New breed of U.S. hackers uses Wall Street jargon to deceive
Date: 2014-12-04 14:44


SAN FRANCISCO — For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — the vast majority publicly traded health care or pharmaceutical companies — in apparent pursuit of information significant enough to affect global financial markets.
The group's activities, detailed in a report released Monday by FireEye, the Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can affect a company's stock price.

Starting in mid-2013, FireEye began responding to intrusions at publicly traded companies — two-thirds of them, it said, in the health care and pharmaceutical sector — as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services.
The attackers, whom FireEye named “Fin4” because of their focus on the financial sector, appear to be native English speakers, based in North America or Western Europe, who are well-versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ.
Different groups of victims — frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists — are sent different emails. Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee's negative comments about the executive in an investment forum.
In other cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In some incidents, the attackers have simply embedded generic investment reports in their emails.
In each case, the links or attachments redirect their victim to a fake email login page, designed to steal the victim's credentials, so that the attacker can log into and read the contents of their emails.
The Fin4 attackers maintain a light footprint. Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to crawl further and further into an organization's computer servers and infrastructure. They simply read a person's emails, and set rules for the infiltrated inboxes to automatically delete any email that contains words such as “hacked,” “phished,” or “malware,” to increase the time before their victims learn their accounts have been compromised.
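The inbox-rule trick described above (auto-deleting any message that mentions "hacked", "phished" or "malware") leaves a durable artifact in the victim's mailbox, so it is one of the few things a defender can hunt for in a malware-free intrusion of this kind. The script below is an added example, not code from the article or from FireEye's report: it scores exported inbox rules and flags any rule that hides mail and either matches security-warning keywords or applies to every incoming message. The rule records, their field names and the keyword list are constructed for the example; a real deployment would build the records from a mailbox-rule export and adapt the schema.

```python
"""Detect mailbox rules that auto-delete security-warning mail.

Added example; the rule schema below (name, enabled, actions,
subject_or_body_contains, from_contains) is hypothetical and would be
mapped from a real inbox-rule export in practice.
"""

# Words a victim's security team or helpdesk would use when warning about
# a compromise. The article names "hacked", "phished" and "malware"; the
# rest are constructed additions. Matching is substring, case-insensitive.
SECURITY_KEYWORDS = frozenset({
    "hacked", "hack", "phish", "phished", "phishing", "malware",
    "compromised", "suspicious", "password reset", "security alert",
})

# Rule actions that make a message disappear from the user's view.
HIDING_ACTIONS = frozenset({
    "delete", "permanent_delete", "move_to_junk", "mark_read_and_move",
})


def _matches_keywords(terms):
    """Return the rule terms (original spelling) that contain a security keyword."""
    hits = set()
    for term in terms:
        lowered = term.lower().strip()
        if any(kw in lowered for kw in SECURITY_KEYWORDS):
            hits.add(term)
    return sorted(hits)


def find_suspicious_rules(rules):
    """Return a finding for every enabled rule that hides warning mail.

    A rule is flagged when it has a hiding action AND either its
    conditions mention a security keyword or it has no conditions at all
    (a catch-all that silently discards everything).
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules cannot hide anything
        actions = {a.lower() for a in rule.get("actions", [])}
        hiding = actions & HIDING_ACTIONS
        if not hiding:
            continue  # a rule that only files mail into a folder is ordinary
        terms = (rule.get("subject_or_body_contains", [])
                 + rule.get("from_contains", []))
        reasons = []
        kw_hits = _matches_keywords(terms)
        if kw_hits:
            reasons.append("hides mail mentioning: " + ", ".join(kw_hits))
        if not terms:
            reasons.append("hides every incoming message (no conditions)")
        if reasons:
            findings.append({"rule": rule["name"],
                             "actions": sorted(hiding),
                             "reasons": reasons})
    return findings


# Constructed sample rules: one benign filing rule, one rule of the kind the
# article describes, one catch-all delete rule, and one disabled rule.
SAMPLE_RULES = [
    {"name": "File newsletters", "enabled": True,
     "actions": ["move_to_folder:Newsletters"],
     "subject_or_body_contains": ["newsletter"], "from_contains": []},
    {"name": "Cleanup", "enabled": True,
     "actions": ["delete", "mark_read"],
     "subject_or_body_contains": ["hacked", "phished", "malware"],
     "from_contains": []},
    {"name": ".", "enabled": True,
     "actions": ["permanent_delete"],
     "subject_or_body_contains": [], "from_contains": []},
    {"name": "Old rule", "enabled": False,
     "actions": ["delete"],
     "subject_or_body_contains": ["phishing"], "from_contains": []},
]

if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RULES):
        print(f"[!] rule {finding['rule']!r}: {'; '.join(finding['reasons'])}")
```

Run against the sample data, the script reports the "Cleanup" rule (it deletes mail mentioning hacked, malware and phished) and the catch-all "." rule, and ignores the benign filing rule and the disabled one. Substring matching is deliberately loose, so expect some false positives on words such as "suspicious" in ordinary business mail; the point is to surface candidates for a human to review, and a short, oddly named rule with a delete action is itself worth a look.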
“Given the types of people they are targeting, they don't need to go into the environment; the senior roles they target have enough juicy information in their inbox,” said Jen Weedon, a FireEye threat intelligence manager. “They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits.”
Because the attackers do not deploy malware, and communicate in correct English, they can be tricky to track. Weedon said FireEye first began responding to Fin4 attacks in mid-2013 but did not put together its findings until five months ago, when a few of its analysts concluded the attacks did not appear to be the work of familiar attackers in Russia or China, and warranted further investigation.
FireEye would not name the victims, citing nondisclosure agreements with its clients, but said that all but three of the affected organizations are publicly listed on the New York Stock Exchange or Nasdaq, while the others are listed on exchanges outside the United States.
Half of these companies fall into the biotechnology sector; 13 percent sell medical devices; 12 percent sell medical instruments and equipment; 10 percent manufacture drugs; and a small minority of targets include medical diagnostics and research organizations, health care providers and organizations that offer health care planning services.
FireEye said it had notified the victims, as well as the FBI, but did not know whether other organizations like the Securities and Exchange Commission were investigating.
Representatives of the FBI declined to comment. Representatives of the SEC did not respond to requests for comment.
Weedon said that FireEye had not had time to assess the effects of the breaches to see whether the attackers had benefited financially.
In each case, attackers logged into their victim's email accounts using Tor, the anonymity software that routes Web traffic through Internet Protocol addresses around the globe, which can make it difficult, but not impossible, to trace their origins. Last month, the FBI seized dozens of criminal websites operating on the Tor network, in the largest operation of its kind.
“We don't have specific attribution, but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States,” Weedon said. “But it's hard because we don't have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.”
Weedon added, “If it's not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well.”
