
Cybercriminal Group Spying On US, European Businesses For Profit

Symantec and Kaspersky Lab spot the 'Morpho' hacking team that hit Apple, Microsoft, Facebook and Twitter expanding its targets to lucrative industries, possibly for illegal trading purposes.

A team of attackers tied to previous hacks of Apple, Facebook, Microsoft, and Twitter, has quietly expanded its cyber espionage operation to snooping on and stealing intellectual property from multi-billion dollar firms in the pharmaceutical, software, Internet, oil and metal mining commodities sectors in the US, Europe, and Canada.

But unlike most cyber espionage groups, this is no nation state-sponsored hacking operation. According to researchers at Symantec who have been investigating the so-called Morpho organization for the past two years, this cyberspying operation appears to be run by an organized crime ring with possible US ties. Some 49 different organizations across 20 nations, most in the US, have been hit by the Morpho group, which mainly has set its sights on the victim organizations' Microsoft Exchange and Lotus Domino email servers to spy on corporate correspondence or possibly insert phony emails.

And unlike China's cyber espionage MO of stealing intellectual property to then pass on to its own companies to manufacture copycat products and technologies, these cyberspies appear to be in the business to make money based on a company's R&D or other business moves. "There are two theories, that they are stealing the data for themselves, or selling it to someone else," says Vikram Thakur, principal research manager on Symantec’s Security Response team. "But it's more likely that they are using the information to make investments … buying stocks" for financial gain, he says.

One common thread in the attacks at victim organizations that have shared some details of the attacks with Symantec's team is that the Morpho group hit R&D-related computer systems in these firms. Such forward-looking intel would indeed be valuable to an investor. "These were being used for research and innovation, forward-looking purposes," Thakur says. "It may not be the only information they got, but this was a common theme among victims."

Morpho's operations are reminiscent of that of the so-called FIN4 hacking group first exposed last year by FireEye. FireEye says FIN4 targets the email accounts of corporate executives and is focused on stealing merger & acquisition information as well as other potentially valuable intel for use in illegal trading. FIN4 doesn't infect victims with malware, but instead steals usernames and passwords to gain access to corporate emails. The SEC reportedly is investigating this activity.

But Morpho and FIN4 are separate operations, Symantec's Thakur says. "Morpho is leaps and bounds ahead on what it's [doing], how it goes after [its targets], and how it covers its tracks," he says.

Cyber espionage traditionally has been the domain of nation-states spying on one another to gather diplomatic or military intelligence, or, in the case of China, to pilfer intellectual property to boost its own businesses.

[The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel. Read Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber Espionage.]

Kaspersky Lab today also published a report on Morpho, which it calls "Wild Neutron." According to Kaspersky, the gang also uses a stolen, valid code-signing certificate and a zero-day Flash Player exploit to infect victims.

Costin Raiu, director of Kaspersky's global research and analysis team, says the gang has been active since 2011, and has hit other interesting targets: "The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the "Ansar Al-Mujahideen English Forum") and Bitcoin companies indicate a flexible yet unusual mindset and interests," Raiu says.

Meanwhile, Morpho and FIN4 may be the tip of the iceberg on cyber espionage as a tool for illegal trading purposes. "I think this could probably have been going on for a few years. In the coming months, we are bound to see more threats uncovered that fall into the same bucket," Symantec's Thakur says.

"It's like a Stuxnet moment," revealing yet another way hacking is used for high-stakes gains, according to Thakur.

How Morpho Morphed

Symantec's Thakur says his team noticed a relationship between the malware used in the 2013 wave of attacks on Apple, Facebook, Microsoft, and Twitter, and some malware that dated back to March 2012. "The malware used in 2013 was the same as the malware in 2012. We could see [Morpho] literally only had one infection at one point in time" then, Thakur says.

But Morpho morphed its operations such that it infects more than one victim at a time. Even so, its malware hasn't changed much, mainly because the attacks are relatively fast and furious: "They are in a victim's machine a very short amount of time. In less than 12 hours, they stole one gig of data, and used shredding tools" to hide their tracks in one case, Thakur says.

The attacks on Apple and the other big-name tech companies used a Mac OS X backdoor (OSX.Pintsized) and a Windows backdoor (Backdoor.Jiripbot). Although Morpho has mostly only tweaked its malware since then, it has added a trove of other hacking tools (also custom-made, and detected under the family name Hacktool), including its own version of OpenSSH called "Hacktool.Securetunnel," which sends the victim machine the command-and-control server's address and port for communication; a tool that appears to locate vulnerable printer, HTTP, or other servers on the network; a proxy connection tool; and the so-called "Hacktool.Multipurpose," which can edit event logs to cover its tracks, grab passwords, and delete and encrypt files.

But like most cyber espionage campaigns, Morpho uses watering-hole attacks to snap up victims, and has used a couple of zero-day attacks. "We see that kind of thing very often … Where they are very good is in their opsec," Thakur says. They steal, shred, and get out of the victim's machine quickly, and the C&C uses multiple layers before connecting to the victim's machine. "So this group knows how to cover their tracks," he says.

Symantec believes the group is an organized crime operation with at least two business units: one that does the hacking and has the technical know-how to cover its tracks, and another that tells the hackers whom to target and then takes the stolen information and monetizes it. The attackers appear to be native English speakers, and they work during US business hours.

Among its victims--which Symantec did not name--are five additional technology firms (most in the US), three major European pharmaceutical companies, gold and oil commodities firms, and law firms that specialize in the industries Morpho is targeting. In the case of one tech company, the attackers hacked the firm's physical security system, which would have given them a way to track an employee's movements and even spy on them via a video feed, according to Symantec.

Symantec has reported its findings to law enforcement, Thakur says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

7/8/2015 | 3:00:02 PM
It's very interesting to see what sound like contractors and traders deploying methods typically associated with state-backed threats for financial gain. One minor correction though - the group FIN4 do use malware, and there is a recent report on it titled "UnFIN4ished Business" -> pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html