According to research from cybersecurity firm Symantec Corp, several highly sophisticated independent hacking groups, not associated with any government, represent a notable threat. Symantec is currently tracking around a dozen such groups, and in a recent research report it specifically highlighted two of them: one called FIN4 and another it has named Morpho.
Morpho hacking group attacked Apple and Facebook
Symantec said the independent hacking group it has named Morpho dropped out of sight for months after press accounts of the break-ins at Apple, Facebook and Twitter in early 2013 exposed the group's modus operandi, including attacking through a previously unknown "zero-day" flaw in Oracle's Java software.
Morpho is one of the few private hacking organizations that combines programming talent with cultural sophistication without the backing of a national government. It stays below the radar for the most part by limiting itself to a small number of carefully targeted attacks.
“They are very focused, wanting everything valuable from the top companies of the world,” said Vikram Thakur, a senior manager focused on hackers at Symantec. “The only way they could use it, in our opinion, is through some financial market or by selling it.”
The hackers used a "watering hole" approach: rather than attacking their targets directly, they compromised websites that employees of the target companies were likely to visit, so that visitors were infected on arrival. In one known case, a website frequented by iPhone developers was infected with malware.
Many cybersecurity experts had pointed to China or another national actor in the 2013 Silicon Valley attacks, especially since some of the firms that were hit, including Apple, said they saw no evidence that any data had actually been stolen.
Symantec says Morpho has broken into close to 50 organizations (mainly in technology, the pharmaceutical industry and airlines) since 2012, with the number penetrated each year rising to 14 so far in 2015. Not surprisingly, the U.S., Europe and Canada have seen the most attacks from Morpho.
According to Symantec, the group probably has around 10 members at various locations around the globe, at least some of them fluent in English, and there is a strong likelihood that at least one has experience in intelligence work. It is possible that Morpho is acting as a "hired gun" for a client, or the group could be breaking into firms on its own account and either selling the information or making investments based on it.
Of note, Morpho maintains strong operational security, routing its activity through several layers of proxies to disguise members' locations and always strongly encrypting the stolen data. The group typically moves to steal data within a day or two of breaking in, then quickly wipes any traces of the intrusion.
Symantec caught a break in its research on Morpho when a routine backup was taken of a machine the group had infected, during a 12-hour window while some of the group's custom-built navigation tools were still running. That snapshot preserved the tools before the group could wipe them, and Symantec eventually learned a great deal about the group by looking at where else this specialized malware had been used.
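The forensic idea in that paragraph, as an added example that is not Symantec's code or any tooling described on the page: given a file manifest from the backup and one from the same machine after the cleanup, list the files whose content survives only in the backup, then pivot on those hashes across manifests from other hosts to see where else the same tool turned up. All manifests, paths, hostnames and file contents below are constructed; the hashes are real SHA-256 digests of that constructed content.

```python
"""Recovering short-lived intrusion tooling from a backup snapshot and pivoting on its hash.

Added example, not Symantec's code or tooling. A backup taken while an
intruder's custom tools were still on disk preserves artifacts the intruder
later wipes, and the hash of such a tool can then be searched for on other
machines. Every manifest, path, hostname and file body here is constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed file contents, so the hashes below are genuine SHA-256 digests.
TOOL_HASH = sha256_hex(b"custom navigation tool (constructed sample)")
BENIGN_HASH = sha256_hex(b"ordinary build script (constructed sample)")
NOTES_V1_HASH = sha256_hex(b"engineering notes, first draft (constructed)")
NOTES_V2_HASH = sha256_hex(b"engineering notes, edited by the user (constructed)")

# A manifest maps path -> sha256 of the file's content. BACKUP_MANIFEST is the
# snapshot taken during the window when the tools were still present;
# CURRENT_MANIFEST is the same host after the intruder cleaned up.
BACKUP_MANIFEST = {
    "/home/dev/.cache/upd.bin": TOOL_HASH,   # intruder's tool, later wiped
    "/home/dev/build.sh": BENIGN_HASH,       # unchanged user file
    "/home/dev/notes.txt": NOTES_V1_HASH,    # later edited by the user
}
CURRENT_MANIFEST = {
    "/home/dev/build.sh": BENIGN_HASH,
    "/home/dev/notes.txt": NOTES_V2_HASH,
}

# Manifests gathered from other hosts in the estate (constructed).
FLEET_MANIFESTS = {
    "build-02": {"/opt/build.sh": BENIGN_HASH},
    "build-03": {"/opt/build.sh": BENIGN_HASH},
    "ci-01": {"/tmp/.x/svc.bin": TOOL_HASH, "/opt/build.sh": BENIGN_HASH},
    "laptop-17": {"/Users/eng/Library/Caches/upd.bin": TOOL_HASH},
}


def transient_files(backup: dict, current: dict) -> dict:
    """Files present in the backup whose content no longer exists at that path.

    Returns {path: hash}. Covers both deleted files and files whose content
    changed, since in either case the backup holds content the live system
    no longer does.
    """
    return {path: h for path, h in backup.items() if current.get(path) != h}


def pivot_on_hashes(hashes, fleet: dict) -> dict:
    """Map each hash to the (host, path) pairs in the fleet that carry it."""
    hits = {h: [] for h in hashes}
    for host, manifest in fleet.items():
        for path, h in manifest.items():
            if h in hits:
                hits[h].append((host, path))
    return hits


def suspicious_transients(backup: dict, current: dict, fleet: dict) -> dict:
    """Transient files from the backup that also turn up on other hosts.

    A file the user merely edited (notes.txt) is transient too, but its old
    hash appears nowhere else; a tool the intruder staged on several machines
    does. Returns {hash: {"path": local_path, "seen_on": [(host, path), ...]}}
    for every transient hash with at least one hit on another host.
    """
    transient = transient_files(backup, current)
    hits = pivot_on_hashes(transient.values(), fleet)
    return {
        h: {"path": path, "seen_on": sorted(hits[h])}
        for path, h in transient.items()
        if hits[h]
    }


if __name__ == "__main__":
    found = suspicious_transients(BACKUP_MANIFEST, CURRENT_MANIFEST, FLEET_MANIFESTS)
    for h, info in found.items():
        print(f"{info['path']} ({h[:12]}...) also seen on:")
        for host, path in info["seen_on"]:
            print(f"    {host}:{path}")
```

The filter in suspicious_transients is deliberately prevalence-based: most of what disappears between two snapshots is ordinary churn, so a hash is only worth an analyst's time once it shows up on a second machine, which is also exactly the pivot that turns one lucky backup into a picture of the wider campaign.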
FIN4 hacking group
FIN4 has less technical skill but uses its knowledge of the investment banking world and strong social engineering, or trickery, to harvest email credentials and discover material financial information. The U.S. Securities and Exchange Commission is investigating some FIN4 breaches at large, publicly traded companies.