Symantec has identified a group of cybercriminals targeting corporate IP, with Twitter, Facebook, Apple and Microsoft among those hit.

Symantec has identified a group of cybercriminals, whom they’ve named “Butterfly,” as targeting corporate intellectual property for financial gains, with Twitter, Facebook, Apple and Microsoft among those hit.

“Attackers going after intellectual property is not that usual,” said Vikram Thakur, senior manager at Symantec.

“Butterfly” was originally named “Morpho,” but the latter name was taken.

Unfortunately, a name like “Butterfly” doesn’t do much to convey the level of threat the group poses. “Butterfly” by itself doesn’t sound too ominous, but “Istanbul Butterfly” or “Seaweed Butterfly” instantly sound better. However, those attackers tend to be state-sponsored and target information of military or other strategic importance.

“That kind of intellectual property is of high value to nations across the board,” he said. But Butterfly goes after research documents produced by civilian firms across a wide variety of industries.

In 2013, the companies hit tended to be technology companies; then Butterfly began going after legal and pharmaceutical firms.

“In the last month, we started seeing commodity companies hit — oil, natural gas, and mining,” said Thakur.

What all these companies have in common is that they’re publicly listed, and most are in the Fortune 200. Another common thread is that attacks often occur after the corporation has been in the news as a result of possible merger and acquisition activity, he added.

“We do not believe that this is the work of any nation state,” he said. “We don’t even think that this is work done at the behest of any nation state.”

Thakur said that there have also been no signs on the Dark Web of criminals trying to sell this information on the black market.

“It’s difficult for one entity to be selling this intellectual property and not being exposed over the past three years,” he said.

That leaves just one explanation, he added.

“We think a group of people is deliberately stealing this information for some sort of insider trading in the financial markets,” he said.

However, Symantec hasn’t been able to link the thefts with any stock market activity around the time of the theft, either because the criminals are using the information for longer-term activity, or because they are very good at covering their tracks.

Thakur said that, so far, they’ve left little evidence behind, deleting their malware and cleaning up other traces after themselves.

For example, on occasion particular external servers were used to conduct the attacks. When Symantec investigated, it discovered that the servers were fully paid for, not hacked — but the criminals had paid for them in Bitcoin. And not just in a single Bitcoin payment, but in small batches of Bitcoin from different accounts.

“It made it virtually impossible to figure out where all those different Bitcoin had come from,” he said.

To attack the companies, Morpho uses watering holes — compromised websites known to be visited by people working in the target companies.

“They also used a couple of zero days, so we know they are funded pretty well,” said Thakur. “In the underground, you have to spend a lot of money to get access to the zero days — or have a lot of technical know-how to do it yourself.”

There is another possible explanation for how this group works, according to Ron Arden, vice president at security firm Fasoo. They could be hackers for hire, ready to go to work for anyone motivated enough to hire them, he said. These kinds of deals are often arranged through intermediaries, he said.

“About a year ago, there was a Korean company that bribed DuPont employees to steal information so they could recreate chemical products,” he said.

Criminals looking for stock market tips are more likely to be going after financial documents or five-year plans, he said.

“If they’re stealing formulas for pharmaceuticals or manufacturing designs, it’s more likely that they’re trying to sell it to someone who, say, might want to make knock-offs.”