Hackers Spend $150K to Disguise 12 Year Info-Stealing Campaign

Security researchers have lifted the lid on a covert 12-year long data stealing operation in which a German cybercrime gang hired itself out to commit industrial espionage for clients, using over 800 “front” companies registered in the UK.

The 'Harkonnen Operation' was uncovered by Israeli security firm Cybertinel last year when it discovered an information-stealing trojan had been secretly embedded into a client’s infrastructure using spear-phishing techniques.

As it dug deeper, the firm uncovered a vast espionage system which has targeted over 300 organizations in Germany, Austria and Switzerland including tier-one commercial companies, government institutions, research laboratories and critical infrastructure facilities.

Unusually for a targeted attack campaign, the group behind Harkonnen chose not to send the exfiltrated data to a hijacked domain, but instead spent $150,000 setting up legitimately registered companies with legitimate domains and certificates in the UK – making it much harder to detect.

“If they would have hijacked legitimate hosts they would have risked detection much earlier, which would have put their entire attack business at risk,” explained Jonathan Gad of Cybertinel partner Elite Cyber Solutions.

“Remember, technically, the infrastructure was completely real. You could look up the companies at Companies House, or the domains etc, and see a real entity with an address and phone number. These hackers were long-term serious hackers, so they made long-term serious investments which look like they paid off.”

Gad told Infosecurity that the lack of checks made on companies registering domains in the UK helped the gang get away with their campaign for so long.

For example, many of the 833 ‘companies’ were registered with the same physical address in Wakefield but with the same phone number, a German number.

In addition many were closed a few months after opening but the certs were renewed annually.

“It does seem that better checks could be done on company registration/cert buying etc to avoid this kind of scam. In other countries a range of additional checks are done when buying certs, so the UK could include some of these too,” Gad argued.

“Another ‘red flag’ was the fact that the certs bought were ‘wildcard’ – ie they could be used with multiple domains. These cost much more than normal certificates so most organizations don’t buy them. The fact that the hackers did should have made someone want to understand why.”

There’s no hint that the cybercrime gang involved in this operation was state-sponsored.

This is the tale of a highly successful financially motivated gang-for-hire, offering its services to companies for industrial espionage, said Gad.

“The companies attacked are leading, high-end companies in their markets so the information stolen would be of high value in the right hands,” he added.

What’s Hot on Infosecurity Magazine?