According to new research from the largest U.S. security software vendor, Symantec Corp, the group appears to be among the few that display significant talent without backing from a national government. The group stays below the radar with a small number of carefully targeted attacks.
"They are very focused, wanting everything valuable from the top companies of the world," said Vikram Thakur, a Symantec senior manager. "The only way they could use it, in our opinion, is through some financial market or by selling it."
Thakur said Symantec and other security companies such as FireEye Inc were tracking less than a half dozen such groups, including one called FIN4.
FIN4 has less technical skill but uses knowledge of the investment banking world and strong social engineering, or trickery, to harvest email credentials and discover material financial information. The U.S. Securities and Exchange Commission is investigating some FIN4 breaches at large, publicly traded companies.
Symantec said its group, which it calls Morpho, dropped out of sight for months after press accounts of the Silicon Valley breaches in early 2103 shone a light on their techniques, which included use of a previously unknown "zero-day" flaw in Oracle's Java platform.
Morpho also used a "watering hole" approach, infecting websites that were likely to attract employees of its targets as visitors. In the best-known case, a website frequented by iPhone developers was infected.
Some had suspected China or another country in the Silicon Valley attacks. Some of the companies breached, including Apple, said they found no evidence of data being stolen.
In a paper being released Wednesday, Symantec said Morpho came back from its absence to breach a small number of additional technology companies. It has also gone after the pharmaceutical industry and airlines, typically hitting multiple competitors in a sector and infecting a very few machines, usually in the research departments.
Morpho has breached about 49 organizations that Symantec knows about since 2012, with the number penetrated each year rising to 14 by 2015. The United States, Europe and Canada have the most victims.
Thakur said his team thinks the group might have about 10 members around the world, with some fluent in English and one or more perhaps having worked at an intelligence agency. They could be offering themselves for hire or could be breaking into companies on speculation and trying to sell the information or trade shares based on it.
Among the team's greatest strengths is its operational security, as it uses multiple proxies to disguise its location, employs heavy encryption where it stores digital loot, and strikes within a day or two of entry before wiping its tracks.
A break in Symantec's research came when a regular backup was made of a targeted machine during a 12-hour window when some of Morpho's custom-made navigation tools were still in use. Symantec then looked for where the same tools had been employed.
Thakur said law enforcement agencies in the United States and Europe had been apprised of Symantec's findings. An FBI spokesman did not respond to a request for comment, nor did Twitter and Facebook. An Apple spokesman declined to discuss the research.
© Thomson Reuters 2015
For details of the latest launches and news from Samsung, Xiaomi, Realme, OnePlus, Oppo and other companies at the Mobile World Congress in Barcelona, visit our MWC 2025 hub.