
Hacking group that targeted Apple, others reportedly operating independently for profit

A hacking group that previously targeted Apple, Twitter and Facebook appears to be operating independently and for the explicit purpose of turning a profit on corporate secrets, according to a Symantec research paper released on Wednesday.

Nicknamed "Morpho," the group has found success in making a small number of surgical strikes, presumably with the goal of selling the data to unscrupulous third parties or exploiting financial markets. It is not currently believed that Morpho has official support from any national government, Symantec said, as quoted by Reuters, although its services could be available on a for-hire basis.

Morpho has allegedly hit at least 49 organizations since 2012, mostly in the U.S., Canada, and Europe. The number of victims has risen every year, reaching 14 in 2015.

The group first gained real attention in early 2013 after attacks on Apple and other major technology companies were exposed. It reportedly used a number of techniques to get past installed safeguards, for instance exploiting a critical, previously unknown (zero-day) Java vulnerability. To go after Apple, Morpho chose a "watering hole" tactic: rather than attacking Apple's own systems directly, it compromised a third-party website frequented by iPhone developers, so that developers who visited the site had the exploit delivered to their machines.

Some suspicion initially fell on China, which is known to regularly use hacker cells to steal corporate secrets and probe U.S. military networks.

While Morpho went dormant after garnering attention from the press, it later returned and has since attacked a number of businesses, such as airlines and pharmaceutical companies, Symantec said. The group is thought to have about ten members, some fluent in English, and possibly one or more with experience at a government intelligence agency.

The surgical nature of Morpho's approach is evidenced by it infecting relatively few computers at a given company, typically those used by research departments. The group is also said to cover its tracks within a day or two of each incident, and to route its traffic through multiple proxies to obscure its true location. Stolen data is encrypted before it leaves the victim's network.

Symantec noted that it made a breakthrough when a backup of a targeted machine happened to be taken during a 12-hour window in which Morpho's hacking tools were still present and active. Those recovered tools were then used as a fingerprint to attribute other intrusions to Morpho. Findings have been passed on to law enforcement agencies in the U.S. and Europe.



14 Comments

thewhitefalcon 10 Years · 4444 comments

R&D computers shouldn't be accessible from the Internet, or even on other parts of the network. Common sense security measures.

josha 14 Years · 899 comments

Quote:
Originally Posted by TheWhiteFalcon 

R&D computers shouldn't be accessible from the Internet, or even on other parts of the network. Common sense security measures.


Most company computers connect to the Internet via the company's LAN, which should be an effective hacking blocker. To not do so significantly limits productivity.

anantksundaram 18 Years · 20391 comments

I don't understand this story at all. What exactly is a 'watering hole' tactic? How was Apple affected? Or was it its developers? In either event, what was hacked, stolen, or lost? How do we know these guys are not merely seeking publicity, and the tech media in turn, in its usual uninformed breathless style, isn't handing this publicity to them on a platter?

robm 18 Years · 1065 comments

It's hardly surprising to learn that there are groups/gangs out there hacking for profit. I'd be surprised if there weren't. To learn that Symantec uncovered this is somewhat of a surprise tho' :) I'm taking this news with a healthy dose of salt.

theunfetteredmind 12 Years · 505 comments

Quote:
Originally Posted by TheWhiteFalcon 

R&D computers shouldn't be accessible from the Internet, or even on other parts of the network. Common sense security measures.


That depends on what the company does. R&D departments may work with universities, for example, and thus need to be able to exchange data, etc, so they'd likely have a method through their firewall to do that.