SecurityWeek

Financially Motivated Espionage Group Targets Multi-Billion Dollar Firms

Researchers Analyze the Activities of the Group That Targeted Microsoft, Apple, Twitter and Facebook 

Researchers have analyzed the activities of a financially motivated corporate espionage group that has targeted a large number of high-profile organizations across the world.

Known as “Morpho” and “Wild Neutron,” the group has been active since at least 2011, according to a report published on Wednesday by Kaspersky Lab. The threat actor is best known for the 2013 attacks on Apple, Microsoft, Twitter and Facebook.

The attackers breached these companies with the aid of hacked forums that served as watering holes, Java zero-day exploits, and Windows/Mac OS X backdoors. After penetrating the systems of these tech giants, the group went silent for nearly a year.

The cybercrooks resumed their activities in late 2013 and early 2014 and have since targeted numerous organizations, including law firms, Bitcoin companies, real estate companies, investment companies, individual users, and organizations in the IT and healthcare sectors, said Kaspersky.

Kaspersky’s investigation revealed victims in 11 countries, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States.

“The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons,” Kaspersky researchers wrote in their report.

Symantec has also analyzed this threat actor’s activities. The security firm says it has observed a total of 49 victims spread across 20 countries since March 2012, when it started monitoring the group. Most of these victims are located in the United States, Europe and Canada.

According to Symantec, the attackers have targeted five large tech firms in addition to Apple, Microsoft, Twitter and Facebook. They have also attacked three major pharmaceutical firms in Europe, and organizations in the commodities sector.

The group has targeted email servers, enterprise content management systems, and specialist systems such as Physical Security Information Management (PSIM) platforms.

“Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Morpho is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Morpho is unaffiliated to any nation state,” Symantec said.

The threat group leverages several tools to carry out its activities, including internally developed malware and open source applications. Its main tools are two backdoor Trojans, detected by security firms as Pintsized (the OS X variant) and Jripbot (the Windows variant).

According to Kaspersky, the cybercriminals appear to be leveraging an unknown Flash Player exploit in their attacks. Another interesting aspect is the use of stolen Acer Incorporated digital certificates for signing malware droppers.

Attribution is a difficult task, but Symantec has pointed out that the malware used by the group is documented in fluent English, and at least some members seem to have knowledge of English-speaking pop culture.

Kaspersky is providing detailed attribution data only to its Intelligence Services customers. However, the company has revealed that it has identified a Romanian language string in some of the malware samples it has analyzed. Researchers have also identified a string that is the Latin transcription of a Russian word.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
