Cyber gang stealing sensitive info from big business.

A cyber espionage gang has been discovered attempting to infiltrate major corporations across the globe over the last three years in an effort to steal highly sensitive data for financial gain.

Infosec firm Symantec today published its research [pdf] into a gang of threat actors it has dubbed Morpho, which recently attacked the likes of Apple, Microsoft, Twitter and Facebook in an effort to access confidential information and intellectual property.

The gang should not be confused with security and identity solutions provider Morpho.

The hacker group appears to be specifically targeting big business in the technolgy, internet, commodities and pharmaceutical sectors. Symantec said it believed the group was financially motivated rather than state-sponsored.

Unlike an average cybercrime attacker, Morpho targets high-level corporate information rather than customer databases or credit card details, Symantec said.

A successful attack would allow it to sell the valuable data to the highest bidder.

"[Morpho] keeps a low profile and maintains good operational security," Symantec said in its research [pdf].

"After successfully compromising a target organisation, it will clean up after itself before moving on to its next target."

Twitter, Facebook, Apple and Microsoft have all publicly acknowledged previous attacks.

According to Symantec, in those attacks the group compromised a website used by mobile developers and used a Java zero-day to infect the user's device with malware.

The Morpho gang is using custom malware tools developed internally which are able to attack both Windows and Apple computers. Symantec said the group's arsenal also appeared to contain at least one zero-day vulnerability, relating to Internet Explorer 10.

It favours two types of malware: a Mac OS X back door known as OSX.Pintsized, and a Windows back door, Backdoor.Jiripbot.

But the group also uses custom developed hacking tools: a modified version of OpenSSH containing additional code to pass a command and control server address and port to a compromised computer; and another that can retrieve default messages issued by Telnet, HTTP, and generic TCP servers.

It also uses one dubbed Hacktool.Multipurpose that enables to to move across a compromised network, another that creates a proxy connection that allows attackers to route traffic through an intermediary node, and one that goes through event logs and deletes and pulls out entries.

Symantec said Morpho had been operating since at least March 2012 and its attacks had increased in number since: the firm said 49 organisations across 20 countries had been targeted.

USA is the top target for the group, followed by Europe and Canada.

Aside from Twitter, Facebook, Apple and Microsoft, Symantec said five other large unnamed technology firms had been compromised in the US, as well as three major European pharmaceutical firms. Three law firms and two resources companies have also been attacked.

"Over time, a picture has emerged of a cybercrime gang systematically targeting large corporations in order to steal confidential data," Symantec wrote.

Morpho has successfully compromised Microsoft Exchange or Lotus Domino email servers in order to intercept company emails in many attacks, Symantec said, as well as enterprise content management systems.

"In some instances, the group has zoned in on specialist systems. For example, one attack saw it gain access to a physical security information management (PSIM) system, which is used for managing and monitoring physical security systems, including swipe card access," Symantec wrote.

"This could have provided the attackers with access to CCTV feeds, allowing them to track the movement of people around buildings."

Morpho's malware is written in fluent English and the group displays knowledge of English-speaking pop culture, Symantec said.

Similarly, its command and control server activity is the highest during the US working day.