In 2013, a hacker group known to Kaspersky Lab as “Wild Neutron” (and which is also known as “Jripbot” and “Morpho”) attacked several high profile companies including Apple, Facebook, Twitter and Microsoft. After the incident was widely publicized, the threat actor went dark for almost a year. In late 2013 and early 2014, the attacks resumed and have continued in 2015.
The actor uses a stolen valid code verification certificate and an unknown Flash Player exploit to infect companies and private users around the world and steal sensitive business information.
Kaspersky Lab researchers were able to identify targets of Wild Neutron in 11 countries and territories, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States. They include:Law firms,Bitcoin-related companies,Investment companies,Groups of large companies often involved in M&A deals,IT companies,Healthcare companies,Real estate companies,Individual users.
The focus of the attacks suggests that this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes Kaspersky Lab researchers believe it’s a powerful entity engaged in espionage, possibly for economic reasons.