A group of financially motivated hackers has been infiltrating major corporations and stealing valuable intellectual property, a sign that the motives and techniques of different types of online criminals are starting to blur, researchers at a computer security company will announce in a report on Wednesday.
Typically, criminal hackers steal passwords and personal data from companies with poor security so that they can break into more valuable sites, or simply sell those passwords and Social Security numbers on the black market. But the report, by Symantec, the computer security company, suggests that a group it calls Morpho is after intellectual property, possibly to sell it to competitors or nation states.
Symantec said the group had attacked multibillion-dollar companies in the Internet, software, pharmaceutical, legal and commodities fields. Twitter, Facebook, Apple and Microsoft are among the companies that have publicly acknowledged attacks.
Symantec’s researchers said they did not believe the group was backed by any nation state because it was “agnostic about the nationality of its targets.”
But the researchers said there were clues that the hackers might be English speakers — their malicious code is written in fluent English — and they named their encryption keys after memes in American pop culture and gaming. Researchers also said the attackers worked during United States working hours, though they conceded that might just be because that is when their targets are most active.
The group has developed custom hacking tools and is able to break into both Windows and Apple computers, researchers say, which suggests that it has plenty of resources. In at least one case, researchers discovered that the hackers had used one so-called zero-day vulnerability, a security flaw that has not been discovered by companies or security defenders. Such flaws are considered difficult to find and can be purchased on the black market, where, depending on the number of systems they expose and the probability that the flaw will be found, they can fetch as much as six-figure sums from governments or criminal groups eager to exploit them.
Researchers believe the Morpho group is the same one that compromised Facebook, Twitter, Apple and Microsoft in 2013. Symantec’s researchers said that was their first inkling that the group existed. When they dug further, they found evidence that the same group had been active since at least March 2013, and is still active today.
To date, Symantec said it had discovered 49 different organizations in more than 20 countries that had been attacked by Morpho. Some of its earliest targets were in the legal field, but the group’s list of victims has evolved, and it has targeted companies in technology, pharmaceuticals and, most recently, commodities.
Researchers found evidence that the group’s hackers did careful reconnaissance before grabbing valuable trade secrets. In some cases, the researchers had indications that they had succeeded in intercepting company emails, and business databases containing legal.