Oil, Pharma Firms Spying Victims

Monday, July 13, 2015 @ 03:07 PM gHale

Oil, pharmaceutical, metal mining, software, and Internet-centric multi-billion dollar companies are now the focus of a team of hackers looking to spy on and steal any and all intellectual property, researchers said.

The group, originally tied to attacks on Apple, Facebook, Microsoft, and Twitter, has expanded its cyber espionage operation. It mainly focuses on companies in the U.S., Europe, and Canada.


But unlike most cyber espionage groups, this is not a nation state-sponsored operation, according to researchers at Symantec who have been investigating the Morpho organization for the past two years.

This appears to be an organized crime ring with possible U.S. ties. Research found that 49 different organizations across 20 countries, most of them in the U.S., were hit by the Morpho group, which focuses on Microsoft Exchange and Lotus Domino email servers to spy on corporate correspondence or possibly insert phony emails.

Unlike China, which steals intellectual property and passes it to its own companies to manufacture copycat products and technologies, these spies appear to be in the business of making money from a company’s R&D or other business moves.

“There are two theories: that they are stealing the data for themselves, or selling it to someone else,” said Vikram Thakur, principal research manager on Symantec’s Security Response team. “But it’s more likely that they are using the information to make investments … buying stocks” for financial gain, he said.

One common thread among the victim organizations that have shared details of the attacks with Symantec’s team is that the Morpho group hit R&D-related computer systems at these firms. Such forward-looking intelligence would indeed be valuable to an investor.

Kaspersky Lab also published a report on Morpho, which it calls “Wild Neutron.” According to Kaspersky, the gang uses a stolen, valid code-signing certificate and a zero-day Flash Player exploit to infect victims.

Costin Raiu, director of Kaspersky’s global research and analysis team, said the gang has been active since 2011 and has hit other interesting targets: “The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the ‘Ansar Al-Mujahideen English Forum’) and Bitcoin companies indicates a flexible yet unusual mindset and interests,” Raiu said.

The group has been infecting high-profile companies for several years using a combination of exploits, watering holes, and multi-platform malware, researchers said.

Among its victims, which Symantec did not name, are five additional technology firms (most in the U.S.), three major European pharmaceutical companies, gold and oil commodities firms, and law firms that specialize in the industries Morpho is targeting. In the case of one tech company, the attackers compromised the firm’s physical security system, which would have given them a way to track an employee’s movements and even watch them via a video feed, according to Symantec.