Researchers believe that a cyberespionage group, linked to highly-publicized attacks on U.S. tech firms in 2013, has remained active since those incidents and has impacted 49 organizations in more than 20 countries throughout its operation.
Ongoing attacks by the group, known as Morpho, were detailed by security firm Symantec in a white paper (PDF) and Wednesday blog post. According to the company, the gang's activities appear to be financially motivated, as opposed to actions by a state-sponsored attack group, though Morpho is “technically proficient and well resourced," the firm pointed out.
In fact, since the high-profile attacks on Facebook, Apple, Microsoft and Twitter in 2013, five other large, technology companies based in the U.S. have been compromised by the group, Symantec revealed. In addition, analysts observed attacks on three, major European pharmaceutical firms, linked to the group.
Between 2012 and 2015, the primary industries targeted by Morpho were the technology, legal, pharmaceutical and commodities sectors, with the most recent attack seen against the Central Asian offices of an unnamed “global law firm” hit in June. The Morpho gang's primary tools still consist of two backdoors used in the 2013 attacks on tech giants: OSX.Pintsized targeting Mac computers and Backdoor.Jiripbot infecting Windows machines.
Symantec noted, however, that Morpho has since developed an arsenal of custom hacking tools, called Securetunnel, Bannerjack and Eventlog, which, respectively send C2 server information to infected computers; retrieve default messages issued by Telnet, HTTP and generic TCP servers; and parse event logs for attackers. Another tool called Proxy.A “is used to create a proxy connection that will allow attackers to route traffic through an intermediary node, onto their destination mode,” the blog post explained.
In Wednesday email correspondence with SCMagazine.com, a Symantec spokeswoman said that, while major U.S. companies are under attack all the time, the research team found that “Morpho's technical sophistication is something rarely seen in cybercrime groups.”
“[The team has] observed fewer than five groups that operate at this level – particularly those that are independently run. Morpho operates near the level of many sophisticated nation-state attackers," the spokeswoman said.
The firm added in its blog post that Morpho, potentially a for-hire hacking group or one offering stolen data to the “highest bidder,” may be U.S.-based. Morpho's malware was “documented in fluent English,” and C2 server activity was highest during U.S. working hours, researchers said. Still, the latter finding "could also be accounted for by the fact that many of the group's victims are located in the U.S,” the blog post noted.
Of the 49 organizations attacked by Morpho since 2012, the majority were located in the U.S., throughout Europe and in Canada, Symantec found.
On Wednesday, Kaspersky also published separate findings on Morpho, which it calls “Wild Neutron.' It too attributed the 2013 attacks against Apple, Facebook, Twitter and Microsoft to the group, noting that the gang leveraged a Java zero-day exploit along with watering hole attacks (hacking forums visited by victims) to spread their malware.
The firm said in its blog that “compared to other APT groups, Wild Neutron is one of the most unusual ones we've analyzed and tracked.”
“Active since 2011, the group has been using at least one zero-day exploit, custom malware and tools, and managed to keep a relatively solid opsec which so far eluded most attribution efforts,” Kaspersky said.