
High-profile Hackers are Independent Groups Targeting Corporate Secrets for

According to new research from Symantec Corp., the largest U.S. security software vendor, the group, which Symantec tracks as Morpho, appears to be one of the few to display significant technical skill without the backing of a national government.


American companies have so far been Morpho's most frequent victims, with at least 17 companies attacked in the U.S., while 12 European and four Canadian companies have also been targeted.

Vikram Thakur, a senior manager at Symantec, said that several such groups are being tracked and their methods analysed.

The group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.

Another such group, FIN4, is known to have less technical skill, but it uses its knowledge of the investment banking world and strong social engineering to harvest email credentials and uncover material financial information.

Morpho used a “watering hole” approach: it compromised websites likely to be visited by employees of its targets, so that those visitors were infected when they browsed the site. The group has been known to target iPhone developers as well as the pharmaceutical and aviation industries.

Initially, China was suspected of being behind these attacks. Apple, for its part, stated that no data was stolen from its systems in the breach.

After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were widely publicised, the Morpho group slipped back into the shadows and temporarily halted its activity. Its use of encryption to conceal where stolen information is stored also makes the job of law enforcement more difficult.

On its blog, Symantec explains: “Morpho is a disciplined, technically capable group with a high level of operational security.” By Symantec's count, roughly a third of the attacks were on companies based in the U.S., with Europe and Canada second and third.

Thakur adds that the Morpho group has around 10 members, some of whom have a good command of English, and one of whom may even have worked at an intelligence agency.

The Federal Bureau of Investigation declined to comment when asked by Reuters, and the technology companies involved also declined to discuss the research or its implications. Symantec is aware of 49 organisations that have been breached by Morpho since 2012, with the number rising each year.


Symantec also noted that Morpho has since built an arsenal of custom hacking tools, including Securetunnel, Bannerjack and Eventlog. Respectively, these send command-and-control (C2) server details to infected computers, retrieve the default banners returned by Telnet, HTTP and generic TCP servers, and parse event logs on behalf of the attackers.
