Harkonnen Operation - Malware Campaign that Went Undetected for 12 Years

[Matsuda]

A huge data-stealing cyber espionage campaign that targeted Banks, Corporations and Governments in Germany, Switzerland, and Austria for 12 years, has finally come for probably the longest-lived online malware operation in history.

The campaign is dubbed as 'Harkonnen Operation' and involved more than 800 registered front companies in the UK — all using the same IP address – that helped intruder installs malware on victims' servers and network equipments from different organizations, mainly banks, large corporations and government agencies in Germany, Switzerland and Austria.

In total, the cyber criminals made approximately 300 corporations and organisations victims of this well-organised and executed cyber-espionage campaign.

CyberTinel, an Israel-based developer of a signature-less endpoint security platform, uncovered this international cyber-espionage campaign hitting Government institutions, Research Laboratories and critical infrastructure facilities throughout the DACH (Germany, Austria, Switzerland) region.

From the analysis and research work done by CyberTinel, it is believed that the hackers had first penetrated computer networks as far back as 2002 and, according to Elite Cyber Solutions chief executive Jonathan Gad, the damage done to companies since then was "immeasurable".

"The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years." He added, "At this point, we are aware of the extent of the network, but the damage to the organisations who have been victims in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable." "The network exploited the UK’s relatively tolerant requirements for purchasing SSL security certificates, and established British front companies so they could emulate legitimate web services," said Jonathan Gad, chief executive of distributor Elite Cyber Solutions, Cybertinel’s UK partner.

The Harkonnen Operation attack was detailed in a special report [pdf] titled, "HARKONNEN OPERATION CYBER-ESPIONAGE," in which the researchers analysed and discovered companies that were compromised by seemingly generic trojans foisted through spear-phishing attacks.

The fact that the malware was installed via spear-phishing attacks from companies that appear legitimate — with the appropriate digital security certificates — gave the cyber criminals even more anonymity, enabling them to hit very secure servers and steal all types of top-secret documents.

The trojans detected in the attacks were GFILTERSVC.exe from the generic trojan familyTrojan.win7.generic!.bt and wmdmps32.exe.

It is still unclear that who or what is behind the hack, but researchers believe that the malware campaign seems to be more like an organised crime operation than something a government intelligence agencies would do.

The scammers invested over $150,000 — a kingly sum for hackers — on hundreds of domain names, IP addresses and wildcard certificates to make its UK businesses appear legitimate. and in keeping the operation going.



Original Article