
Back in 2013, technology giants Apple, Microsoft, Facebook and Twitter all suffered a serious security breach.

Their corporate networks had all been attacked by the same hacking gang, after Mac-using staff visited a website for iOS developers that was hosting a zero-day Java exploit.

The previously unseen Pintsized Trojan horse slipped past the Gatekeeper protection in OS X and installed itself under the name cupsd, borrowing the name of the CUPS printing daemon that legitimately runs on every Mac. With Pintsized successfully installed, remote hackers were able to gain unauthorised access to systems and data.

For instance, at Twitter some 250,000 users had limited information exposed as a result of the hack, and it was revealed that a number of developers’ computers at Apple’s Cupertino HQ had also been compromised.

Reuters reports on Apple hack

Now, newly released research from security firms Symantec and Kaspersky reveals that a much wider range of corporations have been hit by the hackers since at least 2011, with law firms and companies involved in corporate mergers and acquisitions targeted, as well as businesses in the healthcare, investment, pharmaceutical and technology industries.

What may surprise onlookers is that security researchers do not believe the attacks are state-sponsored, but are instead financially motivated economic espionage.

Variously known as “Wild Neutron” or “Morpho”, the gang is thought to be a highly organised professional organisation, uninterested in stealing credit card data or customer databases, but instead focused on high-value corporate information which could be exploited for insider dealing.

The investigation into the hacking gang follows the news last month that the United States SEC was hunting a group of insider-trading hackers stealing sensitive information, such as details of company mergers, from publicly traded companies for financial gain.

Clearly, some hacking gangs are becoming more ambitious in their attacks, using their skills to maximise their profits.

Symantec says that it has uncovered 49 different organisations in more than 20 countries that have been attacked by the Morpho/Wild Neutron gang. The vast majority of victims are located in Europe, the United States and Canada.

In some cases it appears that smaller offices can be initially targeted to gain a foothold in later attacks against headquarters:

“[We] found evidence that Morpho has attacked three major European pharmaceutical firms. In the first attack, the attackers gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters. This template appeared to be followed in the two subsequent attacks on big pharma firms, with Morpho compromising computers in a number of regional offices before being discovered.”

Companies involved in commodities such as gold and oil have also fallen victim to the attacks, as have law firms specialising in finance and natural resources.

Most recently, as Ars Technica reports, the hackers have managed to bypass the protection built into some operating systems by signing their malware with a valid code-signing certificate issued to Taiwanese electronics firm Acer. A valid signature only tells the operating system who the certificate was issued to, not that the code is benign, so a signed binary from an unexpected publisher should be treated as a finding rather than a clean bill of health.

Acer digital certificate

Meanwhile, the Pintsized backdoor Trojan has been ported to the Windows platform since the attacks against Facebook, Twitter, Microsoft and Apple, proving its worth time and time again by helping the hackers penetrate the networks of corporate victims.
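Two of the tricks described above, a backdoor masquerading as the cupsd print daemon and malware carrying a genuine Acer code-signing certificate, can be caught by the same check: compare what a process claims to be with where it runs from and who signed it. The following is an added example, not code from the original post, Symantec, Kaspersky or Ars Technica. The process records and the expected paths and publishers are constructed for illustration; the publisher names are the certificate subjects a stock macOS or Windows host would show, and you would extend the table for your own fleet.

```python
"""Flag processes that borrow the name of a trusted daemon but not its provenance."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Where well-known daemons are expected to run from and who signs them.
# Constructed for this example; extend for your own environment.
EXPECTED = {
    "cupsd": {"paths": {"/usr/sbin/cupsd"}, "publisher": "Apple Inc."},
    "svchost.exe": {
        "paths": {r"C:\Windows\System32\svchost.exe"},
        "publisher": "Microsoft Windows",
    },
}


@dataclass(frozen=True)
class Proc:
    """One observed process, as an EDR agent or inventory script would report it."""

    pid: int
    name: str
    path: str
    publisher: Optional[str]  # subject of the signing certificate, or None
    sig_valid: bool           # did the signature itself verify?


def check(proc: Proc) -> List[str]:
    """Return the reasons this process looks like a masquerade (empty if clean)."""
    expected = EXPECTED.get(proc.name.lower())
    if expected is None:
        return []  # not a name we track
    reasons = []
    if proc.path not in expected["paths"]:
        reasons.append(f"unexpected path {proc.path}")
    if not proc.sig_valid:
        reasons.append("invalid or missing signature")
    elif proc.publisher != expected["publisher"]:
        # A valid signature is not enough: Morpho shipped malware signed with
        # a genuine certificate issued to Acer, so the publisher must match too.
        reasons.append(f"valid signature but wrong publisher {proc.publisher!r}")
    return reasons


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that fails the check."""
    findings = {}
    for proc in procs:
        reasons = check(proc)
        if reasons:
            findings[proc.pid] = reasons
    return findings


# Constructed sample: two legitimate daemons and two impostors.
SAMPLE = [
    Proc(412, "cupsd", "/usr/sbin/cupsd", "Apple Inc.", True),
    Proc(7031, "cupsd", "/Users/dev/Library/.cupsd/cupsd", None, False),
    Proc(880, "svchost.exe", r"C:\Windows\System32\svchost.exe", "Microsoft Windows", True),
    Proc(9920, "svchost.exe", r"C:\Users\Public\svchost.exe", "Acer Incorporated", True),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

The path check is what catches a Pintsized-style impostor dropped into a user's home directory; the publisher comparison is what catches the Acer-signed variant, which would pass a naive "is it signed?" test. Name matching is case-insensitive because Windows is.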

The best defence against such professional hackers is to lock down your systems with layered security. Keep your systems patched and your protection software updated. Configure your security software to limit the damage a zero-day exploit can do, for instance by restricting which applications are allowed to run. Encrypt sensitive information, and enforce strong, hard-to-crack passwords and multi-factor authentication wherever they are available.

Ultimately, your best defence might be to adopt the mindset of the hackers. If you were to hack your company – how would you go about it? Find the weak points inside your organisation’s defences before the real hackers do.

  • mordac

    Those protective measures are all very sound advice, but I'd argue they're only half the story. Assume that sooner or later they WILL fail, and internal systems will be compromised. How will you spot the attackers? Network security monitoring (if you can possibly spare the resources to do it) is essential. Even if it's just reviewing your firewall logs for odd outgoing traffic, that's a start… (disclosure, I have no financial interest in peddlers of products/services, I'm just a grunt in the trenches :) )

    • Coyote

      There is an article from the 90s (I want to say 1994 but there were a lot of documents in those days too, and I'm thankful I remember some of that stuff in the first place…) entitled 'Improving the Security of Your Site by Breaking into It.' and it is still sound. His other points also are relevant. How will you spot the attackers you ask? Awareness. Being aware that indeed it is a constantly evolving problem, and THAT is why thinking like an attacker – one which also adapts! – is absolutely critical. This includes logs and other auditing (as always). Summary is this: it is a many layered thing but that list can – and does – grow in size (and be modified in any way necessary).

      • While I would agree that everyone does some hacking of some obstacles at least sometimes in life, there is a fundamental disconnect with the "think like a hacker" recommendation against the systems we build/support.

        #1 Are we computer system hackers?
        #2 Do we think about our systems in the framework of how they (are supposed) to work?
        #3 Do we really have any time for this endeavor? (corollary: How much experience do you have at this? None?)
        #4 How often have you read a post mortem of an exploit of a vulnerability and thought, "How did they miss that?"

        There is a conflict of interest here almost none of us perceive. I claim, that in general, you can't competently hack your own systems. So:

        #0 What is your primary motivation
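mordac's point above about reviewing firewall logs for odd outgoing traffic is worth making concrete. A backdoor such as Pintsized has to talk to its operators, and it usually does so on a timer, which shows up in egress logs as the same internal host contacting the same external address at near-constant intervals. The following is an added example, not code from the post or from any commenter. The log lines and the line format are constructed; a real export will need its own regular expression, and you would normally exclude destinations inside your own address space before looking for beacons.

```python
"""Find beacon-like outbound connections in firewall allow-logs."""

import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed line format: "<ISO timestamp> ALLOW <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"^(\S+) ALLOW (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

Flow = Tuple[str, str, int]  # (src ip, dst ip, dst port)


def parse(lines: List[str]) -> Dict[Flow, List[datetime]]:
    """Group connection timestamps by (src, dst, dport); skip lines that do not match."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return flows


def beacons(flows: Dict[Flow, List[datetime]], min_hits: int = 5,
            max_jitter: float = 0.2) -> List[Tuple[Flow, int, float]]:
    """Return (flow, mean gap in seconds, coefficient of variation) for flows
    seen at least min_hits times whose inter-arrival gaps vary by at most
    max_jitter relative to their mean.  Low variation is the beacon signal."""
    found = []
    for flow, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all hits in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            found.append((flow, round(avg), round(cv, 3)))
    return found


# Constructed sample log: one host checking in every five minutes, one host
# browsing irregularly, and a two-hit flow that is too short to judge.
SAMPLE_LOG = """
2015-07-09T10:00:00 ALLOW 10.1.2.3:51000 -> 203.0.113.5:443
2015-07-09T10:00:00 ALLOW 10.1.2.4:52000 -> 198.51.100.7:443
2015-07-09T10:00:05 ALLOW 10.1.2.4:52001 -> 198.51.100.7:443
2015-07-09T10:02:05 ALLOW 10.1.2.4:52002 -> 198.51.100.7:443
2015-07-09T10:05:01 ALLOW 10.1.2.3:51001 -> 203.0.113.5:443
2015-07-09T10:10:00 ALLOW 10.1.2.3:51002 -> 203.0.113.5:443
2015-07-09T10:12:00 ALLOW 10.1.2.3:51003 -> 203.0.113.9:80
2015-07-09T10:15:00 ALLOW 10.1.2.3:51004 -> 203.0.113.5:443
2015-07-09T10:17:05 ALLOW 10.1.2.4:52003 -> 198.51.100.7:443
2015-07-09T10:17:08 ALLOW 10.1.2.4:52004 -> 198.51.100.7:443
2015-07-09T10:17:48 ALLOW 10.1.2.4:52005 -> 198.51.100.7:443
2015-07-09T10:20:02 ALLOW 10.1.2.3:51005 -> 203.0.113.5:443
2015-07-09T10:25:00 ALLOW 10.1.2.3:51006 -> 203.0.113.5:443
2015-07-09T10:30:00 ALLOW 10.1.2.3:51007 -> 203.0.113.9:80
this line is not a firewall record and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for flow, gap, cv in beacons(parse(SAMPLE_LOG)):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]} every ~{gap}s (cv={cv})")
```

The thresholds are deliberately loose. Real implants add jitter, so tighten `max_jitter` only after you know what your own scheduled jobs (package updates, backup agents, monitoring checks) look like in the same logs; those are the expected false positives, and allowlisting them is the first round of tuning.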

  • Juan DaRiguera

    "Clearly, some hacking gangs are becoming more ambitious in their attacks, using their skills to maximise their profits."

    Here’s a semantic musing, Graham, for whatever it’s worth: It's an unfortunate deficiency in the way we use language that “profit” has two opposite meanings.

    Profit is what I create when my income from providing valuable services to my clients exceeds the cost of providing those services. It's what you gain when folks buy your expertise and knowledge so you don't have to inhabit a corporate cubicle. It's what any honest person receives in exchange for value provided to another. Profit is the engine of progress for free people.

    So why do we apply the same word to the immoral gains of scumbags?

    It didn't used to be so. Back when pirates roamed the seas, their ill-gotten gains were called plunder. Perhaps if that term were applied universally to the loot taken by hacking thieves, the stigma of plunder would make such an occupation less appealing.

    I dunno…maybe it wouldn't make much difference to the kind of pirates who are the subject of this article, but at least it might help folks think more clearly on the subject of profit, without which there would be no freedom at all.

    • Coyote

      You're absolutely right – it is semantics. If you look at the etymology of the word (or even just all meanings of it) you'll find the answer. The word you suggest isn't any more valid or invalid (except in that it might show intent more clearly) than profit (which is less specific here). That is all it comes down to: how much intent you want to express. But thing is, it is generally accepted that profit is a good word for this (even if there are other words). There certainly are more words than profit and plunder for this. Anyway, profit is a perfectly valid word: it also means advantage; benefit. So they benefit from this and despite their method being unethical, illegal and questionable, they still benefit from it. That is, after all, why they continue this. That is why the word is used.

      But no, stigma won't stop it at all. If only it was that easy. As long as there is profit (as above) they will continue. That is why spammers still continue, too: all it takes is one person to respond and it is worth it to them (and more victims increases the chance in their favour). Besides, if they're willing to be so unethical and break the law, do you really think they care what words are used (as in do you think that will change whether they continue doing what they do)? As unfortunate as it is, we all know the answer to this.

    • "[…] but at least it might help folks think more clearly on the subject of profit, without which there would be no freedom at all." Not an unusual ideological position, but one without empirical evidence.

      More to the point though. Please leave the proving of negatives to other forums.

  • Coyote

    To those who don't know, cupsd = common unix printing system daemon (more commonly just 'CUPS'), a well known (to those you would expect to know, anyway) interface to printing under Unix based OSes (which includes Mac OS). Ironically Apple actually bought the rights to CUPS in 2007. More irony is that CUPS is the target of a write-up on how NOT to design software (and it is true; it is terribly designed), see… (The Luxury of Ignorance – An Open-Source Horror Story) if you're curious. (That is Eric S. Raymond's website, and he is well respected in the hacker – the original meaning of the word – culture)

    The above makes it interesting that this group would mask their malware as CUPS …

  • Horst G Ludwig

    Think like a hacker? A good one? A bad one? A true one with a humanity purpose? A little perverted "I am the best" gamer? We can't even imagine what hackers are all about, and that random story of criminals leaves it with the paranoia of a paranoid society. If Morpho is attacking big pharma I guess they do have good reasons, because legislators are never acting against those huge speculative money machines; otherwise they are acting on behalf of competition. True in all security attack questioning is WHY rather than HOW, but since there is a huge security industry running and promoting itself we can't expect a solution but the never-ending spiral of the same.