Hacking group that targeted Apple, others reportedly operating independently for profit
A hacking group that previously targeted Apple, Twitter and Facebook appears to be operating independently and for the explicit purpose of turning a profit on corporate secrets, according to a Symantec research paper released on Wednesday.

Nicknamed "Morpho," the group has found success in making a small number of surgical strikes, presumably with the goal of selling the data to unscrupulous third parties or exploiting financial markets. It is not currently believed that Morpho has official support from any national government, Symantec said, as quoted by Reuters, although its services could be available on a for-hire basis.
Morpho has allegedly hit at least 49 organizations since 2012, mostly in the U.S., Canada, and Europe. Each year the number of targets has risen, up to 14 by 2015.
The group first gained real attention in early 2013 after attacks on Apple and other major technology companies were exposed. It reportedly used a number of techniques to get past existing safeguards, for instance exploiting a critical, previously unknown (zero-day) Java vulnerability. To go after Apple, Morpho chose a "watering hole" tactic: it compromised a website visited by iPhone developers so that the site itself delivered the exploit to its visitors.
Some suspicion initially fell on China, which is known to regularly use hacker cells to steal corporate secrets and probe U.S. military networks.
While Morpho went dormant after garnering attention from the press, it later returned and has since attacked a number of businesses, such as airlines and pharmaceutical companies, Symantec said. The group is thought to have about ten members, some fluent in English, and possibly one or more with experience at a government intelligence agency.
The surgical nature of Morpho's approach is evidenced by it infecting relatively few computers at a given company, typically those used by research departments. The group is also said to conceal its tracks within a day or two of each incident, and to route its traffic through multiple proxies to obscure its origin. Stolen data is guarded with heavy encryption.
Symantec noted that it made a breakthrough when a backup of a targeted machine was made during a 12-hour window while Morpho hacking tools were still active. Those tools were used as a fingerprint to identify other Morpho attacks. Findings have been passed on to law enforcement agencies in the U.S. and Europe.
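One way to apply the "fingerprint" idea in the paragraph above, as an added example that is not Symantec's tooling and is not described in the report: take the full-file hashes and a shared byte marker from the tools recovered in a backup, then sweep other hosts' filesystems for either. The file names, byte patterns, marker string and the temporary directory tree below are constructed samples, not real Morpho indicators.

```python
"""Turn the tools recovered from one compromised machine into a scan for the rest of the fleet.

Added illustration of the article's "fingerprint" idea; this is not Symantec's
tooling, and the hashes, byte markers and file names below are constructed
samples, not real Morpho indicators.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed stand-ins for the binaries pulled from the victim's backup image.
RECOVERED_TOOLS = {
    "svchost_helper.exe": b"MZ\x90\x00" + b"\x00" * 64 + b"cfg=srv01;mtx=Global\\SAMPLE_MARKER" + b"\x00" * 16,
    "dumper.dll": b"MZ\x90\x00" + b"\x01" * 40 + b"mtx=Global\\SAMPLE_MARKER",
}
# A byte string both tools share (here a made-up mutex name). It survives renaming
# and minor rebuilds that would defeat a pure hash match.
MARKERS = [b"mtx=Global\\SAMPLE_MARKER"]


@dataclass
class Fingerprint:
    sha256: set          # full-file hashes of the recovered tools
    patterns: list       # byte strings seen inside them


def build_fingerprint(recovered_tools: dict, patterns: list) -> Fingerprint:
    """recovered_tools maps filename -> bytes, as extracted from the backup."""
    return Fingerprint(
        sha256={hashlib.sha256(data).hexdigest() for data in recovered_tools.values()},
        patterns=list(patterns),
    )


def scan_tree(root: str, fp: Fingerprint, max_size: int = 50_000_000) -> list:
    """Return [(path, reason)] for every file under root that matches the fingerprint."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue              # skip bulk data; attacker tools are small
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue                  # unreadable or vanished (it is a live box)
            digest = hashlib.sha256(data).hexdigest()
            if digest in fp.sha256:
                hits.append((path, "hash:" + digest[:12]))
                continue                  # exact copy, possibly renamed
            for pat in fp.patterns:
                if pat in data:
                    hits.append((path, "pattern:" + pat.decode("latin-1")))
                    break                 # rebuilt variant sharing a marker
    return hits


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Scan a constructed filesystem and return {basename: match type} for each hit."""
    fp = build_fingerprint(RECOVERED_TOOLS, MARKERS)
    with tempfile.TemporaryDirectory() as root:
        appdata = os.path.join(root, "Users", "dev", "AppData", "Local", "Temp")
        # 1. byte-identical copy under a new name: caught by hash
        _write(os.path.join(appdata, "update.tmp"), RECOVERED_TOOLS["svchost_helper.exe"])
        # 2. rebuilt variant: different bytes and hash, same marker: caught by pattern
        _write(os.path.join(appdata, "loader.bin"), b"MZ\x90\x00" + b"\x02" * 50 + MARKERS[0] + b"\x00" * 5)
        # 3. unrelated file: no match
        _write(os.path.join(root, "Users", "dev", "notes.txt"), b"meeting at 10, bring the slides")
        hits = scan_tree(root, fp)
    return {os.path.basename(path): reason.split(":", 1)[0] for path, reason in hits}


if __name__ == "__main__":
    print(demo())
```

Against a group that reportedly cleans up within a day or two, the sweep is worth running over backup images and not only live disks, which is exactly how the lead in the article surfaced: the backup captured the tools before they were removed.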

Comments
R&D computers shouldn't be accessible from the Internet, or even on other parts of the network. Common sense security measures.
Most company computers connect to the Internet via the company's LAN,
which should be an effective hacking blocker.
To not do so significantly limits productivity.
What exactly is a 'watering hole' tactic? How was Apple affected? Or was it its developers? In either event, what was hacked, stolen, or lost? How do we know these guys are not merely seeking publicity, and the tech media in turn, in its usual uninformed breathless style, isn't handing this publicity to them on a platter?
To learn that Symantec uncovered this is somewhat of a surprise tho'
I'm taking this news with a healthy dose of salt.
R&D computers shouldn't be accessible from the Internet, or even on other parts of the network. Common sense security measures.
That depends on what the company does. R&D departments may work with universities, for example, and thus need to be able to exchange data, etc, so they'd likely have a method through their firewall to do that.
TheWhiteFalcon is correct.
To put it bluntly, internal NeXT and Apple Engineering Servers were never accessible directly, w/o your network mounted account having custom access to only specifically signed off folders mounted on secure servers.
Universities didn't get access to squat but a server that was way down the line from current source code. In fact, we only allowed PR releases [pre-releases] for specific builds and those never were custom builds like what we did for Merrill Lynch, Swiss Bank, etc.
They are referring to the infected forums at the iPhone developer site iphonedevsdk.com, which was allegedly visited by several Apple engineers through whom access to Apple itself was achieved. Apple denied it with a "There is no evidence of an intrusion" statement, which is consistent with the hackers being able to cover their tracks very quickly. Allegedly.
This is the sort of thing that never gets acknowledged, either way. It could be true, complete fiction or somewhere in between.
They are referring to the infected forums at the iPhone developer site iphonedevsdk.com, which was allegedly visited by several Apple engineers through whom access to Apple itself was achieved. Apple denied it with a "There is no evidence of an intrusion" statement, which is consistent with the hackers being able to cover their tracks very quickly. Allegedly.
This is the sort of thing that never gets acknowledged, either way. It could be true, complete fiction or somewhere in between.
There is no covering tracks in a well conceived system (at least the ones I've done :-). Intrusion may go undetected (because something, or probably someone... stupid, happened), but it will leave traces.
To put it in perspective, they are hacking into Apple in hopes of gaining information on what Apple is doing and selling it to Samsung, if in fact they are hacking for profit as the article implies. Next, they are not going to explain the tactic, especially if the threat still exists, and Apple or any other company would not disclose what was taken or breached. The only time they would make a public disclosure is if information which belongs to others was breached, like your personal information and banking information. Beyond this, companies keep their mouths shut.
So, the bottom line is that this could be -- I am not saying it necessarily is -- utter bs, for all we know!
Most company computers connect to the Internet via the company's LAN,
which should be an effective hacking blocker.
To not do so significantly limits productivity.
Your laptop/tablet or whatever you use to work should hold as few company assets as possible, if any! It is best to work through a remote desktop environment when you are dealing with company IP. This way you don't need to protect every endpoint; you just focus on controlling access to your critical assets. Having employees put a business (or its customers) at risk by carrying stuff without proper protection is just stupid. Corporate networks are very porous and you just can't protect every connection or crack. If you reduce the number of points where you need to enforce protection you will have a better work environment.
It's hardly surprising to learn that there are groups/gangs out there hacking for profit. I'd be surprised if there weren't.
To learn that Symantec uncovered this is somewhat of a surprise tho'
I'm taking this news with a healthy dose of salt.
Why would it be a surprise? It is what they do!
https://www.symantec.com/security_response/publications/monthlythreatreport.jsp
I don't understand this story at all.
What exactly is a 'watering hole' tactic?
The 'watering hole' tactic is to place code in a legitimate website that people in your targeted organization may visit. When they do, this code infects their computer.
R&D computers shouldn't be accessible from the Internet, or even on other parts of the network. Common sense security measures.
From a security standpoint, having all computers air gapped (physically disconnected from the Internet) is best. But, when you have remote development at several sites, are interacting with other vendors, or your employees need to be able to access outside information, this may not be easy.
The issue here isn't that the R&D computers were accessible _from_ the Internet (i.e. they probably didn't have a public IP address and probably couldn't be connected to by a connection that initiated outside the firewall) but that they had access _to_ the Internet. The developers accessed an external legitimate website which infected their computer and then the infected computer sent data out.
Ideally, your corporate network should never connect to the outside world, but in practice this is difficult to do without limiting productivity, so it is a trade off.
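The distinction drawn in the comment above (reachable from the Internet versus having access to it), together with the watering hole mechanism explained earlier in the thread, as an added example that is not from the article or from any commenter: a policy check over constructed flow records in which an assumed R&D subnet 10.20.0.0/24 may talk to internal hosts and to an assumed proxy at 10.1.1.10, and anything else in either direction is flagged. The addresses, the log line format and the flows themselves are made up for the example.

```python
"""Audit flow records for R&D hosts reaching the Internet outside the proxy.

Added example for the thread's point that the exposure is outbound access,
not inbound reachability. Subnets, proxy address and log lines are constructed
samples, not from any real network or from the Symantec report.
"""
import ipaddress
from typing import NamedTuple

RND_SUBNET = ipaddress.ip_network("10.20.0.0/24")        # assumed R&D segment
PROXY = ipaddress.ip_address("10.1.1.10")                # assumed egress web proxy
PROXY_PORTS = {3128, 8080}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address   # initiator of the connection
    sport: int
    dst: ipaddress.IPv4Address   # responder
    dport: int


def parse_line(line: str) -> Flow:
    """Parse '2015-07-08T10:02:11 10.20.0.15:51234 -> 203.0.113.44:443' (constructed format, IPv4 only)."""
    ts, rest = line.split(maxsplit=1)
    left, right = rest.split(" -> ")
    src, sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    return Flow(ts, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport))


def is_internal(ip) -> bool:
    return any(ip in net for net in RFC1918)


def classify(flow: Flow) -> str:
    """Policy: R&D talks to internal hosts freely and to the Internet only via the proxy."""
    if flow.src in RND_SUBNET:
        if flow.dst == PROXY and flow.dport in PROXY_PORTS:
            return "ok-proxy"                  # browsing; the URL is visible in the proxy log
        if is_internal(flow.dst):
            return "ok-internal"
        return "VIOLATION direct-egress"       # the shape of a post-exploitation beacon
    if flow.dst in RND_SUBNET and not is_internal(flow.src):
        return "VIOLATION inbound-from-internet"
    return "ignore"


def audit(lines) -> list:
    return [(line, classify(parse_line(line))) for line in lines if line.strip()]


# Constructed flows. Lines 1-2: a developer fetches a forum page and the script
# the attackers planted on it, both through the proxy, so at flow level they look
# normal and only the proxy log shows the unexpected script origin. Line 3: the
# infected host calls out directly to an external address. Line 4: internal file
# server. Line 5: an outside host tries RDP against the R&D machine.
SAMPLE_FLOWS = """\
2015-07-08T10:02:11 10.20.0.15:51234 -> 10.1.1.10:3128
2015-07-08T10:02:13 10.20.0.15:51235 -> 10.1.1.10:3128
2015-07-08T10:02:40 10.20.0.15:51240 -> 203.0.113.44:443
2015-07-08T10:03:05 10.20.0.15:51241 -> 10.5.0.7:445
2015-07-08T11:15:00 198.51.100.9:40022 -> 10.20.0.15:3389
"""


def verdicts() -> list:
    return [verdict for _, verdict in audit(SAMPLE_FLOWS.splitlines())]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{verdict:35} {line}")
```

The first two flows pass the policy even though they are the watering hole visit; only the proxy log, which records the URL, can show that a developer forum started serving a script from an unfamiliar domain. The direct connection on line 3 is what an egress rule can block outright, and blocking it is what turns "the machine was infected" into "the machine was infected but could not send anything out."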