Menu
Hacker group that hit Twitter, Facebook, Apple and Microsoft intensifies attacks

Hacker group that hit Twitter, Facebook, Apple and Microsoft intensifies attacks

The group has been stealing confidential information from large companies worldwide for the past three years

The hackers that targeted Twitter, Facebook, Apple and Microsoft developers two years ago have escalated their economic espionage efforts as they seek confidential business information and intellectual property they can profit from.

The group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.

After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity. However, its attacks resumed in 2014 and have since intensified, according to separate reports released Wednesday by Kaspersky Lab and Symantec.

Symantec has identified 49 different organizations in over 20 countries that have fallen victim to the Morpho group since 2012. The majority of them were from the technology, pharmaceutical, commodities and legal sectors and were based in the U.S., Canada or Europe.

Kaspersky identified additional companies compromised by the group that are involved in Bitcoin cryptocurrency, investments, healthcare, real estate, merger and acquisition deals, as well as individual users.

The absence of government or diplomatic corps victims and other details led researchers from the two security vendors to the conclusion that the Morpho group is most likely not sponsored by a nation state. Instead, it's probably a highly sophisticated cybercrime gang that knows how to exploit the business information it obtains for financial gain, for example by selling it to the highest bidder or by profiting from it on the financial markets.

The group has used at least two zero-day exploits so far, one for Flash Player and one for Java, and also had access to a digital certificate stolen from Taiwanese electronics manufacturer Acer that it used to sign its malware programs. This suggests that the attackers have access to high-value intrusion tools and techniques.

When it targeted developers from technology and Internet companies in 2013 the group launched its attack from a compromised iOS development forum using a Java zero-day exploit. This technique of compromising a website that's visited by multiple intended targets is called a watering hole attack.

That same year the Morpho group used the same method with multiple discussion forums, including expatforum.com, forum.samdroid.net, emiratesmac,com, mygsmindia.com, and a Jihadist discussion board that's now closed, researchers from Kaspersky said in a blog post. The attack vector for the 2014 and 2015 attacks is not yet known, but there are clear indications that a Web-based exploit kit with a zero-day Flash Player exploit was used, they said.

If successful, these Web-based exploits install a custom computer backdoor developed by the group that has versions for Windows and Mac OS X. The attackers then use additional custom hacking tools to move laterally through the network and compromise additional computers, servers and other devices.

According to Symantec's researchers, the Morpho attackers often target regional offices of their intended victims and then move through their internal networks to access their additional locations and headquarters.

The attackers appear to be well informed about the companies they attack and the information they're searching for.

"In many attacks, the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and, possibly use them to send counterfeit emails," the Symantec researchers said in a blog post. "The group has also attacked enterprise content management systems, which would often be home to legal and policy documents, financial records, product descriptions and training documents."

In one case, the attackers compromised a Physical Security Information Management (PSIM) system, gaining access to door locks and CCTV camera feeds.

It's not clear where the group is based. According to Symantec, some, if not all of the group's members are fluent in English, which is evident from the malware's code. However, Kaspersky also found one string in Romanian and one in Russian in the command-and-control procedures.

Peaks of activity were observed on the malware's command-and-control servers that correspond with U.S. typical working hours. This could mean that some attackers are based in the U.S., but could also be because the majority of victims are from the U.S. and Canada, forcing attackers to work during that time interval.

"Morpho is a disciplined, technically capable group with a high level of operational security," the Symantec researchers said. "Having managed to increase its level of activity over the past three years whilst maintaining a low profile, the group poses a threat that ought to be taken seriously by corporations."

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Microsoftsecuritydata breachtwitterExploits / vulnerabilitiesmalwarekaspersky labFacebookAppleintrusionsymantec

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments