High-brow Corporate Spies like Morpho may still be active

INDIA: Word is out that a corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property.

The gang, which Symantec calls Morpho, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical and commodities sectors, as an update by Symantec informs. Twitter, Facebook, Apple and Microsoft are among the companies who have publicly acknowledged attacks.

Morpho is explained as technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero day vulnerability in its attacks. After successfully compromising a target organization, it will clean up after itself before moving on to its next target.

This group, as further explained, operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high level corporate information. Morpho may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider trading purposes.A history of ambitious attacks.

The first signs of Morpho’s activities emerged in early 2013 when several major of technology and internet firms were compromised. Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks. The attackers infected victims by compromising a website used by mobile developers and using a Java zero day exploit to infect them with malware.

The malware used in these attacks was a Mac OS X back door known as OSX.Pintsized. Subsequent analysis by security researcher Eric Romang identified a Windows back door,Backdoor.Jiripbot , which was also used in the attacks.

Following this flurry of publicity, the Morpho group slipped back into the shadows. However, an investigation by Symantec has found that the group has been active since at least March 2012 and its attacks have not only continued to the present day, but have also increased in number. Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Morpho. Over time, a picture has emerged of a cybercrime gang systematically targeting large corporations in order to steal confidential data.

Aside from the four companies who have publicly acknowledged attacks, Symantec has identified five other large technology firms compromised by Morpho, primarily headquartered in the US.

However, technology is not the only sector the group has focused on and Symantec has found evidence that Morpho has attacked three major European pharmaceutical firms. In the first attack, the attackers gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters. This template appeared to be followed in the two subsequent attacks on big pharma firms, with Morpho compromising computers in a number of regional offices before being discovered.

Morpho has also shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014. In addition to this, the Central Asian offices of a global law firm were compromised in June 2015. The company specializes in finance and natural resources specific to that region. The latter was one of at least three law firms the group has targeted over the past three years.

Morpho appears to have a good working knowledge of the organizations it is attacking and is focused on stealing specific kinds of information. In many attacks, the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and, possibly use them to send counterfeit emails.

The group has also attacked enterprise content management systems, which would often be home to legal and policy documents, financial records, product descriptions and training documents.

In some instances, the group has zoned in on specialist systems. For example, one attack saw it gain access to a Physical Security Information Management (PSIM) system, which is used for managing and monitoring physical security systems, including swipe card access.

This could have provided the attackers with access to CCTV feeds, allowing them to track the movement of people around buildings. Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Morpho is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Morpho is unaffiliated to any nation state.

The group’s malware is documented in fluent English, indicating that some of the group members, if not all, can speak the language. They also display some knowledge of English-speaking pop culture, such as using the meme AYBABTU (All your base are belong to us) as an encryption key in Backdoor.Jiripbot.

Command and control server activity is highest at times that correspond to the US working day, which may suggest some or all of the group are operating in this region. However, this could also be accounted for by the fact that many of the group’s victims are located in the US.

Morpho may profit from its attacks in a number of ways. The group may be operating as “hackers for hire”, targeting corporations on request. Alternatively, it may select its own targets and either sell stolen information to the highest bidder or use it for insider trading purposes.