Financially Motivated Espionage Group Targets Multi-Billion Dollar Firms

Researchers Analyze the Activities of the Group That Targeted Microsoft, Apple, Twitter and Facebook 

Researchers have analyzed the activities of a financially motivated corporate espionage group that has targeted a large number of high profile organizations from all across the world.

Known as “Morpho” and “Wild Neutron,” the group has been active since at least 2011, according to a report published on Wednesday by Kaspersky Lab. The threat actor is best known for the 2013 attacks on Apple, Microsoft, Twitter and Facebook.

The attackers breached these companies with the aid of hacked forums that served as watering holes, Java zero-day exploits, and Windows/Mac OS X backdoors. After penetrating the systems of these tech giants, the group went silent for nearly a year.

The cybercroooks picked up their activities in late 2013 and early 2014 and they have since targeted numerous organizations, including law firms, Bitcoin companies, real estate companies, investment companies, individual users, and organizations in the IT and healthcare sectors, said Kaspersky.

Kaspersky’s investigation revealed victims in 11 countries, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States.

“The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons,” Kaspersky researchers wrote in their report.

Symantec has also analyzed this threat actor’s activities. The security firm says it has observed a total of 49 victims spread across 20 countries since March 2012 when it started monitoring the group. Most of these victims are located in the United States, Europe and Canada.

According to Symantec, the attackers have targeted five large tech firms in addition to Apple, Microsoft, Twitter and Facebook. They have also attacked three major pharmaceutical firms in Europe, and organizations in the commodities sector.

The group has targeted email servers, enterprise content management systems, and specialist systems such as Physical Security Information Management (PSIM) platforms.

“Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Morpho is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Morpho is unaffiliated to any nation state,” Symantec said.

The threat group leverages several tools to carry out its activities, including internally developed malware and open source applications. Their main tools are two backdoor Trojans, detected by security firms as Pintsized (the variant for OS X) and Jripbot (the variant for Windows).

According to Kaspersky, the cybercriminals appear to be leveraging an unknown Flash Player exploit in their attacks. Another interesting aspect is the use of stolen Acer Incorporated digital certificates for signing malware droppers.

Attribution is a difficult task, but Symantec has pointed out that the malware used by the group is documented in fluent English, and at least some members seem to have knowledge of English-speaking pop culture.

Kaspersky is providing detailed attribution data only to its Intelligence Services customers. However, the company has revealed that it has identified a Romanian language string in some of the malware samples it has analyzed. Researchers have also identified a string that is the Latin transcription of a Russian word.