Act.” LINK.

  7. JohnLopresti says:

    I think the point about disclosure to stockholders some depiction of the extent of the incidents an interesting question. Also, on the tech side, what*s the fastest fiber bandwidth from Chicago to nyse now? I think Schapiro*s government commission has enunciated some policy of vigilance fairly recently, in the introspective aftermath of the microcrash quite a few months back. Without knowing the technology to much extent, the current controls look, to me, like some kind of quantum physics array of mandated suspensions, if I recall the policies I read in the newspapers last year following that insta-microcrash incident. Maybe the way SEC could approach getting the key exchanges to regulate nanosecond trades would be invoking the tax or surcharge when instatrades begin to generate fluctuations approaching each quantum boundary. In a way, it is kind of humorous, that the old paper copy 10K, and 10Q, themselves are rendered fairly moot by the sheer rapidity of the insta-trading. It*s always fun to watch the stock around the time of the investor conference calls six weeks following the close of a company*s quarter. Then again, there are the prospecti, which are elevating reading if one has studied the more staid 10K and 10Q sequences. I do not see SEC and the exchanges developing robo-interpreters of what*s in those key documents as part of a watchdog algorithm for particularizing an instantaneous invocation of the *tax or surcharge* per nanosecond trade, but I imagine lots of Excel tabbed documents laying the foundation for many of those algorithms, constantly tweaked by market specialists. I can see the incentive, as well, for foreign nations with liquidity to peer thru the public reported statements into the actual valuations m+a attempt to develop as an insider way to grasp trends and anticipate advantageous positions. Let*s see, what*s a nanosecond instatrade decoy sting gonna look like. 
    If Einstein were still around in person, he probably would be working on the math for the next system, one which could exclude the pesky speed of light. Fiber is so interminably slow.

  8. melior says:

    If I was an elite super-genius TBTF bank executive (except, you know, smarter) I might lose a bit of sleep worrying about the Chinese, but I’d have to seriously be sweating the fact that the proximate source for this leak now being splashed across Bloomberg’s RSS was the confidential personal email dump of the “experts” they apparently rely on for security. At least the Chinese would presumably keep anything they uncovered nonpublic for their own private exploitation…

  9. thatvisionthing says:

    Who names these things? I was stuck on Anaconda before, now I’m thinking — “Aurora”? Imagine Charlie Chan saying that. So I went to wikipedia:

    Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009.[1] The attack was first publicly disclosed by Google on January 12, 2010, in a blog post.[2] In the blog post, Google said the attack originated in China.

    The attack has been aimed at dozens of other organizations, of which Adobe Systems,[3] Juniper Networks[4] and Rackspace[5] have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman and Dow Chemical[6] were also among the targets.

    As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China “within the law, if at all”, and acknowledged that if this is not possible it may leave China and close its Chinese offices.[2] Official Chinese media responded stating that the incident is part of a U.S. government conspiracy.[7]

    The attack was named “Operation Aurora” by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee. Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries McAfee said were associated with the attack. “We believe the name was the internal name the attacker(s) gave to this operation,” McAfee Chief Technology Officer George Kurtz said in a blog post.[8]

    There’s also Aurora Plaza (a skyscraper in Shanghai), Aurora Technology (a subsidiary of Shanda, a major Chinese operator of online games…publishes (MOTU alert)the MMORPG King of the World), and (ahoy!) the HMS Aurora, a British light cruiser sold to the Nationalist Chinese in 1948, renamed the Chung King, whose crew defected to Mao’s People’s Liberation Army in 1949, renamed Tchoung King, then sunk by the Nationalist Chinese, then raised by the Russians… etc. Wait, a second (or first) HMS Aurora, took part in the Boxer Rebellion in 1901, aka “The Righteous Fists of Harmony,” opposing Western imperialism with grievances like opium trading, missionary evangelism and unequal treaties. Wow, the more things change… Boxers = English translation for fists — ! I did not know that! Ok, I’ll stop.

    So, is there a British connection to the Chinese hackers?

    • Gitcheegumee says:

      TVT, just for fun, google up Aurora..lots of interesting info regarding northern latitudes.

      Even more synchronistic is the introduction of the terminology themis in the entry. Now where did I hear that word before..wasn’t it in relation to HB Gary…or am I mistaken?

      Even Jung would be impressed with the synchronicity, imho.

      • Gitcheegumee says:

        And for an encore, Giggle up…oops… I mean Google up Themis…

        A Titan Goddess of law and order…WTF??

        • thatvisionthing says:

          I thought you were laughing at me. It’s ok, I laugh at myself all the time. But first google I clicked into:

          That’s why the United States Space Agency (NASA) sent Themis, the Greek Goddess of Justice, to uncover the events behind the aurora that dances. The mission consists of five satellites was deliberately given the name because it aims to reveal aurora Themis objectively, without prejudice.

          By coincidence, Themis is also the abbreviation of the activities that must be performed five scientific satellites, ie Time of History and Macroscale Interaction During Substorms. After reaching orbit, they must collect data to find the record of events and their effects on substorms, or a small storm that occurred.

          Five microsatellite transported Delta 2 rocket that was recently launched from Cape Canaveral Air Force Base, Florida, last weekend. The launch was delayed one day due to high winds in the air layer above. “The wind can affect the direction of track rocket,” said Rani Gran, NASA spokeswoman.

          According to the plan, the five Themis satellites will separate themselves from the Delta 2 rocket an hour after launch. Once separated, the scientists at the earth station of University of California, Berkeley, began to send signals to each satellite.

          The first satellite will identify the beginning substorm, namely the location of the first disturbance occurred at the earth’s magnetic field. “The satellite will be used to measure how fast the disturbance spread to other locations,” said David Sibeck, Themis project scientist.

          This mission is really only takes four satellites to complete the task. The fifth is a backup satellite spacecraft that will supply additional data.

          Satellites? Rockets? Funky website, no date for the entry — wait, it’s in the URL: http://www.spacesafety.org/2010/05/07/aurora-dance/

          Hey, I’m for justice, even if it has to come from NASA and the great beyond.

          Wait, Aurora justice launched right after cyberattack?

          • thatvisionthing says:

            The mission consists of five satellites was deliberately given the name because it aims to reveal aurora Themis objectively, without prejudice. … By coincidence, Themis is also the abbreviation of the activities that must be performed five scientific satellites, ie Time of History and Macroscale Interaction During Substorms. … Five microsatellite transported Delta 2 rocket that was recently launched from Cape Canaveral Air Force Base, Florida, last weekend.

            Engrish?

          • thatvisionthing says:

            According to the plan, the five Themis satellites will separate themselves from the Delta 2 rocket an hour after launch. Once separated, the scientists at the earth station of University of California, Berkeley, began to send signals to each satellite.

            Designated hippie?

            • thatvisionthing says:

              Berkeley:

              Themis, the goddess of justice, wisdom and good counsel, the guardian of oaths in Greek mythology, represents the THEMIS mission. She will confirm without prejudice, as implied by her fame, one of the two competing theories for auroral eruptions. THEMIS, with her sword (representing instruments) and scales (representing science discoveries), has both power and impartiality.

              http://ds9.ssl.berkeley.edu/themis/mission_mystery.html

  10. thatvisionthing says:

    NASA’s Themis page: http://www.nasa.gov/mission_pages/themis/main/index.html

    Repurposed in 2010! Now named Artemis (= Apollo’s twin, the goddess of hunting, wilderness and animals … aka Diana — I KNEW there was a British connection! :-)

    ARTEMIS stands for “Acceleration, Reconnection, Turbulence and Electrodynamics of the Moon’s Interaction with the Sun”. The ARTEMIS mission uses two of the five in-orbit spacecraft from another NASA Heliophysics constellation of satellites (THEMIS) that were launched in 2007 and successfully completed their mission earlier in 2010. The ARTEMIS mission allowed NASA to repurpose two in-orbit spacecraft to extend their useful science mission, saving tens of millions of taxpayer dollars instead of building and launching new spacecraft.

  11. thatvisionthing says:

    HBGary/Themis — Themis is a partnership, Team Themis (Palantir-Berico-HBGary)

    — Themis – corporate campaign work

    http://hbgary.anonleaks.ch/aaron_hbgary_com/2000.html

    — another one — union membership lists?:

    http://hbgary.anonleaks.ch/aaron_hbgary_com/9228.html

    Subject: Team Themis Cost Proposal – Phase I

    As we discussed during the meeting, we feel that the powerful combination of software and services that Team Themis (Palantir-Berico-HBGary) offers will provide dramatic improvements in capability for Hunton & Williams. … 9) Do we have access to the union in question’s membership lists?…

    — more Themis-HBGary e-mail links here:

    http://hbgary.anonleaks.ch/aaron_hbgary_com/index_f_d_29.html

    — Ha, an Aurora Report on the same page as Themis links

    http://hbgary.anonleaks.ch/aaron_hbgary_com/8801.html — synchronicity

    And in today’s news, on Salon — of course, I see this is EW’s next diary:

    Tuesday, Mar 1, 2011 09:15 ET

    Democrats call for probe of top D.C. law firm

    Hunton & Williams was involved in a dubious plot to attack critics of the Chamber of Commerce

    Dems write to Republican chairs of four House committees, Oversight and Govt Reform, Judiciary, Intelligence and Armed Services:

    We ask that your Committee immediately begin an investigation with hearings into the issues raised by recent reports alleging that three federal defense and intelligence agency data security contractors, and a leading law firm, planned a “dirty-tricks” campaign that included possible illegal actions against citizens engaged in free speech.

    A series of email messages recently published on the Internet indicates that defense data security contractors HB Gary Federal, Palantir Technologies and Berico Technologies (collectively calling themselves “Team Themis”) and the law firm of Hunton & Williams planned a campaign to sabotage and discredit critics of the U.S. Chamber of Commerce, including U.S. Chamber Watch, the union federation Change to Win, the Center for American Progress, the Service Employees International Union and other organizations.

    The published correspondence appears to reveal a conspiracy to use subversive techniques to target Chamber critics. The techniques may have been developed at U.S. government expense to target terrorists and other security threats.

    Well, considering that HBGary was marketing to the House of Representatives engineer CISO Brent Conran in @29, maybe they should look to themselves and ask some questions — e.g., link Responder Pro, link BigFix

  12. Gitcheegumee says:

    WOW, TVT …that’s some amazing info there.

    I suppose what got me was the irony of using a Greek figure that denotes justice, for the less than just intentions of Team Themis, as indicated in letter above.

    Calls to mind Cerberus…but that’s a whole ‘nother kettle o’ fish for some other thread.

    • thatvisionthing says:

      Thanks Gg, I was feeling pretty embarrassed at the end of my googlewander, wasting everyone’s time and ew’s good space. But, having slept on it, I’m kind of back to where I started. Why Aurora? Why Themis? Why Artemis (what a tortured acronym)? The most interesting reason given is for Aurora, that it’s in a computer file path name — makes me wonder why. Maybe that’s how McAfee knew it was Chinese, maybe it’s Aurora Technology. Or maybe it’s a way to finger somebody. I think I’ll put Cheney or Rumsfeld in all my file path names and then either they’re done for, material support, or I get a free hall pass. And goddess Themis, unprejudiced and strong — whoa, who’s going to be prejudiced about what makes an aurora work? Dancing auroras call for burning justice? NASA, what’s up with that? Is this like naming hurricanes, Greek god/goddess names all have a turn? I mean that still looks like a code name for something else to me because the reason given is so huh? Keep in mind I’m stupid and ignorant.

      But you were right, HBGary does have an Aurora cyberattack link — it did a report on it.

      As for choosing Themis the Goddess of Justice as their dirty tricks team name… damn. Team Themis was the subcontractor wannabe of law firm Hunton & Williams, subcontractor of Chamber of Commerce, to whom DOJ contracts out its illegal work (do I have the law begets bastardry right?). Is this like our torture ship USS Bataan, named to honor the servicemen/prisoners tortured at Bataan in WWII? Is this like subverting to torture teaching the SERE school on Coronado named after James Stockdale, our tortured Vietnamese hero? Is this like naming our war of terror “War on Terror”? And PATRIOT. Spit. It’s all Orwell. I am constantly reminded of poet Wendell Berry’s phrase about the world being babbled to pieces.

      Some Further Words
      by Wendell Berry.

      Let me be plain with you, dear reader.
      I am an old-fashioned man. I like
      the world of nature despite its mortal
      dangers. I like the domestic world
      of humans, so long as it pays its debts
      to the natural world, and keeps its bounds.
      I like the promise of Heaven. My purpose
      is a language that can repay just thanks
      and honor for those gifts, a tongue
      set free from fashionable lies.

      The world is babbled to pieces after
      the divorce of things from their names.
      Ceaseless preparation for war
      is not peace. Health is not procured
      by sale of medication, or purity
      by the addition of poison. Science
      at the bidding of the corporations
      is knowledge reduced to merchandise;
      it is a whoredom of the mind,
      and so is the art that calls this “progress.”
      So is the cowardice that calls it “inevitable.”

      I think the issues of “identity” mostly
      are poppycock. We are what we have done, …

      Amen.

      • Gitcheegumee says:

        I once read that Picasso was asked what he thought of computers (which were quite new back then).

        He replied, “Not much. They can only answer questions. The genius is in asking them (questions).”

        I am always amazed at your sense of wonder..even when you may think you wander. Please nurture that ..it’s a gift…and thank you for sharing.

        • bobschacht says:

          Picasso was asked what he thought of computers (which were quite new back then).

          He replied, “Not much. They can only answer questions. The genius is in asking them (questions).”

          This is absolutely true. I try to practice asking the right question whenever possible. Wonderful things can happen. And BTW, to ask a good question, you definitely do not need to know the answer.

          Bob in AZ