2015-07-08
By Joseph Menn
SAN FRANCISCO, July 8 A hacking group best known for breaking into top-tier technology companies Apple Inc, Facebook Inc and Twitter Inc more than two years ago is now believed to be one of a handful of highly skilled independent gangs pursuing corporate secrets for profit.
According to new research from the largest U.S. security software vendor, Symantec Corp, the group appears to be among the few that display significant talent without backing from a national government. The group stays below the radar with a small number of carefully targeted attacks.
"They are very focused, wanting everything valuable from the top companies of the world," said Vikram Thakur, a Symantec senior manager. "The only way they could use it, in our opinion, is through some financial market or by selling it."
Thakur said Symantec and other security companies such as FireEye Inc were tracking less than a half dozen such groups, including one called FIN4.
FIN4 has less technical skill but uses knowledge of the investment banking world and strong social engineering, or trickery, to harvest email credentials and discover material financial information. The U.S. Securities and Exchange Commission is investigating some FIN4 breaches at large, publicly traded companies.
Symantec said its group, which it calls Morpho, dropped out of sight for months after press accounts of the Silicon Valley breaches in early 2013 shone a light on its techniques, which included use of a previously unknown "zero-day" flaw in Oracle's Java platform.
Morpho also used a "watering hole" approach, infecting websites that were likely to attract employees of its targets as visitors. In the best-known case, a website frequented by iPhone developers was infected.
Some had suspected China or another country in the Silicon Valley attacks. Some of the companies breached, including Apple, said they found no evidence of data being stolen.
In a paper being released Wednesday, Symantec said Morpho came back from its absence to breach a small number of additional technology companies. It has also gone after the pharmaceutical industry and airlines, typically hitting multiple competitors in a sector and infecting only a handful of machines, usually in the research departments.
Morpho has breached about 49 organizations that Symantec knows about since 2012, with the number penetrated each year rising to 14 by 2015. The United States, Europe and Canada have the most victims.
Thakur said his team thinks the group might have about 10 members around the world, with some fluent in English and one or more perhaps having worked at an intelligence agency. They could be offering themselves for hire or could be breaking into companies on speculation and trying to sell the information or trade shares based on it.
Among the team's greatest strengths is its operational security: it uses multiple proxies to disguise its location, employs heavy encryption where it stores digital loot, and strikes within a day or two of entry before wiping its tracks.
A break in Symantec's research came when a regular backup was made of a targeted machine during a 12-hour window when some of Morpho's custom-made navigation tools were still in use. Symantec then looked for where the same tools had been employed.
Thakur said law enforcement agencies in the United States and Europe had been apprised of Symantec's findings. An FBI spokesman did not respond to a request for comment, nor did Twitter and Facebook. An Apple spokesman declined to discuss the research.
(Reporting by Joseph Menn; Editing by Lisa Shumaker)