Dark Reading

Endpoint

7/8/2015
09:00 AM

Cybercriminal Group Spying On US, European Businesses For Profit

Symantec and Kaspersky Lab spot the 'Morpho' hacking team that hit Apple, Microsoft, Facebook and Twitter expanding its targets to lucrative industries, possibly for illegal trading purposes.

A team of attackers tied to previous hacks of Apple, Facebook, Microsoft, and Twitter has quietly expanded its cyber espionage operation to snooping on and stealing intellectual property from multi-billion dollar firms in the pharmaceutical, software, Internet, oil, and metal mining commodities sectors in the US, Europe, and Canada.

But unlike most cyber espionage groups, this is no nation state-sponsored hacking operation. According to researchers at Symantec who have been investigating the so-called Morpho organization for the past two years, this cyberspying operation appears to be run by an organized crime ring with possible US ties. Some 49 different organizations across 20 nations, most in the US, have been hit by the Morpho group, which mainly has set its sights on the victim organizations' Microsoft Exchange and Lotus Domino email servers to spy on corporate correspondence or possibly insert phony emails.

And unlike China's cyber espionage MO of stealing intellectual property and passing it on to its own companies to manufacture copycat products and technologies, these cyberspies appear to be in the business of making money from a company's R&D or other business moves. "There are two theories, that they are stealing the data for themselves, or selling it to someone else," says Vikram Thakur, principal research manager on Symantec's Security Response team. "But it's more likely that they are using the information to make investments … buying stocks" for financial gain, he says.

One common thread in the attacks at victim organizations who have shared some details on the attacks with Symantec's team is that the Morpho group hit R&D-related computer systems in these firms. Such futuristic intel indeed would be valuable to an investor. "These were being used for research and innovation, forward-looking purposes," Thakur says. "It may not be the only information they got, but this was a common theme among victims."

Morpho's operations are reminiscent of that of the so-called FIN4 hacking group first exposed last year by FireEye. FireEye says FIN4 targets the email accounts of corporate executives and is focused on stealing merger & acquisition information as well as other potentially valuable intel for use in illegal trading. FIN4 doesn't infect victims with malware, but instead steals usernames and passwords to gain access to corporate emails. The SEC reportedly is investigating this activity.

But Morpho and FIN4 are separate operations, Symantec's Thakur says. "Morpho is leaps and bounds ahead on what it's [doing], how it goes after [its targets], and how it covers its tracks," he says.

Cyber espionage traditionally has been the domain of nation-states spying on one another to gather diplomatic or military intelligence or, in the case of China, to pilfer intellectual property to boost its own businesses.

[The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel. Read Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber Espionage.]

Kaspersky Lab today also published a report on Morpho, which it calls "Wild Neutron." According to Kaspersky, the gang also uses a stolen but valid code-signing certificate and a zero-day Flash Player exploit to infect victims.

Costin Raiu, director of Kaspersky's global research and analysis team, says the gang has been active since 2011 and has hit other interesting targets: "The group's targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the "Ansar Al-Mujahideen English Forum") and Bitcoin companies indicates a flexible yet unusual mindset and interests," Raiu says.

Meanwhile, Morpho and FIN4 may be the tip of the iceberg on cyber espionage as a tool for illegal trading purposes. "I think this could probably have been going on for a few years. In the coming months, we are bound to see more threats uncovered that fall into the same bucket," Symantec's Thakur says.

"It's like a Stuxnet moment," revealing yet another way hacking is used for high-stakes gains, according to Thakur.

How Morpho Morphed

Symantec's Thakur says his team noticed a relationship between the malware used in the 2013 wave of attacks on Apple, Facebook, Microsoft, and Twitter, and some malware that dated back to March 2012. "The malware used in 2013 was the same as the malware in 2012. We could see [Morpho] literally only had one infection at one point in time" then, Thakur says.

But Morpho morphed its operations such that it infects more than one victim at a time. Even so, its malware hasn't changed much, mainly because the attacks are relatively fast and furious: "They are in a victim's machine a very short amount of time. In less than 12 hours, they stole one gig of data, and used shredding tools" to hide their tracks in one case, Thakur says.

The attacks on Apple and the other big-name tech companies used a Mac OS X backdoor (OSX.Pintsized) and a Windows backdoor (Backdoor.Jiripbot). Although Morpho has only lightly tweaked that malware since, it has added a trove of other hacking tools (also custom-made and grouped under the family name Hacktool), including its own version of OpenSSH called "Hacktool.Securetunnel" that sends the victim machine the command & control server's address and port for communication; a tool that appears to locate vulnerable printer, HTTP, or other servers on the network; a proxy connection tool; and the so-called "Hacktool.Multipurpose" that can edit event logs to cover its tracks, grab passwords, and delete and encrypt files.

But like most cyber espionage campaigns, Morpho uses watering-hole attacks to snap up victims, and has used a couple of zero-day attacks. "We see that kind of thing very often … Where they are very good is in their opsec," Thakur says. They steal, shred, and get out of the victim's machine quickly, and the C&C uses multiple layers before connecting to the victim's machine. "So this group knows how to cover their tracks," he says.

Symantec believes the group is an organized crime operation with at least two business units: one that does the hacking and has the technical know-how to cover its tracks, and another that tells the hackers whom to target and then takes the stolen information and monetizes it. The attackers appear to be native English speakers and work during US business hours.

Among its victims--which Symantec did not name--are five additional technology firms (most in the US), three major European pharmaceutical companies, gold and oil commodities firms, and law firms that specialize in the industries Morpho is targeting. In the case of one tech company, the attackers hacked the firm's physical security system, which would have given them a way to track an employee's movements and even spy on them via a video feed, according to Symantec.

Symantec has reported its findings to law enforcement, Thakur says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

MastroMastro, User Rank: Apprentice, 7/8/2015 | 3:00:02 PM
Trends
It's very interesting to see what sound like contractors and traders deploying methods typically associated with state-backed threats for financial gain. One minor correction though - the group FIN4 do use malware, and there is a recent report on it titled "UnFIN4ished Business" -> pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html