A 12-year-long European cybercrime operation targeting more than 300 banks,
governments, research labs, critical infrastructure facilities and
more has finally been discovered and scuppered.
Israel-based Cybertinel and Elite Cyber Solutions discovered the
network, which has been using spear phishing to infiltrate and
plant trojans in organisations in Germany, Austria and Switzerland.
The hack, nicknamed the Harkonnen Operation, achieved this with the
help of 833 front companies registered in the UK.
In a statement, Elite Cyber Solutions chief executive Jonathan
Gad said the operation was made possible because of “the UK’s
relatively tolerant requirements for purchasing SSL security
certificates”. You can find the full list of domain names, along
with four offending IP addresses, here.
“The German attackers behind the network then had total control
over the targeted computers and were able to carry out their
espionage undisturbed for many years,” said Gad.
The operation has been ongoing for so long, unencumbered, the
security companies expect to discover infiltration across other
nations in Europe — including here in the UK.
The good news is the perpetrators have apparently been
identified — or at least, their digital footprint has been — and
the affected companies are collaborating with German police.
The problem right now is knowing just how deep the infiltration
has gone, and what data has been taken. The security companies have
only noted that it had been targeting “key executives” — including
international clients — “to deliver sensitive and confidential
“At this point, we are aware of the extent of the ‘Harkonnen
Operation’, but the damage to the organisations who have been
victims in terms of loss of valuable data, income or the exposure
of information related to employees and customers is immeasurable,”
CEO of Cybertinel Kobi Ben-Naim, however, has told ZDNet the operation relates to “things like studies on
biological warfare and nuclear physics, infrastructure security
plans, corporate financial documents,” along with bank account and
credit card details. He adds that the perpetrators were able to
carry out the operation for so long because they never stayed in a
system for very long — except in one case we know of, which is
what scuppered them in the end.
The system was discovered when Cybertinel was implementing its
security platform at one of the operation’s targets, described as
a 30-year-old company with 300 employees that holds
“extremely sensitive information with a strategic value to many
adverse organisations and countries”.
In this specific case, the operation had only been running since
2013, making use of two German-made Trojans. Working backwards, the security firms discovered the
data was being sent to a domain registered in the UK, which had the
same contact details and address as another 833 companies. Those
companies had footed a bill of around $150,000 (£92,600) to buy up
domain names and IP addresses.
In a report, the security agencies conclude, rather troublingly:
“No organisation, public or private, is safe from commercial,
industrial or national threats.”