Industrial espionage group hacked Apple, Facebook, Microsoft

Rob Wright

A sophisticated hacker group has been attacking billion-dollar companies such as Apple, Facebook, and Microsoft in recent years for the purposes of committing industrial espionage, according to security researchers.

Symantec and Kaspersky Lab both released reports about the group Wednesday, claiming that Apple, Facebook, Twitter, Microsoft and other multinational companies have been victimized by it. Both vendors claim the group, which Symantec refers to as "Morpho" and Kaspersky calls "Wild Neutron," is not a state-sponsored threat actor and is instead a powerful, well-

resourced entity focused on financial gains -- one that uses a variety of attack techniques to obtain insider information from top U.S. corporations.

group operates at a much higher level than the average cybercrime gang," Symantec's report stated. "It is not interested in stealing credit card details or customer databases and is instead focused on high level corporate information. Morpho may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider trading purposes."

According to Kaspersky's report, the hacker group has been active since 2011 but first gained notoriety in 2013 with successful attacks on Apple, Facebook, Twitter and Microsoft that exploited a Java zero-day flaw and used hacked Web forums as watering holes.

After the companies disclosed these attacks, the hacker group went dark, according to the reports. But Kaspersky said the attacks resumed in late 2013 and into 2014 and affected a variety of different companies in the legal, health care, real estate and technology industry verticals as well as Bitcoin-related companies, investment firms and companies involved in merger and acquisition deals.

Symantec said its investigation has found the group's attacks have affected 49 different organizations in more than 20 different countries. Kaspersky said the latest round of attacks this year involved a stolen digital certificate originally issued to Taiwanese PC maker Acer and an unknown Flash Player exploit.

Kaspersky's report said the hacker group is unique in terms of its approach and its engagement in industrial espionage. "Compared to other APT groups, Wild Neutron is one of the most unusual ones we've analysed and tracked," Kaspersky's report stated. "Active since 2011, the group has been using at least one zero-day exploit, custom malware and tools and managed to keep a relatively solid opsec, which so far eluded most attribution efforts."

Neither Symantec nor Kaspersky have determined the origin of the attacks. Symantec noted that the hacker group's command and control server activity peaks during U.S. working day hours, which suggests that some or all of the members are operating in region. Both vendors warned that the group is still active today.