Hacker group that hit Twitter, Facebook, Apple and Microsoft intensifies attacks

The group has been stealing confidential information from large companies worldwide for the past three years

The hackers that targeted Twitter, Facebook, Apple and Microsoft developers two years ago have escalated their economic espionage efforts as they seek confidential business information and intellectual property they can profit from.

The group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.

After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity. However, its attacks resumed in 2014 and have since intensified, according to separate reports released Wednesday by Kaspersky Lab and Symantec.

Symantec has identified 49 different organizations in over 20 countries that have fallen victim to the Morpho group since 2012. The majority of them were from the technology, pharmaceutical, commodities and legal sectors and were based in the U.S., Canada or Europe.

Kaspersky identified additional companies compromised by the group that are involved in Bitcoin cryptocurrency, investments, healthcare, real estate, merger and acquisition deals, as well as individual users.

The absence of government or diplomatic corps victims and other details led researchers from the two security vendors to the conclusion that the Morpho group is most likely not sponsored by a nation state. Instead, it's probably a highly sophisticated cybercrime gang that knows how to exploit the business information it obtains for financial gain, for example by selling it to the highest bidder or by profiting from it on the financial markets.

The group has used at least two zero-day exploits so far, one for Flash Player and one for Java, and also had access to a digital certificate stolen from Taiwanese electronics manufacturer Acer that it used to sign its malware programs. This suggests that the attackers have access to high-value intrusion tools and techniques.

When it targeted developers from technology and Internet companies in 2013 the group launched its attack from a compromised iOS development forum using a Java zero-day exploit. This technique of compromising a website that's visited by multiple intended targets is called a watering hole attack.

That same year the Morpho group used the same method with multiple discussion forums, including expatforum.com, forum.samdroid.net, emiratesmac,com, mygsmindia.com, and a Jihadist discussion board that's now closed, researchers from Kaspersky said in a blog post. The attack vector for the 2014 and 2015 attacks is not yet known, but there are clear indications that a Web-based exploit kit with a zero-day Flash Player exploit was used, they said.

If successful, these Web-based exploits install a custom computer backdoor developed by the group that has versions for Windows and Mac OS X. The attackers then use additional custom hacking tools to move laterally through the network and compromise additional computers, servers and other devices.

According to Symantec's researchers, the Morpho attackers often target regional offices of their intended victims and then move through their internal networks to access their additional locations and headquarters.

The attackers appear to be well informed about the companies they attack and the information they're searching for.

"In many attacks, the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and, possibly use them to send counterfeit emails," the Symantec researchers said in a blog post. "The group has also attacked enterprise content management systems, which would often be home to legal and policy documents, financial records, product descriptions and training documents."

In one case, the attackers compromised a Physical Security Information Management (PSIM) system, gaining access to door locks and CCTV camera feeds.

It's not clear where the group is based. According to Symantec, some, if not all of the group's members are fluent in English, which is evident from the malware's code. However, Kaspersky also found one string in Romanian and one in Russian in the command-and-control procedures.

Peaks of activity were observed on the malware's command-and-control servers that correspond with U.S. typical working hours. This could mean that some attackers are based in the U.S., but could also be because the majority of victims are from the U.S. and Canada, forcing attackers to work during that time interval.

"Morpho is a disciplined, technically capable group with a high level of operational security," the Symantec researchers said. "Having managed to increase its level of activity over the past three years whilst maintaining a low profile, the group poses a threat that ought to be taken seriously by corporations."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityMicrosoftmalwareFacebookAppletwitterdata breachsymantecintrusionkaspersky labExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?