Attribution in information security attacks is difficult. Being able to put a particular person behind a keyboard is often the problem. However, in recent years, security companies have become better at identifying groups of individuals with similar attack methods and preferences. For example, CrowdStrike has identified over seven thousand discrete groups of state-sponsored actors, criminals, and hacktivists solely by their methods of operation, their patterns of attack.
A report this week from Symantec looks at one particular group they call Morpho, which they believe is not state-sponsored but nonetheless responsible for intellectual property theft for monetary gain.
Symantec notes that one key difference between attacks coming from competitors and those from state-sponsored attackers is that competitors are likely in a better position to request the theft of specific information of economic value. They also make faster use of this information than a state-sponsored group would. Morpho has a preference for pharmaceutical companies, technology firms, law practices, and oil and precious metal mining organizations.
Symantec believes this small group of individuals is responsible for the Java-based zero-day attacks on Twitter, Facebook, Apple and Microsoft back in 2013, and that it has since lain low. Recently the group has started to use a zero day in Internet Explorer 10 against its targets.
What’s interesting is that while the group appears to be scattered all over the world, there appears to be a subset of native English speakers, or people who are familiar with Western culture, based on the help documentation supplied with their hacking tools. They may also operate in the Eastern Standard Time (EST) time zone of the US, based on the time zone configured on their Command & Control server. This may be to better attack US-based targets and also to better sense and manipulate the financial markets.
“Morpho is a timely reminder to organizations that as well as defending against state-sponsored attacks, organizations must be aware of the potential threat of corporate espionage, where attacks are performed at the behest of competitors or by individuals looking to monetize stolen information such as through stock trading using insider knowledge,” the authors of the report wrote.