A team of attackers tied to previous hacks of Apple, Facebook, Microsoft, and Twitter has quietly expanded its cyber espionage operation to snooping on and stealing intellectual property from multi-billion dollar firms in the pharmaceutical, software, Internet, oil, and metal mining commodities sectors in the US, Europe, and Canada.
But unlike most cyber espionage groups, this is no nation-state-sponsored hacking operation. According to researchers at Symantec who have been investigating the so-called Morpho organization for the past two years, this cyberspying operation appears to be run by an organized crime ring with possible US ties. Some 49 different organizations across 20 nations, most in the US, have been hit by the Morpho group, which mainly has set its sights on the victim organizations' Microsoft Exchange and Lotus Domino email servers to spy on corporate correspondence or possibly insert phony emails.
And unlike China's cyber espionage MO of stealing intellectual property to then pass on to its own companies to manufacture copycat products and technologies, these cyberspies appear to be in the business to make money based on a company's R&D or other business moves. "There are two theories, that they are stealing the data for themselves, or selling it to someone else," says Vikram Thakur, principal research manager on Symantec’s Security Response team. "But it's more likely that they are using the information to make investments … buying stocks" for financial gain, he says.
One common thread in the attacks at victim organizations who have shared some details on the attacks with Symantec's team is that the Morpho group hit R&D-related computer systems in these firms. Such futuristic intel indeed would be valuable to an investor. "These were being used for research and innovation, forward-looking purposes," Thakur says. "It may not be the only information they got, but this was a common theme among victims."
Morpho's operations are reminiscent of that of the so-called FIN4 hacking group first exposed last year by FireEye. FireEye says FIN4 targets the email accounts of corporate executives and is focused on stealing merger & acquisition information as well as other potentially valuable intel for use in illegal trading. FIN4 doesn't infect victims with malware, but instead steals usernames and passwords to gain access to corporate emails. The SEC reportedly is investigating this activity.
But Morpho and FIN4 are separate operations, Symantec's Thakur says. "Morpho is leaps and bounds ahead on what it's [doing], how it goes after [its targets], and how it covers its tracks," he says.
Cyber espionage traditionally has been the domain of nation-states spying on one another to gather diplomatic or military intelligence, or, in the case of China, to pilfer intellectual property to boost its own businesses.
[The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel. Read Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber Espionage.]
Kaspersky Lab today also published a report on Morpho, which it calls "Wild Neutron." According to Kaspersky, the gang also uses a stolen valid code certificate, and a zero-day Flash Player exploit to infect victims.
Costin Raiu, director of Kaspersky's global research and analysis team, says the gang has been active since 2011, and has hit other interesting targets: "The group's targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the 'Ansar Al-Mujahideen English Forum') and Bitcoin companies indicates a flexible yet unusual mindset and interests," Raiu says.
Meanwhile, Morpho and FIN4 may be the tip of the iceberg on cyber espionage as a tool for illegal trading purposes. "I think this could probably have been going on for a few years. In the coming months, we are bound to see more threats uncovered that fall into the same bucket," Symantec's Thakur says.
"It's like a Stuxnet moment," revealing yet another way hacking is used for high-stakes gains, according to Thakur.
How Morpho Morphed
Symantec's Thakur says his team noticed a relationship between the malware used in the 2013 wave of attacks on Apple, Facebook, Microsoft, and Twitter, and some malware that dated back to March 2012. "The malware used in 2013 was the same as the malware in 2012. We could see [Morpho] literally only had one infection at one point in time" then, Thakur says.
But Morpho morphed its operations such that it infects more than one victim at a time. Even so, its malware hasn't changed much, mainly because the attacks are relatively fast and furious: "They are in a victim's machine a very short amount of time. In less than 12 hours, they stole one gig of data, and used shredding tools" to hide their tracks in one case, Thakur says.
The attacks on Apple and the other big-name tech companies used a Mac OS X backdoor (OSX.Pintsized) and a Windows backdoor (Backdoor.Jiripbot). Although Morpho has mostly only tweaked that malware since, it has added a trove of other hacking tools (also custom-made and grouped under the family name Hacktool), including its own version of OpenSSH called "Hacktool.Securetunnel" that sends the victim machine the command & control server's address and port for communication; a tool that appears to locate vulnerable printer, HTTP, or other servers on the network; a proxy connection tool; and the so-called "Hacktool.Multipurpose" that can edit event logs to cover its tracks, grab passwords, and delete and encrypt files.
But like most cyber espionage campaigns, Morpho uses watering-hole attacks to snap up victims, and has used a couple of zero-day attacks. "We see that kind of thing very often … Where they are very good is in their opsec," Thakur says. They steal, shred, and get out of the victim's machine quickly, and the C&C uses multiple layers before connecting to the victim's machine. "So this group knows how to cover their tracks," he says.
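Two of the behaviours described above leave traces a defender can look for: a tool that edits or clears event logs, and a large volume of data leaving a machine in a short window (the article cites one gigabyte stolen in under 12 hours). The script below is an added illustration of that detection logic, not code from Symantec, Kaspersky, or the article; the hostnames, usernames, timestamps, and byte counts are constructed sample records, and the thresholds are chosen to mirror the figures quoted in the article rather than taken from any vendor guidance. Windows Security Event ID 1102 ("The audit log was cleared") is a real event identifier; everything else in the data is made up.

```python
"""Added example: flag hosts that send out a large volume of data within a short
window and then have their Security log cleared, the combination the article
attributes to Morpho's quick steal-shred-leave pattern. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security-log records: (timestamp, host, event id, user).
# 1102 = "The audit log was cleared" (real event id); 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2015-07-08T14:02:11", "rd-ws-17", 4624, "jdoe"),
    ("2015-07-08T21:40:03", "rd-ws-17", 1102, "jdoe"),
    ("2015-07-08T09:15:42", "fileserv-02", 4624, "svc_backup"),
]

# Constructed proxy/egress records: (timestamp, host, bytes_out).
SAMPLE_EGRESS = [
    ("2015-07-08T14:10:00", "rd-ws-17", 300 * 1024**2),
    ("2015-07-08T18:30:00", "rd-ws-17", 450 * 1024**2),
    ("2015-07-08T21:20:00", "rd-ws-17", 350 * 1024**2),
    ("2015-07-08T10:00:00", "fileserv-02", 50 * 1024**2),
]

LOG_CLEARED_EVENT_ID = 1102


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def log_clear_alerts(events):
    """Return (host, user, timestamp) for every audit-log-cleared event.
    Clearing the Security log on a workstation is rare in normal operation,
    so each occurrence is worth an alert on its own."""
    return [(h, u, t) for t, h, eid, u in events if eid == LOG_CLEARED_EVENT_ID]


def bulk_egress_alerts(egress, window=timedelta(hours=12), threshold=1024**3):
    """Sliding-window sum of outbound bytes per host; alert when a host sends at
    least `threshold` bytes within `window`. Defaults model the '1 GB in under
    12 hours' figure from the article (an assumption, not a vendor threshold)."""
    by_host = defaultdict(list)
    for t, h, b in egress:
        by_host[h].append((parse_ts(t), b))
    alerts = []
    for host, recs in by_host.items():
        recs.sort()
        start, total = 0, 0
        for end, (t, b) in enumerate(recs):
            total += b
            # Drop records that fall outside the window ending at `t`.
            while t - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total >= threshold:
                alerts.append((host, recs[start][0].isoformat(), t.isoformat(), total))
                break  # one alert per host is enough for triage
    return alerts


def correlate(events, egress):
    """Hosts that both exceeded the egress threshold and had their log cleared.
    Either signal alone has benign explanations; together they match the
    steal-then-shred behaviour described in the article."""
    cleared_hosts = {h for h, _, _ in log_clear_alerts(events)}
    return [a for a in bulk_egress_alerts(egress) if a[0] in cleared_hosts]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, SAMPLE_EGRESS):
        print("suspect host:", alert)
```

On the constructed data, `rd-ws-17` trips both checks (about 1.1 GiB out between 14:10 and 21:20, then a log clear at 21:40) while `fileserv-02` trips neither. In practice the egress records would come from a proxy or NetFlow collector and the events from a SIEM; the correlation is the part that keeps the alert volume manageable.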
Symantec believes the group is an organized crime operation with at least two business units: one that does the hacking and has the technical know-how to cover its tracks, and another that tells the hackers whom to target and then takes the stolen information and monetizes it. The attackers appear to be native English speakers, and work during US business hours.
Among its victims--which Symantec did not name--are five additional technology firms (most in the US), three major European pharmaceutical companies, gold and oil commodities firms, and law firms that specialize in the industries Morpho is targeting. In the case of one tech company, the attackers hacked the firm's physical security system, which would have given them a way to track an employee's movements and even spy on them via a video feed, according to Symantec.
Symantec has reported its findings to law enforcement, Thakur says.