
Cyber Incident Victim: Virtu Financial

Date:

Mar 2017

Location:

United States of America

Summary

An IT engineer at KCG Holdings installed malware on company servers to steal proprietary trading platform source code and accessed employee accounts without authorization. Following a promotion, the employee exploited elevated access to bypass security monitoring systems by rerouting traffic through backup proxies, enabling undetected exfiltration. Unusual remote access activity detected by a quantitative analyst led to internal investigation and revocation of the perpetrator’s credentials. The individual admitted to the intrusions, citing fears of impending job loss amid acquisition rumors. The actions resulted in theft of sensitive intellectual property and compromised internal systems. The incident culminated in criminal charges for trade secret theft.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

Zhengquan Zhang, a 31-year-old IT engineer employed by KCG Holdings, Inc., engaged in unauthorized access and data theft between December 2016 and March 2017. Following his promotion to a DevOps supervisor role in December 2016, Zhang gained elevated access to KCG's Unix-based network infrastructure and source code repositories containing proprietary trading algorithms. He exploited this position to install malware on company servers designed to harvest credentials of other employees. This malware allowed Zhang to bypass security proxy servers managed by a third party by rerouting traffic through KCG-controlled backup proxies, evading network monitoring that might have detected data exfiltration.


The incident was discovered on March 25, 2017, when a KCG quantitative analyst working remotely experienced repeated disconnections from his work computer. Upon reconnecting, the analyst observed unauthorized access to his archived email folder and logged the attacker's unique connection identifier. KCG's security team traced this identifier to Zhang's workstation by March 26, leading to immediate revocation of his system access. Subsequent forensic analysis revealed Zhang had used stolen credentials to access multiple employee accounts and exfiltrate portions of the company's trading platform source code to an external server. On March 27, Zhang admitted his actions via email to a former supervisor, citing fears of impending layoffs amid rumors of a corporate acquisition. He confessed to deploying malware, accessing employee accounts to gather information about potential job cuts, and stealing intellectual property. KCG involved federal authorities, resulting in Zhang's arrest by the FBI on April 7, 2017 – the same day Virtu Financial announced its $1.4 billion acquisition of KCG. The U.S. Department of Justice charged Zhang with one count of trade secret theft, carrying a maximum penalty of 10 years imprisonment and financial penalties up to twice the gross loss from the offense. KCG's investigation confirmed the compromise of source code repositories and unauthorized access to multiple employee accounts, though the full scope of exfiltrated data was not publicly disclosed.

Sources
Sources available to members
1 source