Cybertinel has discovered a sophisticated cyberattack targeting European organizations. This discovery, dubbed the "Harkonnen Operation", led them to uncover over 300 companies that were singled out for data exfiltration over a 12-year period. These companies included financial institutions, industrial companies, research laboratories, and government agencies, spanning Germany, Austria, and Switzerland.
While a full analysis of this attack is still underway, it was clear during the initial investigation that this was not your average spear phishing campaign. This was a complex and sustained attack with the goal of gaining confidential data from a large number of critical organizations.
Methodology
The Cybertinel platform was installed in a customer’s network, with the intent of detecting and preventing threats from entering. The Cybertinel platform assesses threats through a multi-layer data collection process, and Cybertinel has integrated the signature- and heuristic-based capabilities of OPSWAT’s Metascan technology into its static code analysis layer.
The Cybertinel agents start collecting endpoint data as soon as they are deployed to the network. Analysis of the initial data identified two suspicious processes on the computer of a high-ranking employee within the organization. The executables were found loaded in memory on the targeted computer, meaning that the attack was active, not a dormant file on disk.
The files discovered were:
GFILTERSVC.EXE
SHA-1 hash: f0dbf599ec8580186ec05d87535d2a428bf3dcb6
WMDMPS32.EXE
SHA-1 hash: f2eadd9e8212dbdb2087001591fe549343ff540b
Cybertinel, leveraging OPSWAT’s Metascan technology, identified the attack tools hidden inside the files. Further behavioral analysis identified the true purpose of the files: data theft and remote command and control.
Discovery
The discovery unveiled a sinister new spear phishing threat. The tools inside the files connected to an external domain, “download-web-shield”, which was registered to a UK-based company that has since been dissolved. Further analysis revealed that the same individual’s name had been used to register over 833 other shell companies.
This company then purchased public IP address ranges hosting hundreds of “user-friendly” domain names designed to lure in unsuspecting users. These domains, mostly hosted by the German provider Plus.line, carry valid wildcard HTTPS certificates, so a browser raises no warning and any control that treats a valid certificate as a sign of legitimacy would not flag them. A valid certificate only proves control of the domain name; it says nothing about the intent of whoever controls it.
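The two SHA-1 values, the two file names, and the domain fragment quoted on this page are enough to sweep other endpoints and logs for the same indicators. The script below is an added example written for this page, not Cybertinel’s or OPSWAT’s code. It hashes files on disk and compares them against the reported SHA-1s, treats a file-name match without a hash match as a weaker signal (a benign file can share a name, and attackers can rebuild a binary), and searches proxy or DNS log lines for the reported domain string. The sample files and log lines are constructed here for the demonstration; the "download-web-shield.example" host name in the log is made up, since the page gives no TLD for the real domain.

```python
"""Sweep files and log lines for the Harkonnen Operation indicators quoted above.

Added example for this page; not Cybertinel's or OPSWAT's tooling.
Indicators come from the text above; sample data is constructed below.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators as reported on this page: SHA-1 -> file name.
IOC_SHA1 = {
    "f0dbf599ec8580186ec05d87535d2a428bf3dcb6": "GFILTERSVC.EXE",
    "f2eadd9e8212dbdb2087001591fe549343ff540b": "WMDMPS32.EXE",
}
IOC_NAMES = {name.lower() for name in IOC_SHA1.values()}
# The page names the domain without a TLD, so we match the fragment only.
IOC_DOMAIN_FRAGMENT = "download-web-shield"


def sha1_of_file(path):
    """Hash a file in 64 KiB chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_file(path):
    """Return ("hash", path, sha1) on an exact IOC hash match,
    ("name", path, sha1) when only the file name matches (weaker evidence),
    or None when neither indicator applies."""
    path = Path(path)
    digest = sha1_of_file(path)
    if digest in IOC_SHA1:
        return ("hash", str(path), digest)
    if path.name.lower() in IOC_NAMES:
        return ("name", str(path), digest)
    return None


def sweep_files(paths):
    """Classify every path and keep only the findings."""
    return [hit for hit in (classify_file(p) for p in paths) if hit]


def sweep_log_lines(lines):
    """Return (line_number, line) for log lines mentioning the reported domain.
    Matching is case-insensitive because host names are."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1)
            if IOC_DOMAIN_FRAGMENT in line.lower()]


# Constructed proxy/DNS log excerpt (not from the report).
SAMPLE_LOG = [
    "2014-09-03T10:12:01Z proxy ALLOW user=jdoe dst=update.example.internal:443",
    "2014-09-03T10:12:07Z proxy ALLOW user=jdoe dst=cdn.download-web-shield.example:443",
    "2014-09-03T10:13:44Z dns QUERY A mail.example.internal",
]


def demo():
    """Build two constructed files in a temp dir and sweep them.
    GFILTERSVC.EXE here holds benign bytes, so it triggers only the name rule."""
    with tempfile.TemporaryDirectory() as tmp:
        lookalike = os.path.join(tmp, "GFILTERSVC.EXE")
        harmless = os.path.join(tmp, "notes.txt")
        with open(lookalike, "wb") as fh:
            fh.write(b"abc")          # constructed content, not the real binary
        with open(harmless, "wb") as fh:
            fh.write(b"meeting notes")
        return sweep_files([lookalike, harmless])


if __name__ == "__main__":
    for kind, path, digest in demo():
        print(f"{kind:4s} {digest} {path}")
    for number, line in sweep_log_lines(SAMPLE_LOG):
        print(f"log line {number}: {line}")
```

Run it on a real host by replacing the constructed paths with the executables backing running processes (for example the image paths from a process listing) and the sample log with an export from the proxy. A "hash" finding is actionable on its own; a "name" finding only says the file deserves a closer look, which is why the two are reported separately.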
The investment in infrastructure and software, and the resources needed to sustain an attack of this magnitude, are significant and point to a larger criminal organization driving this breach. Spear phishing clearly still poses a significant threat to organizations at every level. Once in the door, malware can expand to gain an even greater foothold.
Click here to read the full report on the "Harkonnen Operation" from Cybertinel.