
Financially Motivated Espionage Group Targets Multi-Billion Dollar Firms

Researchers Analyze the Activities of the Group That Targeted Microsoft, Apple, Twitter and Facebook 

Researchers have analyzed the activities of a financially motivated corporate espionage group that has targeted a large number of high-profile organizations around the world.

Known as “Morpho” and “Wild Neutron,” the group has been active since at least 2011, according to a report published on Wednesday by Kaspersky Lab. The threat actor is best known for the 2013 attacks on Apple, Microsoft, Twitter and Facebook.

The attackers breached these companies with the aid of hacked forums that served as watering holes, Java zero-day exploits, and Windows/Mac OS X backdoors. After penetrating the systems of these tech giants, the group went silent for nearly a year.

The cybercrooks resumed their activities in late 2013 and early 2014 and have since targeted numerous organizations, including law firms, Bitcoin companies, real estate companies, investment companies, individual users, and organizations in the IT and healthcare sectors, said Kaspersky.

Kaspersky’s investigation revealed victims in 11 countries, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States.

“The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons,” Kaspersky researchers wrote in their report.

Symantec has also analyzed this threat actor’s activities. The security firm says it has observed a total of 49 victims spread across 20 countries since March 2012, when it started monitoring the group. Most of these victims are located in the United States, Europe and Canada.


According to Symantec, the attackers have targeted five large tech firms in addition to Apple, Microsoft, Twitter and Facebook. They have also attacked three major pharmaceutical firms in Europe, and organizations in the commodities sector.

The group has targeted email servers, enterprise content management systems, and specialist systems such as Physical Security Information Management (PSIM) platforms.

“Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Morpho is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Morpho is unaffiliated to any nation state,” Symantec said.

The threat group leverages several tools to carry out its activities, including internally developed malware and open source applications. Its main tools are two backdoor Trojans, detected by security firms as Pintsized (the OS X variant) and Jripbot (the Windows variant).

According to Kaspersky, the cybercriminals appear to be leveraging an unknown Flash Player exploit in their attacks. Another interesting aspect is the use of stolen Acer Incorporated digital certificates for signing malware droppers.
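The stolen-certificate detail above has a practical consequence for defenders: a dropper signed with a legitimately issued but stolen certificate passes a naive "is it signed?" check. The following is an added example written for this page (it is not Kaspersky's, Symantec's or Acer's tooling, and it does not parse real PE files); it shows how a scanner that has already extracted Authenticode signer metadata can classify binaries against a watchlist of distrusted certificate thumbprints. Every thumbprint, file name and revocation date in it is a constructed placeholder.

```python
"""Classify signed binaries against a watchlist of stolen code-signing certs.

Added example for this page; not vendor code. The signer records are assumed
to come from an existing extraction step (e.g. a PE/Authenticode parser) and
are constructed here inline. Thumbprints and dates are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SignatureInfo:
    """Signer metadata as a scanner would extract it from a signed binary."""
    path: str
    signer_subject: str
    cert_thumbprint: str      # hex thumbprint of the leaf signing certificate
    signing_time: datetime    # time asserted by the trusted timestamp countersignature


# Hypothetical watchlist: thumbprint -> moment the issuer revoked the certificate.
# The thumbprint is a constructed placeholder, not any real Acer certificate.
STOLEN_CERTS = {
    "PLACEHOLDER-THUMBPRINT-STOLEN-OEM-CERT": datetime(2015, 6, 1, tzinfo=timezone.utc),
}


def classify(sig: SignatureInfo, watchlist=STOLEN_CERTS) -> str:
    """Return a verdict string for one signed binary.

    'signed-after-revocation': standard chain validation already rejects it.
    'timestamped-before-revocation': a timestamped signature made before the
        revocation date still validates under normal rules, so the watchlist
        must be consulted explicitly to catch it.
    """
    revoked_at = watchlist.get(sig.cert_thumbprint)
    if revoked_at is None:
        return "not-on-watchlist"
    if sig.signing_time >= revoked_at:
        return "signed-after-revocation"
    return "timestamped-before-revocation"


def scan(records, watchlist=STOLEN_CERTS):
    """Classify every record; returns a list of (path, verdict) tuples."""
    return [(r.path, classify(r, watchlist)) for r in records]


def flagged_paths(records, watchlist=STOLEN_CERTS):
    """Paths whose signing certificate is on the watchlist, whatever the timing."""
    return [p for p, v in scan(records, watchlist) if v != "not-on-watchlist"]


# Constructed sample input: one benign vendor binary, one dropper timestamped
# before the certificate was revoked, one signed after revocation.
SAMPLE_RECORDS = [
    SignatureInfo("C:/Program Files/Vendor/tool.exe", "CN=Example Vendor",
                  "PLACEHOLDER-THUMBPRINT-LEGIT", datetime(2015, 1, 10, tzinfo=timezone.utc)),
    SignatureInfo("C:/Users/u/Downloads/update.exe", "CN=Example OEM",
                  "PLACEHOLDER-THUMBPRINT-STOLEN-OEM-CERT", datetime(2015, 5, 20, tzinfo=timezone.utc)),
    SignatureInfo("C:/Users/u/Downloads/setup.exe", "CN=Example OEM",
                  "PLACEHOLDER-THUMBPRINT-STOLEN-OEM-CERT", datetime(2015, 7, 2, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_RECORDS):
        print(f"{verdict:32} {path}")
```

The point of the middle verdict is the one practitioners most often miss: Authenticode treats a timestamped signature as valid if the certificate was valid at signing time, so revoking a stolen certificate does not by itself invalidate droppers signed before the revocation date. Either the issuer sets the revocation's effective date back to the compromise, or the defender distrusts the thumbprint outright, as this check does.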

Attribution is a difficult task, but Symantec has pointed out that the malware used by the group is documented in fluent English, and at least some members seem to have knowledge of English-speaking pop culture.

Kaspersky is providing detailed attribution data only to its Intelligence Services customers. However, the company has revealed that it has identified a Romanian language string in some of the malware samples it has analyzed. Researchers have also identified a string that is the Latin transcription of a Russian word.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
