'Harkonnen' espionage Trojan stole data from 300 European SMBs

Unknown malware used in attacks dating back to 2002

Hundreds of UK-registered companies were used for more than a decade as fronts for a huge data-stealing cyber-espionage campaign that targeted 300 SMBs in Germany, Austria and Switzerland, Israeli security startup Cybertinel has claimed.

The firm said it discovered the mystery 'Harkonnen' campaign in early August after chancing upon previously unknown Trojans on the network of an unnamed German customer.

From the details released to the press, this looks like a rare example of a professional hacking-for-hire attack of long standing that possibly also targeted firms beyond the known target list, including in the UK.

Unusual details include the attack's design, which over time involved setting up 833 bogus companies in the UK using a single address in the town of Wakefield, then registering legitimate domains and SSL certificates for them that were used to receive stolen data.

Although it sounds impressive, this sort of command and control is highly esoteric when most contemporary criminals simply encrypt data and send it to hijacked (legitimate) hosts. The attacks also eschewed software vulnerabilities, relying instead on the highly targeted nature of the attacks to evade security systems, which it clearly did with ease.

This approach added $150,000 (£100,000) in registration fees, but it also made it possible for Cybertinel to infer that the campaign had been running since 2002, the point at which these firms started appearing.

The detected Harkonnen attack itself was dated to June 2013, the firm said. The malware was delivered to targets by a standard phishing attack.

"The network exploited the UK's relatively tolerant requirements for purchasing SSL security certificates, and established British front companies so they could emulate legitimate web services," said Jonathan Gad of distributor Elite Cyber Solutions, Cybertinel's UK partner.

"The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years."

When Gad says 'German' he means that the Trojans were created in Germany, although provenance is hard to pin down beyond that general description.

However, on the basis of this evidence, especially its age, Harkonnen sounds more like a small company selling targeted hacking than a general cybercrime operation in Eastern Europe. The motivation would be simple industrial espionage: stealing the secrets of rivals.

A similar platform was used in an infamous software espionage case in Israel in 2005, another Trojan attack that successfully evaded defences and was only discovered after an author demanded a police investigation when some of his unpublished work somehow appeared on the Internet.

"At this point, we are aware of the extent of the network, but the damage to the organisations who have been victims in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable," said Gad.

Although the targets cluster in Germany, Austria and Switzerland, it seems likely that companies in other European countries, including the UK, may also have been affected.

Companies can check whether they are on the victim list by studying a list of IP addresses and domains provided by Cybertinel.
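The check described above amounts to matching an organisation's own proxy or DNS logs against the indicator list. The following is an added example of that matching, not code from Cybertinel or from the article; the indicator domains, the IP range and the log lines are all constructed placeholders (the real list is the one Cybertinel published), and the log format is a simplified one assumed for illustration.

```python
"""Match web-proxy log lines against an indicator list of domains and IP ranges."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators; NOT values from the article or from
# Cybertinel's list. Substitute the published domains and addresses here.
IOC_DOMAINS = {"example-front-company.co.uk", "update.example-front-service.com"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Constructed sample log lines in an assumed simplified format:
# <timestamp> <client-ip> <method> <url> <destination-ip>
SAMPLE_LOG = """\
2013-06-12T09:14:02Z 10.0.0.15 GET https://update.example-front-service.com/sync 203.0.113.7
2013-06-12T09:14:05Z 10.0.0.15 GET https://www.example.org/ 198.51.100.3
2013-06-12T09:15:11Z 10.0.0.22 POST https://mail.example-front-company.co.uk/upload 203.0.113.9
2013-06-12T09:16:40Z 10.0.0.30 GET https://cdn.example.net/lib.js 198.51.100.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def domain_matches(host, ioc_domains):
    """True if host equals an indicator domain or is a subdomain of one.

    The dot-prefixed suffix test avoids false positives such as
    'notexample-front-company.co.uk' matching 'example-front-company.co.uk'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def ip_matches(ip, networks):
    """True if the string is a valid IP address inside any indicator network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, dest = m.groups()
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "client": client, "method": method, "host": host, "dest": dest}


def find_hits(lines, ioc_domains=IOC_DOMAINS, ioc_networks=IOC_NETWORKS):
    """Return the parsed records whose host or destination IP matches an indicator,
    each annotated with the reasons it matched."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole scan
        reasons = []
        if domain_matches(rec["host"], ioc_domains):
            reasons.append("host %s is on the indicator list" % rec["host"])
        if ip_matches(rec["dest"], ioc_networks):
            reasons.append("destination %s is in an indicator range" % rec["dest"])
        if reasons:
            hits.append(dict(rec, reasons=reasons))
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG.splitlines()):
        print(h["ts"], h["client"], "->", h["host"], "|", "; ".join(h["reasons"]))
```

Both the domain and the IP test are applied independently because a front company's domain may resolve to different addresses over a campaign this long; a hit on either is enough to pull the client machine in for closer investigation, and each hit records which clients talked to which indicator.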


Stories by John E. Dunn
