'Harkonnen' espionage Trojan stole data from 300 European SMBs

Unknown malware used in attacks dating back to 2002

Hundreds of UK-registered companies were used for more than a decade as fronts for a huge data-stealing cyber-espionage campaign that targeted 300 SMBs in Germany, Austria and Switzerland, Israeli security startup Cybertinel has claimed.

The firm said it discovered the mystery 'Harkonnen' campaign in early August after chancing upon previously unknown Trojans on the network of an unnamed German customer.

From the details released to the press, this looks like a rare example of a professional hacking-for-hire attack of long standing that possibly also targeted firms beyond the known target list, including in the UK.

Unusual details include the design of the attack that over time involved setting up 833 bogus companies in the UK using a single address in the town of Wakefield, registering legitimate domains and SSL certificates for them which were used to receive stolen data.

Although it sounds impressive, this sort of command and control is highly esoteric when most contemporary criminals simply encrypt data and send it to hijacked (legitimate) hosts. The attacks also eschewed software vulnerabilities, relying instead on the highly targeted nature of the attacks to evade security systems, which it clearly did with ease.

This approach added $150,000 (£100,000) in registration fees, a choice that made it possible for Cybertinel to accurately infer the length of time the campaign had been ongoing as 2002, the point at which these firms started appearing.

The actual date of the detected Harkonnen attack was dated to June 2013, the firm said. The tactic for getting the malware inside targets was a standard phishing attack.

"The network exploited the UK's relatively tolerant requirements for purchasing SSL security certificates, and established British front companies so they could emulate legitimate web services," said Jonathan Gad of distributor Elite Cyber Solutions, Cybertinel's UK partner.

"The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years."

When Gad says 'German' he means that the Trojans were created in Germany although provenance is hard to pin down beyond that general description.

However, on the basis of this evidence, especially its age, Harkonnen does sound more like a small company selling targeted hacking rather than a more general cybercrime operation in Eastern Europe. The motivation would be simple industrial espionage - stealing the secrets of rivals.

A similar platform was used in an infamous software espionage case in Israel in 2005, another Trojan attack that successfully evaded defences and was only discovered after an author demanded a police investigation after some of his unpublished somehow appeared on the Internet.

"At this point, we are aware of the extent of the network, but the damage to the organisations who have been victims in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable, " said Gad.

Although the targets cluster in Germany, Austria and Switzerland it seemed likely that companies in other European countries, including the UK, might also have been affected.

Companies can check whether they are on the victim list by studying a list of IP addresses and domains provided by Cybertinel.

This story, "'Harkonnen' espionage Trojan stole data from 300 European SMBs" was originally published by Techworld.com.

Copyright © 2014 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!