More evidence has emerged that sophisticated hacking rings are targeting pharma companies for financial gain. The latest report accuses a hacking group of breaking into the systems of three major European pharma companies over the space of 18 months.
Security tech company Symantec ($SYMC) uncovered details of the group's activities, which are reminiscent of the biotech-targeting hacking ring FIN4 in some regards. Like FIN4, the group identified by Symantec--which has been variously dubbed Morpho, Wild Neutron and Butterfly--is interested in high-level corporate information, appears to be unaffiliated to any country and is fluent in both the English language and its culture. Butterfly first came to the world's attention when Apple ($AAPL), Facebook ($FB), Microsoft ($MSFT) and Twitter ($TWTR) were all attacked early in 2013.
The group dipped back below the radar following the attacks but continued to seek access to corporate IT systems. In January 2014, the group's attention reportedly shifted to a major European pharma company. Hackers broke into the IT system at one of the firm's small regional offices and used it as a launchpad from which to attack the rest of the business, infiltrating both its European headquarters and U.S. office. In September 2014 and June 2015, the group gained access to computers in the regional offices of another pair of top European drugmakers.
Symantec said the most recent attack was identified quickly but in the other cases, particularly the January 2014 breach, the hackers avoided detection for a period of time. None of the reports into the breaches have disclosed what information was obtained by the hackers, but Symantec has given a broad overview of what the group wants and how it tries to obtain the information. In many cases, the group has targeted email servers, potentially giving it access to the same sort of private, stock-moving information sought by FIN4. Content management servers are another target.
Butterfly is known to have used at least one zero-day vulnerability--a security flaw the software vendor is unaware of--to access a system. Once inside, it goes from computer to computer looking for a machine that is useful, such as a machine that allowed the group to put a backdoor in a user's profile with a Citrix profile management application. When the hackers come across a useless machine, they cover their tracks and keep searching.
- read the release
- here's the report (PDF)
- and Kaspersky Labs' analysis