According to new research from the largest U.S. security software
vendor, Symantec Corp, the group appears to be among the few that
display significant talent without backing from a national
government. The group stays below the radar with a small number of
carefully targeted attacks.
“They are very focused, wanting everything valuable from the top
companies of the world,” said Vikram Thakur, a Symantec senior
manager. “The only way they could use it, in our opinion, is through
some financial market or by selling it.”
Thakur said Symantec and other security companies such as FireEye
Inc were tracking fewer than half a dozen such groups, including one
called FIN4.
FIN4 has less technical skill but uses knowledge of the investment
banking world and strong social engineering, or trickery, to harvest
email credentials and discover material financial information. The
U.S. Securities and Exchange Commission is investigating some FIN4
breaches at large, publicly traded companies.
Symantec said its group, which it calls Morpho, dropped out of sight
for months after press accounts of the Silicon Valley breaches in
early 2013 shone a light on its techniques, which included use of
a previously unknown “zero-day” flaw in Oracle’s Java platform.
Morpho also used a “watering hole” approach, infecting websites that
were likely to attract employees of its targets as visitors. In the
best-known case, a website frequented by iPhone developers was
infected.
Some had suspected China or another country in the Silicon Valley
attacks. Some of the companies breached, including Apple, said they
found no evidence of data being stolen.
In a paper being released Wednesday, Symantec said Morpho came back
from its absence to breach a small number of additional technology
companies. It has also gone after the pharmaceutical industry and
airlines, typically hitting multiple competitors in a sector and
infecting very few machines, usually in the research departments.
Morpho has breached about 49 organizations that Symantec knows about
since 2012, with the number penetrated each year rising to 14 by
2015. The United States, Europe and Canada have the most victims.
Thakur said his team thinks the group might have about 10 members
around the world, with some fluent in English and one or more
perhaps having worked at an intelligence agency. They could be
offering themselves for hire or could be breaking into companies on
speculation and trying to sell the information or trade shares based
on it.
Among the team’s greatest strengths is its operational security, as
it uses multiple proxies to disguise its location, employs heavy
encryption where it stores digital loot, and strikes within a day or
two of entry before wiping its tracks.
A break in Symantec’s research came when a regular backup was made
of a targeted machine during a 12-hour window when some of Morpho’s
custom-made navigation tools were still in use. Symantec then looked
for where the same tools had been employed.
Thakur said law enforcement agencies in the United States and Europe
had been apprised of Symantec's findings. An FBI spokesman did not
respond to a request for comment, nor did Twitter and Facebook. An
Apple spokesman declined to discuss the research.
(Reporting by Joseph Menn; Editing by Lisa Shumaker)
© 2015 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.