The group which has been identified as Wild Neutron or Morpho by Symantec Corp. and Kaspersky Lab, has broken into the networks of over 45 large companies since 2012. Symantec says that the group appears to be among the few that display significant talent without backing from a national government. “They are very focused, wanting everything valuable from the top companies of the world,” said Vikram Thakur, a Symantec senior manager. “The only way they could use it, in our opinion, is through some financial market or by selling it.” Symantec said Morpho had dropped out of sight for months after press accounts of the breaches of Microsoft, Apple and other big tech firms in early 2103 shone a light on their techniques, which included use of a previously unknown “zero-day” flaw in Oracle’s Java platform. Symantec said that Morpho also used a “watering hole” infecting websites that were likely to attract employees of its targets as visitors. Employees of an iPhone developers were targeted through this method. Symantec has identified 49 different organizations in over 20 countries that have fallen victim to the Morpho group since 2012. The majority of them were from the technology, pharmaceutical, commodities and legal sectors and were based in the U.S., Canada or Europe. Kaspersky identified additional companies compromised by the group that are involved in Bitcoin cryptocurrency, investments, healthcare, real estate, merger and acquisition deals, as well as individual users. “Morpho is a skilled, persistent, and effective attack group which has been active since at least March 2012,” researchers from security firm Symantec wrote in a report published Wednesday. “They are well resourced, using at least one or possibly two zero-day exploits. Their motivation is very likely to be financial gain and given that they have been active for at least three years, they must be successful at monetizing their operation.” Researchers from Kaspersky Lab, who released their own independent report on Morpho. The Kaspersky report said that group has been active since at least 2011, and besides the Java zero-day from exploit, Morpho has started using a valid digital certificate issued to Acer Incorporated to get past code-signing requirements built into modern operating systems. They also detected the recent use of an “unknown Flash Player exploit, an indication the attackers may be using yet another zero-day exploit. Morpho has breached about 49 organizations that Symantec knows about since 2012, with the number penetrated each year rising to 14 by 2015. Majority of the victims of Morpho are situated in United States, Europe and Canada according to Symantec. Thakur said his team thinks the group might have about 10 members around the world, with some fluent in English and one or more perhaps having worked at an intelligence agency. They could be offering themselves for hire or could be breaking into companies on speculation and trying to sell the information or trading in shares based on it.