A hacking group that attacked large technology companies such as Facebook, Apple and Microsoft three years ago has resurfaced to target corporate secrets, as SCMagazineUK.com first reported yesterday. However, the motives behind the group remain uncertain.
While most cyber-criminals go after credit card information and databases, as these are easily turned into revenue, the group, known as either Morpho or Wild Neutron, has targeted intellectual property (IP) and high-level corporate data.
First spotted in 2012, the group carried out a spate of attacks in 2013 before going into hiding for a year. Another series of attacks happened in 2014, this time with greater intensity.
The group's modus operandi is to install malware on devices by the highly popular method of exploiting Adobe Flash Player. The malware comes signed with a legitimate security certificate, meaning it can easily bypass security software.
There is no firm knowledge of where the attacks originate, beyond Kaspersky's speculation that there are some links back to crime gangs within Europe.
Dr Guy Bunker of Clearswift told SCMagazineUK.com that one of the biggest challenges in finding the group is working through the obfuscation that the internet allows hackers to create.
“Compromised systems inside reputable companies are often used as a relay for attacks to make it even more difficult to track the attacker,” said Bunker. “Unfortunately, the tools for anonymisation are readily available and include the well-known Tor (The Onion Ring) network.”
According to Dave Ashton of the independent security consultancy Sec-1, the location, members and intent of Wild Neutron are unclear.
“What is known is that they are very knowledgeable and very creative,” he told SC. “The evolution of their malware is exactly what we would see in well organised corporate development teams. It is software development at its best which is increasing the difficulty of creating and managing effective security defences.”
So while the origin of the attacks remains a mystery for now, the gang has targeted a wide range of sectors, mostly, but not limited to, commercial ones.
“The targeting in waterhole-type attacks (attacker observes which websites the group often uses and infects one or more of them with malware to infect the end-user thereby negating the need for other types of intrusion) has typically been for intelligence leading to intellectual property or financial gain,” Gavin Reid, vice president of threat intelligence at Lancope told SC.
“The line between nation state actors and criminal gangs has long been blurry. Nation states use malware and techniques sold in the underground economy. Similarly outsourcing hacking to criminal gangs helps obscure attribution by having separation of actors, intent and source.”
Ashton said that just by looking at the demographics of the known victims, there doesn't appear to be a logical pattern in terms of industry or political orientation.
“What is apparent is that the victims tend to be busy sites such as the Apple Developer Forum that was breached,” he said. “Couple that with the uncovering of password harvesting tools in the payload, and it seems to suggest the objectives are to steal credentials for reuse in other applications such as Facebook, eBay, Amazon, and PayPal for example.”
But why are the cyber-criminals focusing on certain targets? Bunker said there are two primary reasons: money and dislike.
“From a monetary perspective, all information has a value to someone – obtaining it means the attackers can sell it on to competitors or back to the company it came from (ransom). Of course it is not just about cyber-attackers who cause data breach issues, there are also malicious insiders as well as inadvertent breaches created by individuals doing ‘daft’ things, e.g. sending an email to the wrong person.”
He added that the result is the same: information falls into the wrong hands, which has bad consequences for the organisation.