Credit: Matt Kapko
Symantec has identified a group of cybercriminals, whom they've named "Morpho," as targeting corporate intellectual property for financial gains, with Twitter, Facebook, Apple and Microsoft among those hit.
"Attackers going after intellectual property is not that usual," said Vikram Thakur, senior manager at Symantec.
However, those attackers tend to be state-sponsored and target information of military or other strategic importance.
"That kind of intellectual property is of high value to nations across the board," he said.
But Morpho goes after research documents produced by civilian firms across a wide variety of industries.
In 2013, the companies hit tended to be technology companies; then Morpho began going after legal and pharmaceutical firms.
"In the last month, we started seeing commodity companies hit -- oil, natural gas, and mining," said Thakur.
What all these companies have in common is that they're publicly listed, and most are in the Fortune 200.
Another common thread is that attacks often occur after the corporation has been in the news as a result of possible merger and acquisition activity, he added.
"We do not believe that this is the work of any nation state," he said. "We don't even think that this is work done on behest of any nation state."
Thakur said that there have also been no signs on the Dark Web of criminals trying to sell this information on the black market.
"It's difficult for one entity to be selling this intellectual property and not being exposed over the past three years," he said.
That leaves just one explanation, he added.
"We think a group of people is deliberately stealing this information for some sort of insider trading in the financial markets," he said.
However, Symantec hasn't been able to link the thefts with any stock market activity around the time of the theft, either because the criminals are using the information for longer-term activity, or because they are very good at covering their tracks.
Thakur said that, so far, they've left little evidence behind, deleting their malware and cleaning up other traces after themselves.
For example, on occasion particular external servers were used to conduct the attacks. When Symantec investigated, it discovered that the servers were fully paid for, not hacked -- but the criminals had paid for them in Bitcoin. And not just in a single Bitcoin payment, but in small batches of Bitcoin from different accounts.
"It made it virtually impossible to figure out where all those different Bitcoin had come from," he said.
To attack the companies, Morpho uses watering holes -- compromised websites known to be visited by people working in the target companies.