A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. Technology firms such as Twitter, Facebook, Apple and Microsoft are among the companies that have publicly acknowledged attacks, Symantec said in a report.
The gang, which Symantec calls Morpho, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, information technology (IT) software, pharmaceutical and commodities sectors. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organisation, it cleans up after itself before moving on to its next target.
The first signs of Morpho's activities emerged in early 2013, when several major technology and Internet firms were compromised. Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks. The attackers infected victims by compromising a website used by mobile developers and using a Java zero-day exploit to infect them with malware, the report said. Following this flurry of publicity, the Morpho group slipped back into the shadows. However, an investigation by Symantec has found that the group has been active since at least March 2012 and that its attacks have not only continued to the present day but have also increased in number. Symantec has to date discovered 49 different organisations in more than 20 countries that have been attacked by Morpho.
Aside from the four companies that have publicly acknowledged attacks, Symantec has identified five other large technology firms, primarily headquartered in the US, that were compromised by Morpho.
However, technology is not the only sector the group has focused on: Symantec has found evidence that Morpho has attacked three major European pharmaceutical firms. In the first attack, the attackers gained a foothold by first compromising a small European office belonging to one firm and then using that infection to move on to its US office and European headquarters. The same template appeared to be followed in the two subsequent attacks on big pharma firms, with Morpho compromising computers in a number of regional offices before being discovered.
Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Morpho is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading Symantec to believe that Morpho is unaffiliated with any nation state.
The report said: “Management system, which is used for managing and monitoring physical security systems, including swipe card access. This could have provided the attackers with access to CCTV feeds, allowing them to track the movement of people around buildings.”