12 years old and finally over: Is the Harkonnen Operation the longest-running malware campaign so far?

Cyber-criminals targeting European corporations and governments managed to stay undetected since 2002 - until one security company found them.
Written by David Shamah, Contributor

The end has finally come for probably the longest-lived online malware operation in history — a scam that since 2002 has been targeting banks, corporations and governments in Germany, Switzerland, and Austria.

The 'Harkonnen Operation', as it has become known, involved more than 800 UK-based phony front companies — all using the same IP address — that helped install malware on victims' servers and networks. In all, some 300 corporations and organisations were victims of the well-organised and executed attack.

The 'Harkonnen Operation' wasn't necessarily the most sophisticated hack attack ever, according to Kobi Ben-Naim, CEO of CyberTinel, the Israeli security company that stopped the attack — but having what appeared to be legitimate mailing addresses allowed the front companies to register with DNS servers and made it easier for the scammers to obtain digital security certificates.

"Thanks to the certificates, the hacker fronts were considered legitimate, so no one bothered checking them out," Ben-Naim said — allowing the operation to go on for nearly 13 years.

CyberTinel got involved in the matter when a German client — "a large firm you have definitely heard of," Ben-Naim said — noticed traffic inconsistencies on its servers. Investigating the inconsistencies, CyberTinel was able to trace the activity to what appeared to be a command and control server in Germany.

The malware, Ben-Naim said, was more or less a common or garden variety — but the hackers made sure to use a different software wrapper each time, ensuring that there was no specific signature for the malware.

In addition, the fact that it was installed via spear-phishing attacks from companies that appeared legitimate — after all, they had the appropriate digital security certificates — gave the hackers even more anonymity, enabling them to hit very secure servers and steal all manner of top-secret documents.

"We're talking about things like studies on biological warfare and nuclear physics, infrastructure security plans, corporate financial documents," Ben-Naim said — as well as the "usual" bank account and credit card data, depending on the victim.

How were the hackers able to get away with it for so long? One of their secrets — and the one that eventually gave them away — was that they didn't contact a server until they knew exactly what they wanted.

"They were after very specific items, so their method of operation was to swoop in and get out very quickly in the hope that nobody would notice," Ben-Naim said.

And it worked for over a decade — until the hackers made the fatal mistake of violating their own rules, and "stayed on our client's server a little too long — long enough that their activity was noticed," he said.

That "extra effort" in targeting CyberTinel's client was all the company needed. Over a period of months, the company's staff observed the C&C server's activity, and eventually were able to trace its whereabouts.

When it checked for ownership information, the company was shocked to find that the IP address was registered to no fewer than 800 companies, most of them defunct. Putting two and two together, CyberTinel staff were able to quickly tie the server to other hack attacks, eventually figuring out that they were all part of a single operation: Harkonnen.
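One way a defender can surface the tell that unmasked the operation, many nominally unrelated organisations fronted by a single IP address, as an added example written for this page (not CyberTinel's tooling), using constructed sample records and hypothetical domain names:

```python
"""Cluster observed sender domains by the IP they resolve to and flag IPs that
front an unusually large number of distinct organisations.

Added illustration, not code from the article or from CyberTinel. The records
below are constructed: (sender domain seen in mail, resolved IP, organisation
named in the domain's certificate or registration). All names are hypothetical.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]

RECORDS: List[Record] = [
    ("acme-logistics.example", "203.0.113.10", "Acme Logistics Ltd"),
    ("northbridge-consult.example", "203.0.113.10", "Northbridge Consulting Ltd"),
    ("bluewater-freight.example", "203.0.113.10", "Bluewater Freight Ltd"),
    ("orion-payroll.example", "203.0.113.10", "Orion Payroll Ltd"),
    ("silverline-audit.example", "203.0.113.10", "Silverline Audit Ltd"),
    ("silverline-audit.example", "203.0.113.10", "Silverline Audit Ltd"),  # repeat sighting
    ("partner-bank.example", "198.51.100.7", "Partner Bank AG"),
    ("shop-one.example", "192.0.2.1", "Shop One GmbH"),
    ("shop-two.example", "192.0.2.1", "Shop Two GmbH"),
]


def cluster_by_ip(records: Iterable[Record]) -> Dict[str, Set[str]]:
    """Map each IP address to the set of distinct organisations seen behind it."""
    orgs_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for _domain, ip, org in records:
        orgs_by_ip[ip].add(org)
    return orgs_by_ip


def suspicious_ips(records: Iterable[Record], max_orgs: int = 3,
                   known_shared: FrozenSet[str] = frozenset()) -> List[Tuple[str, int]]:
    """Return (ip, organisation_count) for IPs fronting more than max_orgs
    distinct organisations, most crowded first.

    Legitimate shared hosting and CDNs also put many organisations on one
    address, so known_shared lets the analyst suppress those and treat the
    remainder as a triage signal rather than a verdict.
    """
    flagged = [(ip, len(orgs)) for ip, orgs in cluster_by_ip(records).items()
               if ip not in known_shared and len(orgs) > max_orgs]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, count in suspicious_ips(RECORDS):
        print(f"{ip}: {count} distinct organisations share this address")
```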

Ben-Naim won't speculate who or what is behind the hack, although he did say that "it feels more like an organised crime operation than something a government would do," adding that the scammers invested over $150,000 — a kingly sum for hackers — in keeping the operation going.

But CyberTinel does know who the victims were — and, more importantly, who's responsible.

Jonathan Gad of Elite Cyber Solutions, CyberTinel's UK partner, said that "the network exploited the UK's relatively tolerant requirements for purchasing SSL security certificates, and established British front companies so they could emulate legitimate web services. The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years."

"There were many clues that something unusual was going on that could have tipped off regulators," Ben-Naim said. "I think it would be legitimate to ask some questions about the process involved here."
