Security researchers have discovered a European cyber crime operation that targeted more than 300 European banks, corporations and government agencies for more than 12 years without being caught.
The hacker collective, dubbed the "Harkonnen Operation", exploited a loophole in the UK that allowed it to launch spear-phishing attacks to infiltrate and plant Trojans in organisations in Germany, Switzerland and Austria, stealing and accessing sensitive and confidential data.
The operation was discovered by Israel-based security company Cybertinel alongside Elite Cyber Solutions, which said the UK's relatively tolerant requirements for purchasing SSL security certificates allowed it to continue undetected for so long. It targeted information such as studies on biological warfare and nuclear physics, infrastructure security plans and corporate financial documents.
Elite Cyber Solutions chief executive Jonathan Gad said in a blog post: "The German attackers behind the network then had total control over the targeted computers and were able to carry out their espionage undisturbed for many years.
"At this point we are aware of the extent of the Harkonnen Operation, but the damage to the organisations that have been victims – in terms of loss of valuable data, income or the exposure of information related to employees and customers – is immeasurable."
The attack began with spear phishing and was carried out by running two system Trojans created in Germany. Once planted in workstations at the targeted companies, the Trojans were able to deliver sensitive and confidential data to the cyber crime network.
Trojans siphoning critical information were detected immediately and further investigation led to the source of the breach, revealing that the original domain was registered by a UK company.
Thanks to the certificates, the hacker fronts were considered legitimate, so no one bothered checking them, thus allowing the operation to go on for nearly 13 years. However, it seems the culprits' digital footprints have been identified and the affected companies are collaborating with German police to track them down.