A hacking group that previously targeted Apple, Twitter and Facebook appears to be operating independently and for the explicit purpose of turning a profit on corporate secrets, according to a Symantec research paper released on Wednesday.
Nicknamed "Morpho," the group has found success in making a small number of surgical strikes, presumably with the goal of selling the data to unscrupulous third parties or exploiting financial markets. It is not currently believed that Morpho has official support from any national government, Symantec said, as quoted by Reuters, although its services could be available on a for-hire basis.
Morpho has allegedly hit at least 49 organizations since 2012, mostly in the U.S., Canada, and Europe. Each year the number of targets has risen, up to 14 by 2015.
The group first gained real attention in early 2013, when attacks on Apple and other major technology companies were exposed. It reportedly used a number of techniques to bypass installed safeguards, including exploitation of a critical, previously unknown (zero-day) Java vulnerability. To go after Apple, Morpho used a "watering hole" tactic: it compromised a website frequented by iPhone developers so that visitors to the site were infected.
Some suspicion initially fell on China, which is known to regularly use hacker cells to steal corporate secrets and probe U.S. military networks.
While Morpho went dormant after garnering attention from the press, it later returned and has since attacked a number of businesses, such as airlines and pharmaceutical companies, Symantec said. The group is thought to have about ten members, some fluent in English, and possibly one or more with experience at a government intelligence agency.
Morpho's surgical approach is evident in how few computers it infects at a given company, typically those used by research departments. The group is also said to cover its tracks within a day or two of each incident and to route its traffic through multiple proxies to obscure its true location. Stolen data is protected with strong encryption.
Symantec said its breakthrough came when a targeted machine happened to be backed up during a 12-hour window in which Morpho's hacking tools were still present on it. Those captured tools were then used as a fingerprint to identify other Morpho attacks. Findings have been passed on to law enforcement agencies in the U.S. and Europe.
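The fingerprinting step described above, as an added illustration rather than Symantec's own tooling: tools recovered from a backup snapshot are hashed into an indicator set, and another host's file system is swept for files with the same content regardless of name or location. The directory layout, file names and file contents are all constructed for the example.

```python
"""Added example: turning tooling captured in a backup into a fingerprint.

Not Symantec's code. It assumes a hypothetical layout in which the tools found
on the backed-up machine were copied into one directory ("backup_tools") and a
second directory tree stands in for another host's file system ("other_host").
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_indicators(tool_dir: Path) -> dict[str, str]:
    """Map SHA-256 -> file name for every file captured under tool_dir."""
    return {sha256_of(p): p.name for p in tool_dir.rglob("*") if p.is_file()}


def hunt(root: Path, indicators: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative path on the scanned host, matched captured tool name)
    for every file under root whose content hash is a known indicator.
    Matching is by content, so a renamed or relocated copy is still found."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_of(p)
            if digest in indicators:
                hits.append((p.relative_to(root).as_posix(), indicators[digest]))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Constructed sample data: two 'tools' from the backup, one of which was
    planted on another host under a different name, plus unrelated files."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        tools = base / "backup_tools"
        host = base / "other_host"
        (tools / "bin").mkdir(parents=True)
        (host / "Windows" / "Temp").mkdir(parents=True)
        (host / "Users" / "dev").mkdir(parents=True)

        # Tools as captured in the 12-hour backup window (constructed bytes).
        (tools / "bin" / "loader.exe").write_bytes(b"CONSTRUCTED-LOADER-BYTES")
        (tools / "bin" / "stage2.dll").write_bytes(b"CONSTRUCTED-STAGE2-BYTES")

        # Same bytes, different name and location on the second host.
        (host / "Windows" / "Temp" / "svchost_update.exe").write_bytes(
            b"CONSTRUCTED-LOADER-BYTES")
        (host / "Users" / "dev" / "notes.txt").write_bytes(b"unrelated content")

        return hunt(host, build_indicators(tools))


if __name__ == "__main__":
    for path, tool in demo():
        print(f"{path}  matches captured tool {tool}")
```

Exact content hashes are the narrowest kind of indicator: they survive renaming and relocation, which is why the planted copy above is still found, but a recompiled or repacked build would evade them. In practice a hunt built from a captured toolset is widened with other artifacts from the same snapshot (persistence entries, file paths, network destinations), and the short 12-hour window in this case is what made any such capture possible at all, given the group's habit of cleaning up within a day or two.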