Exclusive: Nasdaq hackers spied on company boards

By Jim Finkle

The new details showed the cyber attack was more serious than previously thought, as Nasdaq OMX Group had said in February that there was no evidence the hackers accessed customer information.

It was not known what information the hackers might have stolen. The investigation into the attack, involving the FBI and National Security Agency, is ongoing.

"God knows exactly what they have done. The long term impact of such attack is still unknown," said Tom Kellermann, a well-known cyber security expert with years of experience protecting central banks and other high-profile financial institutions from attack.

The case is an example of a "blended attack," where elite hackers infiltrate one target to facilitate access to another. In March hackers stole digital security keys from EMC Corp's RSA Security division that they later used to breach the networks of defense contractor Lockheed Martin Corp.

Nasdaq had previously said that its trading platforms were not compromised by the hackers, but they attacked a Web-based software program called Directors Desk, used by corporate boards to share documents and communicate with executives, among other things.

By infecting Directors Desk, the hackers were able to access confidential documents and the communications of board directors, said Kellermann, chief technology officer at security technology firm AirPatrol Corp.

Investigators have learned that hackers were able to spy on "scores" of directors who logged onto directorsdesk.com before the malicious software was removed, said Kellermann and another person familiar with the investigation who was not authorized to discuss the matter publicly.

It was still unclear how long Nasdaq's system was breached before the attack was discovered last October.

A Nasdaq spokesman confirmed the investigation into the attack continues, but declined to give further details.


Executive Assistant FBI Director Shawn Henry said the financial services sector was losing hundreds of millions of dollars to hackers every year, and the attacks were increasingly "destructive" in nature.

"We know adversaries have full unfettered access to certain networks. Once there they have the ability to destroy data," he told Reuters in a phone interview. "We see that as a credible threat to all sectors, but specifically the financial services sector." Henry declined to comment on the Nasdaq attack.

Alexander told security experts at a Baltimore conference that the United States was shoring up its defenses, but still had "tremendous vulnerabilities" to a growing number of increasingly destructive electronic attacks.

"Nation states, non-nation state actors and hacker groups are creating tools that are increasingly more persistent and threatening, and we have to be ready for that," he said.

Amid a spate of high-profile cyber crimes, the Obama administration wants Congress to pass comprehensive cyber-security legislation that would increase the government's ability to thwart the growing threat.

Alexander and other top officials held a classified meeting with lawmakers on Wednesday and Thursday to discuss the issue, according to sources familiar with the meeting.

Nasdaq CEO Robert Greifeld said in July that the exchange is under constant attack, requiring it to spend nearly a billion dollars a year on information security.

"As we sit here, there are people trying to slam into our system every day," Greifeld said in the interview. "So we have to be ever vigilant against an ever-changing foe."

(Reporting by Jim Finkle. Additional reporting by Jonathan Spicer in New York, Andrea Shalal-Esa in Baltimore and Diane Bartz in Washington. Editing by Tim Dobbyn, Tiffany Wu, and Bob Burgdorfer