11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

This is Google's cache of http://www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/. It is

a snapshot of the page as it appeared on Oct 20, 2014 23:26:21 GMT. The current page could have changed in the
meantime. Learn more
Tip: To quickly find your search term on this page, press Ctrl+F or -F (Mac) and use the find bar.

Text-only version

About Us
Visit our Webshop

IT Governance European Blog

Menu

Blog Home
IT Governance

Business Continuity
PCI DSS

Cyber Security

Data Protection

IT Best Practice

Other Blogs

Operation Harkonnen: European Cyber

Espionage Went Undetected for 13 Years
September 18, 2014 by Michael Shuff Leave a Comment

http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

1/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

German gangs activities compromise 300+ European institutions, including major

banks, corporations and government agencies
Longest ever malware operation undermines confidentiality and integrity of European data.
Israelis identify the Trojan malware used in the cyber attack
Unsigned malware installed using 800 front companies registered in the UK has been used to
target major banks, large corporations and government agencies in Germany, Switzerland
and Austria in a sustained cyber attack over a 13-year period. Victims of this latest
espionage scandal are thought to have been systematically pumped for sensitive information
as far back as 2002. The Trojan responsible has finally been identified by an Israeli security
company following reports of unusual activity on a clients corporate server.
German gang get away with massive and sustained attack for 13 years
From 2002, the German cyber crime network responsible for the attack performed targeted
penetrations on over 300 organisations. Their victims included leading commercial
companies, government institutions, research laboratories and organisations involved in
critical infrastructure in German-speaking countries. The attackers planted Trojans in specific
workstations, gained access to sensitive confidential documents and information, and silently
delivered this information to the organisations presumed to have ordered the attack.

http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

2/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

Israeli cyber security firm CYBERTINEL announced in a press release that it was responsible
for discovering the Harkonnen Operation. The criminals attacked government servers,
banks, and large corporations in Germany, Switzerland, and Austria, using over 800 phoney
front companies all with the same IP address and deploying unique malware to siphon
secret and sensitive data off the servers. The name Harkonnen is likely to refer to the
villains of the cult science fiction novel Dune, by Frank Herbert. In the story, Baron Vladimir
Harkonnen declares that He who controls the spice, controls the universe.
Exfiltrated data thought to have been extracted over long periods.
The Harkonnen Operation was initiated using a spear phishing attack to install two Trojans,
which had been created in Germany. Once embedded in the system, the malware identified
and copied data from the target computer, which was then sent on to an external domain.
The domain that CYBERTINEL traced the information to was registered to a UK company,
which happened to share its exact address and contact details with 833 other companies.
The majority of these other companies had already been dissolved.
These front companies acquired hundreds of domain names, IP addresses and wildcard
certificates at an estimated expense of $150,000 in order to camouflage fraudulent activity
as a function of legitimate services. The stolen data was collected on servers hosted by these
domains.
This scam has been going for more than a decade, since 2002. CYBERTINEL CEO Kobi BenNaim said, It had all the trappings of a coordinated, methodical attack by a large, wealthy,
and cyber-savvy organization perhaps a government. But Ben-Naim said he wouldnt
necessarily go that far: I prefer not to speculate on whether we are talking about a
government program. If anything, it feels to me more like an organized crime operation.
Worryingly, it would seem that Internet regulators in the UK thought of by many
international corporations as a relatively safe haven for Internet businesses did not notice
that over 800 shell companies shared the same IP addresses and contact information. This
was not necessarily the most sophisticated attack, because there were so many clues that
something unusual was going on, said Ben-Naim. I think it would be legitimate to ask
some questions about the process involved here.
Read more at: Israeli firm busts 13-year-long Europe hack attack | The Times of
Israel http://www.timesofisrael.com/israeli-firm-busts-13-year-long-europehack-attack/#ixzz3DV5PqBo2
The mechanism used to deliver the malware was unsigned, meaning that it had not been
identified by antivirus experts.
The network exploited the UKs relatively tolerant requirements for purchasing SSL security
http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

3/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

certificates, and established British front companies so they could emulate legitimate web
services, said Jonathan Gad, chief executive of distributor Elite Cyber Solutions,
CYBERTINELs UK partner. The German attackers behind the network then had total control
over the targeted computers and were able to carry out their espionage undisturbed for
many years. He added, At this point, we are aware of the extent of the network, but the
damage to the organisations who have been victims in terms of loss of valuable data, income
or the exposure of information related to employees and customers is immeasurable.
[Source: The Hacker News: 16th September 2014]
IT Governance will report further on this important European hacking story in the coming
days, including comments from affected organisations.
In the meantime, CISOs and information security officers should take note of the IP
addresses used to infect target organisations/computers and to collect the stolen documents
and data see below:
IP addresses and URLs used in Harkonnen Operation

Domain names

IP addresses

64-bit.to64-

82.98.97.176

up.toadcall.deawsmazon.comcastellinews.it 82.98.97.19182.98.97.192/28212.19.32.0
212.19.32.15212.19.36.192/27
dongtaiwang.com

download-web-shield.com

ebayrt.com

feeds.to

goal.to

googlesyntication.com

howto.to

hunter.to

http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

4/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

linktrackingnet.com

linkvista.de

maps-24.to

public-load.com

score.to

setup.to

stopp.to

thats.to

tradesdoubler.com

trans.to

trends.to

tweetprocesor.com

uses.to

vill.to

vree.to

win-64.to

zanox-afiliate.com

*.srv.gutscheinfilter.de

http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

5/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

*.srv.ns-lookups.com

Source: http://CYBERTINEL.com/wp-content/uploads/2014/09/Appendix-1-HAZARDOUS-IPAND-URL-%E2%80%93-HARKONNEN-OPERATION.pdf
The attack shows how one small phishing scam that places malware on only one of an
organisations machines has been able to infect literally hundreds of organisations.
How far have the hackers already penetrated European national security?
That the scammers invested over $150,000 to make its UK businesses appear legitimate
would suggest a determined and sustained attack that is likely to be the work of an
organised criminal gang. Such a group is likely to have hired some of the best talent
available, as the length of time it took to detect the malware points to a detailed
understanding of security measures that corporations and governments routinely deploy to
detect similar intrusions.
More on this story to follow. Bookmark this page and follow us on Twitter.
IT Governance have recently released an infographic titled: Fighting cyber crime in the UK.
This infographic gathers the latest facts and figures on cyber crime in the UK, and offers
suitable solutions to fight back.
#

We can help you to implement effective cyber security procedures and controls using
ISO27001.
ISO27001 is the international information security management best-practice standard that
will help you protect your information assets, comply with local requirements
and thrive as you give your customers confidence that their information is protected.
Find out more about ISO27001 and our packaged solutions to help you implement the
Standard at a speed and budget appropriate to you.
http://www.itgovernance.eu/t-iso27001-solutions.aspx
Put your detailed questions to our consultants and learn from the experts:

http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

6/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

00 800 48 484 484

Bookmark this page as well!

100

Shares

17

20

63

Filed Under: Breaches and Hacks, Cyber Security

Share your thoughts

Enter your comment here...

SUBSCRIBE TO OUR BLOG!

Name

Email *
http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

7/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

SUBSCRIBE

DOWNLOAD OUR GREEN PAPERS

SEARCH
Search this website

JOIN US ON TWITTER
Tweets

Follow

IT Governance
@ITGovernance

1h

Security firm G4S sees share price knocked by

12 #hoax bit.ly/1AbCcgm
Show Summary
IT Governance
@ITGovernance

1h

Citigroup, U.S. Bank and HSBC quizzed by top

Democrats over data breaches

Tweet to @ITGovernance

ARCHIVES
Select Month

TAGS
APT Business Continuity
COBIT

Cloud Computing

CyberCrime Cyber Resilience

http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

8/9

11/19/2014

Operation Harkonnen: European Cyber Espionage Went Undetected for 13 Years

Cyber Security
CyberTerror

CyberWar

Protection Act

data breach

Data

Data Security

DPA eu data protection

directive european data protection directive

GDPR

ISMS

ISO 27001 IT-GRC

ITIL ITIL 2011 updates it service

management

ITSM

jobs PCI DSS Training

vulnerability

2003-2014 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification |

eCommerce by Xanthos

http://webcache.googleusercontent.com/search?q=cache:2K6zGhSpoQkJ:www.itgovernance.eu/blog/european-cyber-espionage-went-undetected-for-13-years/

9/9