Endpoint
7/8/2015
09:00 AM
Cybercriminal Group Spying On US, European Businesses For Profit

Symantec and Kaspersky Lab spot the 'Morpho' hacking team that hit Apple, Microsoft, Facebook and Twitter expanding its targets to lucrative industries, possibly for illegal trading purposes.

A team of attackers tied to previous hacks of Apple, Facebook, Microsoft, and Twitter has quietly expanded its cyber espionage operation to snooping on and stealing intellectual property from multi-billion dollar firms in the pharmaceutical, software, Internet, oil, and metal mining commodities sectors in the US, Europe, and Canada.

But unlike most cyber espionage groups, this is no nation-state-sponsored hacking operation. According to researchers at Symantec who have been investigating the so-called Morpho organization for the past two years, this cyberspying operation appears to be run by an organized crime ring with possible US ties. Some 49 different organizations across 20 nations, most in the US, have been hit by the Morpho group, which mainly has set its sights on the victim organizations' Microsoft Exchange and Lotus Domino email servers to spy on corporate correspondence or possibly insert phony emails.

And unlike China's cyber espionage MO of stealing intellectual property to then pass on to its own companies to manufacture copycat products and technologies, these cyberspies appear to be in the business to make money based on a company's R&D or other business moves. "There are two theories, that they are stealing the data for themselves, or selling it to someone else," says Vikram Thakur, principal research manager on Symantec’s Security Response team. "But it's more likely that they are using the information to make investments … buying stocks" for financial gain, he says.

One common thread in the attacks at victim organizations who have shared some details on the attacks with Symantec's team is that the Morpho group hit R&D-related computer systems in these firms. Such futuristic intel indeed would be valuable to an investor. "These were being used for research and innovation, forward-looking purposes," Thakur says. "It may not be the only information they got, but this was a common theme among victims."

Morpho's operations are reminiscent of that of the so-called FIN4 hacking group first exposed last year by FireEye. FireEye says FIN4 targets the email accounts of corporate executives and is focused on stealing merger & acquisition information as well as other potentially valuable intel for use in illegal trading. FIN4 doesn't infect victims with malware, but instead steals usernames and passwords to gain access to corporate emails. The SEC reportedly is investigating this activity.

But Morpho and FIN4 are separate operations, Symantec's Thakur says. "Morpho is leaps and bounds ahead on what it's [doing], how it goes after [its targets], and how it covers its tracks," he says.

Cyber espionage traditionally has been the domain of nation-states spying on one another to gather diplomatic or military intelligence or, in the case of China, to pilfer intellectual property to boost its own businesses.

[The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel. Read Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber Espionage.]

Kaspersky Lab today also published a report on Morpho, which it calls "Wild Neutron." According to Kaspersky, the gang also uses a stolen, valid code-signing certificate and a zero-day Flash Player exploit to infect victims.

Costin Raiu, director of Kaspersky's global research and analysis team, says the gang has been active since 2011 and has hit other interesting targets: "The group's targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the "Ansar Al-Mujahideen English Forum") and Bitcoin companies indicates a flexible yet unusual mindset and interests," Raiu says.

Meanwhile, Morpho and FIN4 may be the tip of the iceberg on cyber espionage as a tool for illegal trading purposes. "I think this could probably have been going on for a few years. In the coming months, we are bound to see more threats uncovered that fall into the same bucket," Symantec's Thakur says.

"It's like a Stuxnet moment," revealing yet another way hacking is used for high-stakes gains, according to Thakur.

How Morpho Morphed

Symantec's Thakur says his team noticed a relationship between the malware used in the 2013 wave of attacks on Apple, Facebook, Microsoft, and Twitter, and some malware that dated back to March 2012. "The malware used in 2013 was the same as the malware in 2012. We could see [Morpho] literally only had one infection at one point in time" then, Thakur says.

But Morpho morphed its operations such that it infects more than one victim at a time. Even so, its malware hasn't changed much, mainly because the attacks are relatively fast and furious: "They are in a victim's machine a very short amount of time. In less than 12 hours, they stole one gig of data, and used shredding tools" to hide their tracks in one case, Thakur says.

The attacks on Apple and the other big-name tech companies used a Mac OS X backdoor (OSX.Pintsized) and a Windows backdoor (Backdoor.Jiripbot). Although Morpho has only tweaked that malware since, it has added a trove of other hacking tools (also custom-made and grouped under the family name Hacktool), including its own version of OpenSSH, called "Hacktool.Securetunnel," that sends the victim machine the command & control server's address and port for communication; a tool that appears to locate vulnerable printer, HTTP, or other servers on the network; a proxy connection tool; and the so-called "Hacktool.Multipurpose," which can edit event logs to cover its tracks, grab passwords, and delete and encrypt files.

But like most cyber espionage campaigns, Morpho uses watering-hole attacks to snap up victims, and has used a couple of zero-day attacks. "We see that kind of thing very often … Where they are very good is in their opsec," Thakur says. They steal, shred, and get out of the victim's machine quickly, and the C&C uses multiple layers before connecting to the victim's machine. "So this group knows how to cover their tracks," he says.
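As an added defender-side illustration, not part of the article or of either vendor's report, the following Python sketch shows one way to hunt for the pattern Thakur describes: a large outbound transfer followed within 12 hours by clearing of an audit log. The sample events, host names, and addresses are constructed; only the 1 GB and 12-hour figures come from the article.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)     # article: data stolen and logs shredded in under 12 hours
EXFIL_BYTES = 1_000_000_000      # article: about one gigabyte moved out in that window

# Address ranges treated as internal; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (not from the article). Each tuple is
# (ISO timestamp, host, event kind, details). "net_out" is an outbound flow
# summary; "log_clear" is an audit-log clear/edit such as the Windows Security log being cleared.
SAMPLE_EVENTS = [
    ("2015-06-01T09:05:00", "rd-ws-17", "net_out", {"dst": "203.0.113.10", "bytes": 300_000_000}),
    ("2015-06-01T11:40:00", "rd-ws-17", "net_out", {"dst": "203.0.113.10", "bytes": 780_000_000}),
    ("2015-06-01T12:10:00", "rd-ws-17", "log_clear", {"log": "Security"}),
    # Benign: a large internal backup transfer with no log tampering.
    ("2015-06-01T01:00:00", "fs-02", "net_out", {"dst": "10.0.4.2", "bytes": 5_000_000_000}),
    # Benign: an admin clears a log, but the host sent little data externally.
    ("2015-06-01T14:00:00", "admin-pc", "net_out", {"dst": "198.51.100.5", "bytes": 20_000_000}),
    ("2015-06-01T15:00:00", "admin-pc", "log_clear", {"log": "Application"}),
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_fast_exfil_and_cover(events, window=WINDOW, threshold=EXFIL_BYTES):
    """Return one alert per log-clear event that was preceded, within `window`,
    by at least `threshold` bytes sent to external addresses from the same host."""
    by_host = defaultdict(list)
    for ts, host, kind, details in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, details))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for t_clear, kind, _ in evs:
            if kind != "log_clear":
                continue
            start = t_clear - window
            sent = sum(d["bytes"] for t, k, d in evs
                       if k == "net_out" and start <= t <= t_clear and is_external(d["dst"]))
            if sent >= threshold:
                alerts.append({"host": host, "bytes_out": sent, "log_cleared_at": t_clear.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_fast_exfil_and_cover(SAMPLE_EVENTS):
        print(alert)
```

Windowing on the log-clear event rather than on a fixed daily bucket is what lets the rule catch an intrusion that begins and ends inside a single shift.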

Symantec believes the group is an organized crime operation with at least two business units: one that does the hacking and has the technical know-how to cover its tracks, and another that directs the hackers on whom to target and then takes the stolen information and monetizes it. The attackers appear to be native English speakers and work during US business hours.

Among its victims, which Symantec did not name, are five additional technology firms (most in the US), three major European pharmaceutical companies, gold and oil commodities firms, and law firms that specialize in the industries Morpho is targeting. In the case of one tech company, the attackers hacked the firm's physical security system, which would have given them a way to track an employee's movements and even spy on them via a video feed, according to Symantec.

Symantec has reported its findings to law enforcement, Thakur says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
MastroMastro,
User Rank: Apprentice
7/8/2015 | 3:00:02 PM
Trends
It's very interesting to see what sound like contractors and traders deploying methods typically associated with state-backed threats for financial gain. One minor correction though - the group FIN4 do use malware, and there is a recent report on it titled "UnFIN4ished Business" -> pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html