pixel_dreams - Fotolia

Symantec uncovers Morpho cyber espionage operation

A cyber espionage group has targeted high-profile technology, internet, commodities and pharmaceutical companies in the US, Europe and Canada, reports Symantec

Symantec has uncovered a new corporate espionage group, dubbed Morpho, that has compromised a string of major corporations in recent years.

Targets include high-profile technology, internet, commodities and pharmaceutical companies located or headquartered in the US, Europe and Canada.

Technology firms targeted by the Morpho espionage group for confidential information and intellectual property (IP) include Facebook, Twitter, Microsoft and Apple.

According to a Symantec report, Morpho is an independent group that operates at a much higher level than the average cyber crime gang.

Investigators said the group’s members are technically proficient, well-resourced and financially motivated.

Indications are that the group is selling information to the highest bidder or may be operating as hackers for hire. The report said stolen information could also be used for insider trading purposes.

It added that Morpho’s capabilities mirror some of the most advanced nation-state attackers and attacks have exploited at least one zero-day vulnerability, but Symantec believes it is run by fewer than 10 people.

Morpho developed a custom suite of malware, and little to no trace of its presence is left after an attack, allowing the group to keep a low profile.

But according to Symantec, the first signs of Morpho’s activities emerged in 2013, when several major technology and internet firms were compromised.

Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks that infected targets using a Java zero-day exploit through a compromised website popular with mobile developers.

The malware used in these attacks was a Mac OS X back door known as OSX.Pintsized. Subsequent analysis by security researcher Eric Romang identified a Windows back door, Backdoor.Jiripbot, which was also used in the attacks.

Following this flurry of publicity, the Morpho group slipped back into the shadows. However, an investigation by Symantec has revealed that the group has been active since at least March 2012 and its attacks have not only continued to the present day, but have also increased in number.

Read more about cyber espionage

Symantec has to date discovered 49 different organisations in more than 20 countries that have been attacked by Morpho. Over time, a picture has emerged of a cyber crime gang systematically targeting large corporations to steal confidential data.

In addition to the four large technology companies that have acknowledged attacks, Symantec has identified five others compromised by Morpho, mainly headquartered in the US.

Investigators also found that Morpho has attacked three major European pharmaceutical firms. In the first attack, the attackers gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters.

This attack method appears to have been used in the two subsequent attacks on big pharma firms, with Morpho compromising computers in a number of regional offices before being discovered.

Morpho has also shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014. In addition to this, the central Asian offices of a global law firm were compromised in June 2015.

Morpho appears to have a good working knowledge of the organisations it is attacking and is focused on stealing specific kinds of information.

In many attacks, the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers to intercept company emails and possibly use them to send counterfeit emails.

The group has also attacked enterprise content management systems, which would often be home to legal and policy documents, financial records, product descriptions and training documents.

In some instances, the group has zoned in on specialist systems. For example, one attack saw it gain access to a physical security information management (PSIM) system, which is used for managing and monitoring physical security systems, including swipe card access. This could have provided the attackers with access to CCTV feeds, allowing them to track the movement of people around buildings.

Malware tools

According to the report, Morpho has a number of malware tools at its disposal, all of which appear to be internally developed. Each tool is well documented, indicating that a group rather than an individual is responsible for the attacks.

Its primary tools are two back door-type Trojans. OSX.Pintsized is capable of opening a back door on Mac OS X computers. Its Windows counterpart is Backdoor.Jiripbot, which has shown signs of continuous development over the past two years.

Morpho has also developed a number of its own hacking tools. Hacktool.Securetunnel is a modified version of OpenSSH which contains additional code to pass a command and control server address, and port to a compromised computer.

Hacktool.Bannerjack, meanwhile, is used to retrieve default messages issued by Telnet, HTTP, and generic TCP servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers and any other generic TCP server.

Morpho uses Hacktool.Multipurpose to help it move across a compromised networking by editing event logs to hide activity, dumping passwords, securely deleting files, encrypting files, and carrying out basic network enumeration.

The group uses Hacktool.Eventlog to parse event logs, dumping out ones of interest and also deleting entries. It will also kill processes and perform a secure self-delete. Hacktool.Proxy.A is used to create a proxy connection that will allow attackers to route traffic through an intermediary node, onto their destination node.

According to Symantec, Morpho is a disciplined, technically capable group with a high level of operational security. The group has managed to increase its level of activity over the past three years while maintaining a low profile.

Symantec said the group poses a threat that ought to be taken seriously by corporations. 

Prior to Morpho, the report said most documented cyber espionage attacks had been conducted against politically sensitive entities such as embassies, government ministries, central banks, dissidents, militaries and associated defence contractors.

“Morpho is a timely reminder to organisations that was well as defending against state-sponsored attacks, they need to be aware of the potential threat of corporate espionage,” the report said.

Read more on Hackers and cybercrime prevention

Data Center
Data Management