Spy gang that compromised U.S. tech giants still active years later

The group, Morpho, continues its corporate espionage activities, and has been linked to the 2013 attacks on Apple, Microsoft, Facebook and Twitter.

Researchers believe that a cyberespionage group, linked to highly-publicized attacks on U.S. tech firms in 2013, has remained active since those incidents and has impacted 49 organizations in more than 20 countries throughout its operation.

Ongoing attacks by the group, known as Morpho, were detailed by security firm Symantec in a white paper (PDF) and Wednesday blog post. According to the company, the gang's activities appear to be financially motivated, as opposed to actions by a state-sponsored attack group, though Morpho is “technically proficient and well resourced," the firm pointed out.

In fact, since the high-profile attacks on Facebook, Apple, Microsoft and Twitter in 2013, five other large U.S.-based technology companies have been compromised by the group, Symantec revealed. In addition, analysts linked attacks on three major European pharmaceutical firms to the group.

Between 2012 and 2015, the primary industries targeted by Morpho were the technology, legal, pharmaceutical and commodities sectors; the most recent attack observed, in June, hit the Central Asian offices of an unnamed "global law firm." The Morpho gang's primary tools are still the two backdoors used in the 2013 attacks on the tech giants: OSX.Pintsized, targeting Mac computers, and Backdoor.Jiripbot, infecting Windows machines.

Symantec noted, however, that Morpho has since developed an arsenal of custom hacking tools: Securetunnel, which sends C2 server information to infected computers; Bannerjack, which retrieves the default messages (banners) issued by Telnet, HTTP and generic TCP servers; and Eventlog, which parses event logs for the attackers. Another tool, Proxy.A, "is used to create a proxy connection that will allow attackers to route traffic through an intermediary node, onto their destination node," the blog post explained.

In Wednesday email correspondence with SCMagazine.com, a Symantec spokeswoman said that, while major U.S. companies are under attack all the time, the research team found that “Morpho's technical sophistication is something rarely seen in cybercrime groups.”
