A 12-year-old cybercrime operation targeting more than 300 governments, banks, SMBs and critical infrastructure facilities in Europe has finally been discovered and brought to an end.
Israel-based Cybertinel and Elite Cyber Solutions discovered the network, which has been using spear phishing to plant Trojans and infiltrate organizations in Germany, Switzerland and Austria. The hacking campaign, called the ‘Harkonnen Operation’, achieved this with the assistance of 833 front companies registered in the UK.
The Harkonnen campaign was discovered in early August after the researchers stumbled upon unknown Trojans on the network of an unnamed German customer. The details obtained by the researchers suggest this is a rare example of a long-standing, professional hacking-for-hire attack that also targeted firms possibly beyond the known list of targets, including banks, SMBs and other organizations in the UK.
The Harkonnen Operation, according to CyberTinel CEO Kobi Ben-Naim, relied on what appeared to be legitimate mailing addresses, which enabled the front companies to register with DNS servers and made it easier for the hackers to obtain digital security certificates.
“Thanks to the certificates, the hacker fronts were considered legitimate, so no one bothered checking them out,” Ben-Naim stated – allowing the operation to continue for more than a decade.
In a statement obtained by Wired UK, Elite Cyber Solutions chief executive Jonathan Gad said the operation was made possible by “the UK’s relatively tolerant requirements for purchasing SSL security certificates”. The full list of domain names, and four offending IP addresses, can be obtained from this link.
“The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years,” Gad said. “The damage to the organizations who have been victims in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable.”
The Harkonnen Operation attack was detailed in a special report, which found that companies essentially became victims because of Trojans foisted on them via spear-phishing attacks. It is not known whether anti-virus software was not running at the targeted organizations, failed to detect the threat, or could not detect it because the malware was obfuscated or encrypted. The Trojans detected in the attacks were GFILTERSVC.exe from the generic family of Trojans: wmdmps32.exe & Trojan.win7.generic!.bt.
The attacks were first discovered in a German organization holding “extremely sensitive information” that was using security equipment worth tens of thousands of Euros, run by security personnel. The researchers said the equipment was operated in compliance with current standards, but the malware still managed to get in. The criminals spent $150,000 to buy hundreds of IP addresses, domain names and wildcard certificates to make their UK businesses look legitimate.
Taking measures against such threats
How were the hackers able to get away with this activity for 12 years? One of their secrets was that they didn’t contact a server until they knew what they wanted from it.
“They were after very specific items, so their method of operation was to swoop in and get out very quickly in the hope that nobody would notice,” Ben-Naim revealed.
Companies can combat such threats with solutions like Massive’s Strixus, which uses natural language processing and rule sets interpreted by partner analysts. This puts a critical ‘human in the loop’, which brings down false positives and focuses attention on alerts backed by actionable intelligence.
Such solutions can detect attempts to target a corporation and trace the whereabouts of the criminals by watching server and system activity. The goal is to keep a finger on the pulse: close-to-real-time alerts, each reviewed by a real human, carrying details of the incident and an indicated threat level, sent directly to the personnel in charge of security.
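The “swoop in and get out” pattern described above (few connections, to a destination almost nobody else in the organization talks to, moving a lot of data in a short window) is something a defender can look for in ordinary proxy logs. The following is an added example, not code from the article or from any vendor it names; the log lines, host names and domains are constructed for the demonstration, and the thresholds are assumptions an analyst would tune. It returns alerts for a human to review rather than blocking anything, which matches the ‘human in the loop’ approach the text describes.

```python
"""Flag rare, short-lived, high-volume outbound connections in a proxy log.

Added example, not from the article. Log format, hosts, domains and
thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, source host, destination domain, bytes sent.
# The 'updates' domain is contacted by many hosts (normal); the 'rare-front'
# domain is hit twice by one host within seconds, sending several megabytes.
SAMPLE_LOG = """\
2014-08-01T09:00:01 ws-17 updates.example-vendor.test 1200
2014-08-01T09:05:13 ws-17 updates.example-vendor.test 980
2014-08-01T09:06:44 ws-03 updates.example-vendor.test 1010
2014-08-01T10:12:09 ws-22 updates.example-vendor.test 1500
2014-08-01T11:30:00 ws-09 cdn.example-vendor.test 800
2014-08-01T13:02:17 ws-17 rare-front.example.test 2048000
2014-08-01T13:02:31 ws-17 rare-front.example.test 1536000
2014-08-02T09:00:05 ws-17 updates.example-vendor.test 1100
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, host, domain, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, domain, int(nbytes)))
    return events


def find_rare_bursts(events, max_hosts=1, max_events=3,
                     min_bytes=1_000_000, window_minutes=10):
    """Return review alerts for (host, domain) pairs where:
      * the domain is contacted by at most `max_hosts` distinct hosts overall
        (i.e. it is rare inside this organization),
      * that host made at most `max_events` connections to it,
      * those connections fall within `window_minutes`, and
      * the bytes sent add up to at least `min_bytes`.
    Thresholds are assumptions; tune them to the environment's baseline.
    """
    hosts_per_domain = defaultdict(set)
    per_pair = defaultdict(list)
    for ts, host, domain, nbytes in events:
        hosts_per_domain[domain].add(host)
        per_pair[(host, domain)].append((ts, nbytes))

    alerts = []
    for (host, domain), items in per_pair.items():
        if len(hosts_per_domain[domain]) > max_hosts:
            continue  # widely used destination, not the rare pattern we want
        if len(items) > max_events:
            continue  # chatty connection, more like a beacon than a quick grab
        items.sort()
        span_min = (items[-1][0] - items[0][0]).total_seconds() / 60
        total = sum(b for _, b in items)
        if span_min <= window_minutes and total >= min_bytes:
            alerts.append({
                "host": host,
                "domain": domain,
                "connections": len(items),
                "bytes_out": total,
                "span_minutes": round(span_min, 1),
                "threat_level": "high" if total >= 10 * min_bytes else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rare_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this yields a single alert for `ws-17` talking to `rare-front.example.test`: two connections 14 seconds apart carrying roughly 3.5 MB out. The widely used update domain is ignored because many hosts contact it, and the one-off `cdn` request is ignored because it moves almost no data. In a real deployment the rarity test would run against a longer baseline than a single day so that legitimately new services do not all look suspicious.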