One of the biggest and certainly longest-living professional hacking operations in the world is history — thanks to an Israeli company that discovered that thieves have been using a single system to break into computers for more than a decade.
Israeli cyber-security firm Cybertinel said Wednesday that it has broken the “Harkonnen Operation,” which attacked government servers, banks, and large corporations in Germany, Switzerland, and Austria, using over 800 phony front companies — all with the same IP address — using unique malware to siphon secret and sensitive data off the servers.
The most shocking part, said Cybertinel CEO Koby Ben-Naim: “This scam has been going for more than a decade, since 2002.”
Working from its Tel Aviv offices in conjunction with a partner in the UK, Cybertinel discovered the scam in August, after the company was invited in June by a German client to investigate a security breach it could not identify. “They knew they had been attacked, but couldn’t figure out how,” said Ben-Naim. That’s because the Trojan horse that delivered the malware was unsigned, meaning that it had not been identified by anti-virus experts.
“Usually malware is mass-distributed in a particular package, and once it’s identified as malware, anti-virus companies are able to update their systems to detect and eliminate it on clients’ computers,” said Ben-Naim.
The unique twist was that the rogue Trojan horse application used to deliver the malware was different in each attack, said Ben-Naim, so no one “connected the dots” between one attack and the next. The only clue — and the one Cybertinel used to confirm its suspicions that the scam was much bigger than anyone realized — was the fact that the Trojans and the malware were all delivered from a narrow band of IP addresses, indicating a relationship among them.
In fact, the malware came from a phony company in the UK, which delivered the poisonous programs via e-mail and documents that surreptitiously installed the bad code on victims’ servers. Cybertinel traced the malware to the UK address — but checking out the DNS information on its owner, discovered that it was being used by no fewer than 833 companies. Not only was the IP address the same — so was the contact information.
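The infrastructure pivot described above, written out as an added example (not code from the article or from Cybertinel): given DNS and registrant records for a set of domains, group them by hosting IP and by registrant contact details, and flag only the clusters that share both, since a shared IP alone is common on shared hosting. All domain names, IP addresses (taken from the reserved documentation ranges) and contact details below are constructed for the example.

```python
"""
Infrastructure-overlap pivot: cluster domains that share a hosting IP AND the
same registrant contact identity, which is the kind of relationship that links
many apparently separate "companies" to one operator.

Every record here is constructed sample data; no real domain, address or
registrant is represented.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    ip: str               # address the domain's A record resolves to
    registrant_email: str
    registrant_phone: str


def normalize_phone(phone: str) -> str:
    """Reduce a phone number to its last 10 digits so that national and
    international spellings of the same number compare equal."""
    digits = re.sub(r"\D", "", phone)
    return digits[-10:]


# Constructed sample data: four front domains on one host with one contact
# identity (written several different ways), one unrelated domain co-located on
# the same host, and three unrelated domains on a shared-hosting box.
SAMPLE_RECORDS = [
    DomainRecord("alpha-consult.example", "203.0.113.10", "Contact@Holding-Front.example", "+44 20 7946 0000"),
    DomainRecord("beta-logistics.example", "203.0.113.10", "contact@holding-front.example", "020 7946 0000"),
    DomainRecord("gamma-invest.example", "203.0.113.10", "contact@holding-front.example", "+44 (0)20 7946 0000"),
    DomainRecord("delta-media.example", "203.0.113.10", "contact@holding-front.example", "+44 20 7946 0000"),
    DomainRecord("unrelated-shop.example", "203.0.113.10", "owner@unrelated-shop.example", "+44 161 496 0000"),
    DomainRecord("bakery.example", "198.51.100.7", "hello@bakery.example", "+44 113 496 0001"),
    DomainRecord("florist.example", "198.51.100.7", "info@florist.example", "+44 114 496 0002"),
    DomainRecord("garage.example", "198.51.100.7", "mail@garage.example", "+44 115 496 0003"),
]


def cluster_by(records, key):
    """Group domain names by an arbitrary key derived from each record."""
    groups = defaultdict(list)
    for r in records:
        groups[key(r)].append(r.domain)
    return {k: sorted(v) for k, v in groups.items()}


def shared_ip_clusters(records, min_size=3):
    """Domains that merely share a hosting IP. Useful as a first pivot, but
    noisy: shared hosting and CDNs put unrelated sites on one address."""
    clusters = cluster_by(records, key=lambda r: r.ip)
    return {ip: doms for ip, doms in clusters.items() if len(doms) >= min_size}


def suspicious_clusters(records, min_size=3):
    """Domains that share BOTH hosting IP and registrant contact identity.
    The contact overlap is what turns a coincidence into a relationship."""
    clusters = cluster_by(
        records,
        key=lambda r: (r.ip, r.registrant_email.lower(), normalize_phone(r.registrant_phone)),
    )
    return {k: doms for k, doms in clusters.items() if len(doms) >= min_size}


if __name__ == "__main__":
    for ip, doms in shared_ip_clusters(SAMPLE_RECORDS).items():
        print(f"shared IP {ip}: {len(doms)} domains (not conclusive on its own)")
    for (ip, email, phone), doms in suspicious_clusters(SAMPLE_RECORDS).items():
        print(f"FLAG {ip} / {email} / ...{phone}: {', '.join(doms)}")
```

In practice the records would come from passive DNS and registrar (WHOIS/RDAP) lookups rather than an inline list, and the contact normalization would be extended to postal addresses and registrant names; the clustering logic stays the same.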
Why would employees of the German company click on the links that enable the hackers to do their dirty work? To make the scam look even more legitimate, the hackers purchased digital security certificates for the phony firms. Thanks to the certificates, the hacker fronts were considered legitimate, so no one bothered checking them out, said Ben-Naim — and that’s one reason the scam was able to go on for so long.
The digital certificate part of the operation was a stroke of hacker genius, said Ben-Naim, but it also indicates that whoever was behind the scam had deep pockets. “They invested about $150,000 to make this work, so clearly we are talking about professionals.” It emerged that there were two sets of professionals, said Ben-Naim. “The hackers were hired hands, working for some other entity, which was interested in a wide variety of material.”
In the past month, Cybertinel has been in touch with 300 current and former victims, who discovered digital clues indicating that the hackers stole sensitive documents — studies on biological warfare and nuclear physics, as well as plans for key (and top-secret) infrastructure, along with the “usual” bank account and credit card data.
It had all the trappings of a coordinated, methodical attack by a large, wealthy, and cyber-savvy organization — perhaps a government — but Ben-Naim said he wouldn’t necessarily go that far. “I prefer not to speculate on whether we are talking about a government program,” he said. “If anything, it feels to me more like an organized crime operation.”
Most surprising, said Ben-Naim, was how Internet regulators in the UK did not notice that over 800 shell companies were using the same IP addresses and contact information. “This was not necessarily the most sophisticated attack, because there were so many clues that something unusual was going on,” he said. “I think it would be legitimate to ask some questions about the process involved here.”
Cybertinel is about three years old, and has clients around the world. They include governments, armies, large banks, and other major institutions. “Our system is protecting thousands of endpoints in these organizations, recording discovery and prevention of globally headlined attacks while providing the deepest threat protection available,” said Ben-Naim, while declining to name any of the company’s clients.
The Harkonnen attacks showed just how easy it is for hackers to pull off a scam, said Ben-Naim. “One of the secrets of their success was that they were in and out quickly, so even though they used the same infrastructure to attack companies, they only remained on a server for a few months.” In the case of their German client — a 30-year-old corporation with over 300 employees — the hackers stayed on a little longer than usual, giving the company an opportunity to notice that something was amiss.
“The fact that the attacks were relatively short and specifically directed at certain data, and that the Trojans were unsigned, all contributed to the failure by anyone to realize that a major organized attack was going on for such a long time,” he said. “‘You can’t be too careful’ is a lesson I would take from this incident.”