Symantec is hot on the digital trail of Butterfly, a group of hackers who have successfully exfiltrated corporate secrets from 49 organizations in more than 20 countries.
Symantec is taking its professed mission of "helping consumers and organizations secure and manage their information-driven world" to the next level by adding counterespionage to its list of services. As proof, I submit the recently released Symantec white paper Butterfly: Corporate spies out for financial gain (PDF). Here's an excerpt:
"Butterfly is a group of highly capable, professional attackers who perform corporate espionage with a laser-like focus on operational security. The team is a major threat to organizations that have large volumes of proprietary intellectual property, all of which is at risk of being stolen by this group for monetary gain."
Note: Symantec renamed the group Butterfly to avoid any link whatsoever to other legitimate corporate entities named Morpho.
The chart below from the Symantec paper depicts the number of organizations per industry compromised by Butterfly during the past four years.
The first major attacks
During 2013, Apple, Facebook, Microsoft, and Twitter were compromised. Researchers at Symantec took special note after discovering that all four attacks used the same modus operandi: go after the companies through a website used by mobile-app developers, planting OSX.Pintsized (a Mac OS X back door) and/or Backdoor.Jiripbot (a Windows back door).
Additional reasons why the Butterfly group has captured Symantec's interest are:
- Even though Butterfly has been around since 2012, not much information has been made public about the group.
- Attacks on desired targets are quick and well executed.
- Butterfly attackers have on occasion cleaned up or abandoned a successful break-in, almost as if that particular attack was a mistake.
- An abrupt lull in activity occurred near the end of 2013, and then just as abruptly, attacks started again in late 2014.
Speaking to the group's success, a Symantec employee wrote in a July 8, 2015 blog that, "Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly. Over time, a picture has emerged of a cybercrime gang systematically targeting large corporations to steal confidential data."
The Butterfly attackers have an impressive suite of custom-built malware tools, though the old standbys — OSX.Pintsized and Backdoor.Jiripbot — are often used to gain access. To garner that kind of success, the group's coders tweak the two pieces of malcode as needed for each attack.
Once access is gained, the attackers find and compromise email servers. "Once the attackers have this access, they presumably then eavesdrop on email conversations and may have been in a position to potentially insert fraudulent emails as well," surmised the Symantec researchers.
Content-management servers are another popular Butterfly target. "These systems are used for indexing and storing a company's various documents and other digital assets," mention the researchers. "Such servers would not contain source code, but rather legal documents, internal policies, training documents, product descriptions, and financial records."
When any data of interest is found, the installed malware will send it to the Butterfly group's servers for review and then put it up for sale. "This is a group that has the discipline and organizational skills of a nation state, but they've pointed it towards out and out crime," Kevin Haley, director of security response at Symantec told Yahoo News.
Who are the hackers?
In 2013, The New York Times and other outlets blamed Chinese hackers; Symantec researchers are not that sure, offering three possible theories. The Butterfly hacking group might be:
- a government agency bent on economic espionage;
- an organization of hackers-for-hire; or
- an organization with a single customer.
The report's authors write, "A government agency is the least likely of these theories, given the number of victims that span across various geopolitical boundaries and the lack of targeting of any victims that are related to traditional intelligence-gathering."
The authors believe, "It is far more likely that the Butterfly attackers are an organization of individuals working closely together to either steal intellectual property for another client or for their financial gain, for example through the stock market."
Impressive counterintelligence capabilities
The Symantec researchers are impressed with the Butterfly group's counterintelligence capabilities. "The Butterfly attackers use a number of anti-forensics techniques to prevent detection and presumably hinder an investigation into their activity when discovered," state the researchers. "The group's malware and other files are securely deleted using either the GNU Shred tool, which overwrites a file's contents as well as deleting the index from the file allocation table, or the shred functionality written into a custom tool."
Additional steps taken by Butterfly's attackers include:
- modifying event logs to remove any evidence of the attackers' activity;
- using bogus names and email addresses when registering domains for Command and Control (C&C) servers (also, no reusing names and email addresses); and
- using Bitcoins to pay hosting providers to host their C&C servers.
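As an added, defender-side example (not code from the Symantec report or this article), the Python below flags two traces that event-log tampering of the kind described above tends to leave behind: the Windows events written when a log is cleared (ID 1102 for the Security log, ID 104 for the System log) and gaps in the sequential per-channel record IDs. The log records it parses are constructed sample data in a simplified pipe-separated layout, not real telemetry.

```python
# Event IDs Windows writes when a log is cleared (documented IDs):
# Security log cleared -> 1102, System log cleared -> 104.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample records, "RecordId|Channel|EventID|Message".
# Illustrative data only; the gap between 4102 and 4107 is deliberate.
SAMPLE_LOG = """\
4100|Security|4624|An account was successfully logged on.
4101|Security|4688|A new process has been created.
4102|Security|4688|A new process has been created.
4107|Security|4624|An account was successfully logged on.
4108|Security|1102|The audit log was cleared.
212|System|104|The System log file was cleared.
213|System|7036|The Windows Update service entered the running state.
"""


def parse_records(text):
    """Parse the simplified log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec_id, channel, event_id, message = line.split("|", 3)
        records.append({"record_id": int(rec_id), "channel": channel,
                        "event_id": int(event_id), "message": message})
    return records


def find_anti_forensics(records):
    """Return alert strings for cleared logs and for gaps in record IDs."""
    alerts = []
    last_seen = {}  # channel -> last record id seen
    for r in records:
        if (r["channel"], r["event_id"]) in LOG_CLEARED_EVENTS:
            alerts.append(f"{r['channel']} log cleared "
                          f"(event {r['event_id']}, record {r['record_id']})")
        prev = last_seen.get(r["channel"])
        # Record IDs are assigned sequentially per channel, so a jump in the
        # middle of a log is a heuristic sign that records were removed.
        if prev is not None and r["record_id"] > prev + 1:
            alerts.append(f"{r['channel']} records "
                          f"{prev + 1}-{r['record_id'] - 1} missing")
        last_seen[r["channel"]] = r["record_id"]
    return alerts


if __name__ == "__main__":
    for alert in find_anti_forensics(parse_records(SAMPLE_LOG)):
        print(alert)
```

The record-ID gap check is a heuristic: logs that wrap when full drop their oldest records, not records from the middle, so a mid-log gap is what warrants a closer look.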
The Symantec report's appendix includes a repository of Butterfly information, keys, malware signatures, hashes, and C&C server details for those who want to configure IDS/IPS systems.