Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

antivirus
German gang’s activities compromise 300+ European institutions, including major banks, corporations and government agencies

Longest ever malware operation undermines “confidentiality and integrity of European data”.

Israelis identify the Trojan malware used in the cyber attack

Unsigned malware installed using 800 front companies registered in the UK has been used to target major banks, large corporations and government agencies in Germany, Switzerland and Austria in a sustained cyber attack over a 13-year period. Victims of this latest espionage scandal are thought to have been systematically pumped for sensitive information as far back as 2002. The Trojan responsible has finally been identified by an Israeli security company following reports of unusual activity on a client’s corporate server.

German gang get away with massive and sustained attack for 13 years

From 2002, the German cyber crime network responsible for the attack performed targeted penetrations on over 300 organisations. Their victims included leading commercial companies, government institutions, research laboratories and organisations involved in critical infrastructure in German-speaking countries. The attackers planted Trojans in specific workstations, gained access to sensitive confidential documents and information, and silently delivered this information to the organisations presumed to have ordered the attack.

Israeli cyber security firm CYBERTINEL announced in a press release that it was responsible for discovering the ‘Harkonnen Operation’. The criminals attacked government servers, banks, and large corporations in Germany, Switzerland, and Austria, using over 800 phoney front companies — all with the same IP address — and deploying unique malware to siphon secret and sensitive data off the servers.  The name ‘Harkonnen’ is likely to refer to the villains of the cult science fiction novel Dune, by Frank Herbert. In the story, Baron Vladimir Harkonnen declares that “He who controls the spice, controls the universe”.

Exfiltrated data thought to have been extracted over ‘long periods’.

The Harkonnen Operation was initiated using a ‘spear phishing’ attack  to install two Trojans, which had been created in Germany. Once embedded in the system, the malware identified and copied data from the target computer, which was then sent on to an external domain. The domain that CYBERTINEL traced the information to was registered to a UK company, which happened to share its exact address and contact details with 833 other companies. The majority of these other ‘companies’ had already been dissolved.

These front companies acquired hundreds of domain names, IP addresses and wildcard certificates at an estimated expense of $150,000 in order to camouflage fraudulent activity as a function of legitimate services. The stolen data was collected on servers hosted by these domains.

“This scam has been going for more than a decade, since 2002.” CYBERTINEL CEO Kobi Ben-Naim said, “It had all the trappings of a coordinated, methodical attack by a large, wealthy, and cyber-savvy organization — perhaps a government”. But Ben-Naim said he wouldn’t necessarily go that far: “I prefer not to speculate on whether we are talking about a government program. If anything, it feels to me more like an organized crime operation.”

Worryingly, it would seem that Internet regulators in the UK – thought of by many international corporations as a relatively safe haven for Internet businesses – did not notice that over 800 shell companies shared the same IP addresses and contact information. “This was not necessarily the most sophisticated attack, because there were so many clues that something unusual was going on,” said Ben-Naim. “I think it would be legitimate to ask some questions about the process involved here.”

Read more at: Israeli firm busts 13-year-long Europe hack attack | The Times of Israel http://www.timesofisrael.com/israeli-firm-busts-13-year-long-europe-hack-attack/#ixzz3DV5PqBo2

The mechanism used to deliver the malware was unsigned, meaning that it had not been identified by antivirus experts.

“The network exploited the UK’s relatively tolerant requirements for purchasing SSL security certificates, and established British front companies so they could emulate legitimate web services,” said Jonathan Gad, chief executive of distributor Elite Cyber Solutions, CYBERTINEL’s UK partner. “The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years.” He added, “At this point, we are aware of the extent of the network, but the damage to the organisations who have been victims in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable.” [Source: The Hacker News: 16th September 2014]

IT Governance will report further on this important European hacking story in the coming days, including comments from affected organisations.

In the meantime, CISOs and information security officers should take note of the IP addresses used to infect target organisations/computers and to collect the stolen documents and data – see below:

IP addresses and URLs used in Harkonnen Operation

Domain names IP addresses
64-bit.to64-up.toadcall.deawsmazon.comcastellinews.it

dongtaiwang.com

download-web-shield.com

ebayrt.com

feeds.to

goal.to

googlesyntication.com

howto.to

hunter.to

linktrackingnet.com

linkvista.de

maps-24.to

public-load.com

score.to

setup.to

stopp.to

thats.to

tradesdoubler.com

trans.to

trends.to

tweetprocesor.com

uses.to

vill.to

vree.to

win-64.to

zanox-afiliate.com

*.srv.gutscheinfilter.de

*.srv.ns-lookups.com

82.98.97.176 – 82.98.97.19182.98.97.192/28212.19.32.0 – 212.19.32.15212.19.36.192/27

Source: http://CYBERTINEL.com/wp-content/uploads/2014/09/Appendix-1-HAZARDOUS-IP-AND-URL-%E2%80%93-HARKONNEN-OPERATION.pdf

The attack shows how one small phishing scam that places malware on only one of an organisation’s machines has been able to infect literally hundreds of organisations.

How far have the hackers already penetrated European national security?

That the scammers invested over $150,000 to make its UK businesses appear legitimate would suggest a determined and sustained attack that is likely to be the work of an organised criminal gang. Such a group is likely to have hired some of the best talent available, as the length of time it took to detect the malware points to a detailed understanding of security measures that corporations and governments routinely deploy to detect similar intrusions.

More on this story to follow. Bookmark this page and follow us on Twitter.

IT Governance have recently released an infographic titled: Fighting cyber crime in the UK. This infographic gathers the latest facts and figures on cyber crime in the UK, and offers suitable solutions to fight back.

#   #   #

We can help you to implement effective cyber security procedures and controls using ISO27001.

ISO27001 is the international information security management best-practice standard that will help you protect your information assets, comply with local requirements and thrive as you give your customers confidence that their information is protected.

Find out more about ISO27001 and our packaged solutions to help you implement the Standard at a speed and budget appropriate to you.

https://www.itgovernance.eu/t-iso27001-solutions.aspx

Put your detailed questions to our consultants and learn from the experts:

00 800 48 484 484

Bookmark this page as well!

Leave a Reply

Your email address will not be published. Required fields are marked *