Prolific Apple and Facebook hackers remain a mystery

News by Rene Millman

Motives behind the returning Morpho hacking group, also known as Wild Neutron, are still unclear.

A hacking group that attacked large technology companies, such as Facebook, Apple and Microsoft, three years ago, has resurfaced again to target corporate secrets, as first reported yesterday. However, the motives behind the group remain uncertain.

While most cyber-criminals go after credit card information and databases, as these tend to be easily turned into revenues for criminals, the group, known as either Morpho or Wild Neutron, have targeted intellectual property (IP) and high-level corporate data.

First spotted in 2012, the group carried out a spate of attacks in 2013 before going into hiding for a year. Another series of attacks happened in 2014, this time with greater intensity.

The group's modus operandi is to install malware onto devices using the highly popular method of exploiting Adobe Flash Player, the malware comes signed with a legitimate security certificate, meaning it can easily bypass security software.

There is no firm knowledge of where the attacks are coming from other than speculation from Kaspersky that there are some links back to crime gangs within Europe.

Dr Guy Bunker of Clearswift told that one of biggest challenges of finding the group is working through the obfuscation that the internet allows hackers to create.

“Compromised systems inside reputable companies are often used as a relay for attacks to make it even more difficult to track the attacker,” said Bunker. “Unfortunately, the tools for anonymisation are readily available and include the well-known Tor (The Onion Ring) network.”

According to Dave Ashton, at independent security consultants Sec-1, the location, members and intent of Wild Neutron are unclear.

“What is known is that they are very knowledgeable and very creative,” he told SC. “The evolution of their malware is exactly what we would see in well organised corporate development teams. It is software development at its best which is increasing the difficulty of creating and managing effective security defences.”

So while where the attacks are from remain a mystery at the present time, the gang has targeted a wide range of sectors mostly, but not limited to, commercial ones.

“The targeting in waterhole-type attacks (attacker observes which websites the group often uses and infects one or more of them with malware to infect the end-user thereby negating the need for other types of intrusion) has typically been for intelligence leading to intellectual property or financial gain,” Gavin Reid, vice president of threat intelligence at Lancope told SC.

“The line between nation state actors and criminal gangs has long been blurry. Nation states use malware and techniques sold in the underground economy. Similarly outsourcing hacking to criminal gangs helps obscure attribution by having separation of actors, intent and source.” 

Ashton said that by just looking at demographic of the known victims there doesn't appear to be a logical pattern in terms of industry or political orientation.

“What is apparent is that the victims tend to be busy sites such as the Apple Developer Forum that was breached,” he said. “Couple that with the uncovering of password harvesting tools in the payload it seems to suggest the objectives are to steal credentials for reuse in other applications such as Facebook, eBay, Amazon, and PayPal for example.”

But why are the cyber-criminals focusing on certain targets? Bunker said there are two primary reasons; money and dislike.

“From a monetary perspective, all information has a value to someone – obtaining it means the attackers can see it on to competitors or back to the company it came from (ransom). Of course it is not just about cyber-attackers who cause data breach issues, there are also malicious insiders as well as inadvertent breaches created by individuals doing ‘daft' things, e.g. sending an email to the wrong person.”

He added that the results are the same, information falls into the wrong hands – which has bad consequences for the organisation.

The other reason is dislike, according to Bunker. “I use this rather than extremism, idealism or hate, as these attacks are becoming more common (and they do include the latter as well.)”

Bunker said that some of the larger ones, such as those created by groups such as Wild Neutron do two things, to show that they are better than large corporate IT departments and to embarrass the organisations – by releasing information which may not have any material value (it's not a credit card, or even personally identifiable information), it could just be names.

“Think Sony – and the embarrassment caused by releasing the content of certain emails. Or Snowden and Manning – where this was about idealism and disagreement with what was being done – rather than be an extremist.”

Konrads Smelkovs, a manager in KPMG's cyber-security practice, said the most worrying part of these attacks is the discipline and thoughtfulness of the attackers.

“Use of multiple connection relays, secure deletion and awareness of limits of forensic recovery techniques,” he said. “That said, the toolkit and methods of attacks are not the height of sophistication and are within reach of anyone who can pay for 2-3 experienced software developers for 6 months to develop and refine the tooling.”

Smelkovs expects that within the next 12 to 18 months, similar reports will also come to light.

“Economic/cyber-espionage is here to stay and there are no significant political, legal or technological developments on the horizon that would inhibit operations of such groups. If anything – the relative impunity with which such groups operate show that you can get away with the crime and might increase demand for such services,” he said.

If firms are worried about such attacks, a good starting point is to understand of the threat actors and attack surface, According to Ashton.

“Take a look at your network infrastructure, your client workstations and the training you're giving your staff and ensure that it's in-line with the managing the threats that are out there. In cases of ‘Watering Hole' attacks user awareness is absolutely crucial. If you can ‘prevent the click' you can minimise the chance of infection,” he said.

Smelkovs said that information or assets that are important should be risk-assessed against modern threats with a realistic point of view.

“Answers such as ‘we're fine' or ‘we're 100 per cent secure and only the most sophisticated, state-sponsored hackers can breach us' should be rejected out of hand,” he said. “Finally, investment to bring defences up to an acceptable level should be used where there is the greatest misalignment of valuable information to real-world attacker interest.”

Bunker said there continues to be the strong need for a staff education and awareness program which highlights the risks, helps employees spot potential attacks and most importantly ensure that they know who to contact should they think there is an attack or they have been targeted or their system has been infected with malware.

“The key thing here is not to shoot the messenger, after all even the likes of Kaspersky and RSA have been successfully attacked… and their jobs are security. For the vast majority of people inside an organisation their job is not security, but something far more important – keeping the business running, growing and ultimately creating the value that pays salaries,” said Bunker.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews