Cybercriminal Group Spying On US, European Businesses For Profit
Symantec, Kaspersky Lab spot Morpho hacking team that hit Apple, Microsoft, Facebook and Twitter expanding its targets to lucrative industries for possible illegal trading purposes.
A team of attackers tied to previous hacks of Apple, Facebook, Microsoft, and Twitter has quietly expanded its cyber espionage operation to snooping on and stealing intellectual property from multi-billion-dollar firms in the pharmaceutical, software, Internet, oil, and metal mining commodities sectors in the US, Europe, and Canada.
But unlike most cyber espionage groups, this is no nation-state-sponsored hacking operation. According to researchers at Symantec who have been investigating the so-called Morpho organization for the past two years, this cyberspying operation appears to be run by an organized crime ring with possible US ties. Some 49 different organizations across 20 nations, most in the US, have been hit by the Morpho group, which mainly has set its sights on the victim organizations' Microsoft Exchange and Lotus Domino email servers to spy on corporate correspondence or possibly insert phony emails.
And unlike China's cyber espionage MO of stealing intellectual property to then pass on to its own companies to manufacture copycat products and technologies, these cyberspies appear to be in the business to make money based on a company's R&D or other business moves. "There are two theories, that they are stealing the data for themselves, or selling it to someone else," says Vikram Thakur, principal research manager on Symantec's Security Response team. "But it's more likely that they are using the information to make investments … buying stocks for financial gain," he says.
One common thread in the attacks at victim organizations that have shared some details with Symantec's team is that the Morpho group hit R&D-related computer systems in these firms. Such forward-looking intel indeed would be valuable to an investor. "These were being used for research and innovation, forward-looking purposes," Thakur says. "It may not be the only information they got, but this was a common theme among victims."
Morpho's operations are reminiscent of those of the so-called FIN4 hacking group first exposed last year by FireEye. FireEye says FIN4 targets the email accounts of corporate executives and is focused on stealing merger & acquisition information as well as other potentially valuable intel for use in illegal trading. FIN4 doesn't infect victims with malware, but instead steals usernames and passwords to gain access to corporate emails. The SEC reportedly is investigating this activity.
But Morpho and FIN4 are separate operations, Symantec's Thakur says. "Morpho is leaps and bounds ahead on what it's [doing], how it goes after [its targets], and how it covers its tracks," he says.
Cyber espionage traditionally has been the domain of nation-states spying on one another to gather diplomatic or military intelligence, or, in the case of China, to pilfer intellectual property to boost its own businesses.
[The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel. Read "Houston Astros Breach A Wake-Up Call On Industrial Cyber Espionage."]
Kaspersky Lab today also published a report on Morpho, which it calls Wild Neutron. According to Kaspersky, the gang also uses a stolen valid code-signing certificate and a zero-day Flash Player exploit to infect victims.
Costin Raiu, director of Kaspersky's global research and analysis team, says the gang has been active since 2011 and has hit other interesting targets. "The group's targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the Ansar Al-Mujahideen English Forum) and Bitcoin companies indicates a flexible yet unusual mindset and interests," Raiu says.
Meanwhile, Morpho and FIN4 may be the tip of the iceberg on cyber espionage as a tool for illegal trading purposes. "I think this could probably have been going on for a few years. In the coming months, we are bound to see more threats uncovered that fall into the same bucket," Symantec's Thakur says.
"It's like a Stuxnet moment," revealing yet another way hacking is used for high-stakes gains, according to Thakur.
How Morpho Morphed
Symantec's Thakur says his team noticed a relationship between the malware used in the 2013 wave of attacks on Apple, Facebook, Microsoft, and Twitter, and some malware that dated back to March 2012. "The malware used in 2013 was the same as the malware in 2012. We could see [Morpho] literally only had one infection at one point in time then," Thakur says.
But Morpho morphed its operations such that it now infects more than one victim at a time. Even so, its malware hasn't changed much, mainly because the attacks are relatively fast and furious: "They are in a victim's machine a very short amount of time. In less than 12 hours, they stole one gig of data, and used shredding tools to hide their tracks in one case," Thakur says.
The attacks on Apple and the other big-name tech companies used a Mac OS X backdoor (OSX.Pintsized) and a Windows backdoor (Backdoor.Jiripbot). Although Morpho has mostly only tweaked that malware, it has since added a trove of other hacking tools (also custom-made, under the Hacktool family name), including its own version of OpenSSH, called Hacktool.Securetunnel, that sends the victim machine the command-and-control server's address and port for communication; a tool that appears to locate vulnerable printer, HTTP, or other servers on the network; a proxy connection tool; and the so-called Hacktool.Multipurpose, which can edit event logs to cover its tracks, grab passwords, and delete and encrypt files.
Like most cyber espionage campaigns, Morpho uses watering-hole attacks to snap up victims, and it has used a couple of zero-day attacks. "We see that kind of thing very often … Where they are very good is in their opsec," Thakur says. "They steal, shred, and get out of the victim's machine quickly, and the C&C uses multiple layers before connecting to the victim's machine. So this group knows how to cover their tracks," he says.
Symantec believes the group is an organized crime operation with at least two business units: one that does the hacking and has the technical know-how to cover its tracks, and another that tells the hackers whom to target and then takes the stolen information and monetizes it. The attackers appear to be native English speakers and work during US business hours.
Among its victims--which Symantec did not name--are five additional technology firms (most in the US), three major European pharmaceutical companies, gold and oil commodities firms, and law firms that specialize in the industries Morpho is targeting. In the case of one tech company, the attackers hacked the firm's physical security system, which would have given them a way to track an employee's movements and even spy on them via a video feed, according to Symantec.
Symantec has reported its findings to law enforcement, Thakur says.