A mercenary hacker group has been linked to a newly disclosed 2013 breach at Microsoft in which the attackers accessed a highly sensitive internal database that held information about software flaws in company products, according to Reuters and prior research conducted by a cohort of cybersecurity experts.
The latest revelations are all the more concerning because the hacker group responsible — dubbed by security researchers as “Wild Neutron,” “ButterFly” or “Zero Wing” — has become virtually untraceable since September 2015. Although experts say that Wild Neutron likely remains active, recent evidence of their exploits is lacking.
“It’s kind of scary to think we haven’t even seen them in a while,” said Brian Bartholomew, a senior security researcher with Kaspersky Lab. “They just sort of fell off the radar … that could be due to a significant change in tactics or tools or just a lull in activity. … It’s anyone’s guess.”
“For high-tech companies and Western governments, this group would be near the top of their list of scary actors that they don’t ever want to see in their networks,” Bartholomew told CyberScoop.
Some researchers believe the group was contracted to break into Apple, Facebook, Twitter and other prominent U.S. technology companies four years ago.
It’s not clear how or if Wild Neutron leveraged the software vulnerabilities it found inside Microsoft to conduct other operations, but Reuters reports that the technology giant acted quickly in 2013 to patch affected software after discovering the digital break-in. Security experts say that the information stored within the aforementioned Microsoft database could have allowed for Wild Neutron to engineer stealthy and perhaps temporarily undetectable intrusions.
“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” Eric Rosenbach, former U.S. deputy assistant secretary of Defense for cyber, told Reuters.
In a statement to CyberScoop, a Microsoft spokesperson said: “In February 2013, we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit. Our investigation found no evidence of information being stolen and used in subsequent attacks.”
Leading cybersecurity firms — including Symantec, FireEye, Palo Alto Network, ESET and Kaspersky Lab — lost track of Wild Neutron not long after the elite hacking group successfully compromised a shortlist of America’s most valuable technology firms several years ago.
“Butterfly remains one of the most elusive corporate espionage attack groups we’ve come across to date. Their attack methodology, along with usage of zero-days, and operational security is amongst the top one percent of attackers we track,” said Vikram Thakur, a technical director from Symantec Security Response. “We believe that Butterfly was, and most likely still is, a small tightly-knit group of highly skilled individuals working to steal intellectual property for their own financial gain.”
The most recent publicly available research concerning Wild Neutron was published in 2015 and authored by two separate firms, Kaspersky Lab and Symantec.
In the past, Wild Neutron has been known to precisely target a wide range of different companies and individuals to collect a variety of information — from traditional intelligence about terrorists to business secrets held by multinational corporations.
Victims of the hacker group include organizations from the pharmaceutical, finance, legal and commodities industries. Governments and other diplomatic organizations, however, are not thought to be a major target for Wild Neutron. The apparent disinterest in nation-state targets calls into question what type of customer might employ the group. Focusing on U.S. technology companies could in turn have provided valuable insight into how to compromise other targets.
This odd targeting behavior is the primary reason for why Bartholomew and fellow Kaspersky Lab researcher Juan Andrés Guerrero-Saade speculated last year that the group is likely comprised by contractors working on the behalf of various customers, including possibly nation-states.
For researchers, Wild Neutron represents one of the great mysteries in the threat intelligence space.
A white paper written by Symantec published in July 2015 notes: “Butterfly is a group of … professional attackers who perform corporate espionage with a laser-like focus on operational security. The team is a major threat to organizations that have large volumes of proprietary intellectual property, all of which is at risk of being stolen by this group for monetary gain … There are some indications that this group may be made up of native English speakers, are familiar with Western culture, and may operate from an Eastern Standard Time (EST) time zone.”
Symantec concluded that Wild Neutron once had access to “at least one zero-day exploit, likely two and possibly more.”
The term zero-day is indicative of a software flaw that remains unknown to the software’s creator. Zero-days can be highly disruptive because they provide a window of time for an attacker to breach victims before the vendor is able to properly apply a software update to address the specific security hole.
Very little is known about what Wild Neutron has done for the last two years.
Tracking Wild Neutron is difficult because, among other things, the group follows “fantastic [operational security],” said Bartholomew, and has shown the ability and willingness to “false flag.” In other words, Wild Neutron was previously found injecting random code into their malware and used borrowed techniques to obfuscate attribution from investigators. These actions, in addition to using advanced capabilities, could make it more challenging to associate the group with more contemporary data breach incidents.