Exclusive Interview : Operation Harkonnen Malware disguised as ‘harmless Adware’

Further details are emerging today of the methods used in the massive and long-lasting Operation Harkonnen cyber attack (‘Harkonnen Hack’) methodology that has allegedly exposed the data of 300 leading European organisations since 2003.

The victims of the German gang thought to be responsible include banks, government organisations and major corporations, most of them based in Germany and Switzerland – so far, none of whom have wished to be identified.

To find out more about the attacks, I interviewed cyber security expert Jonathan Gad of Elite Cyber Solutions.

MS: How did your team manage to identify the attacks, considering that they had gone unnoticed for over a decade?

JG:The Operation Harkonnen attacks were highly sophisticated. We have had to explain to a number of cyber researchers and analysts in the last few days that the attack vector was an adware .exe that looked relatively harmless when it was detected by traditional scans. The Cybertinel signatureless approach operates at a much lower level than virus signature detection. The team here understand how a genuine State-level hacker thinks and works, so we were able to conclude after deploying Cybertinel that an adware application  was camouflaging a highly-sophisticated attack using unsigned trojans adapted for this particular purpose.

In the case of our client, two Trojans were embedded in the infected system and used to ex-filter data from the target computers to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved. The attack strategy though relied on the trojans being well-hidden and back-doors used only infrequently and for short periods of time; thus defeating IT security based on AV signature scans and analysis of logs to identify suspicious events. It’s the way that the trojans were hidden that enabled the hackers to get away with this sustained attack for so long. It was a successful operation.

MS: How did Cybertinel’s signatureless endpoint technology find these trojans?

JG: With Cybertinel you have the ability to constantly monitor and identify threats, discovering their source, behaviour, strategy, history and creators, while providing immediate remedies and countermeasures for malicious code. Scanning is nice, but periodic – i.e. there is a period of time that the malware will be in place before being detected. More important still is the need for the technology to be able to detect even the smartest malware… and again, the Cybertinel product is fantastic at that. An agent such as Cybertinel’s that sits on the endpoint and constantly monitors will probably be the fastest and most effective way of detecting an attack. In the Harkonnen attack, for example, the malware was discovered just minutes after Cybertinel was installed. Other approaches based on signature scanning failed to spot the problem at all, providing the hackers with an open door to some systems over an exceptionally long timeframe.

MS: Would penetration testing have helped to defend against this attack?

JG: Depending on who does the work in terms of their skill level, pen testing can be important as it can be used to show the ‘holes’ in the network, but I believe that an organisation needs to assume that the perimeter will be breached if the hackers are determined enough, so rapid detection is essential. I have known organisations to pen test just once a year, which is too little to have much chance of preventing determined hacks like this one. Remember, the average detection time is estimated at between 8-9 months. That leaves the hackers all the time they need to cause damage, steal data, etc.

If the detection of sophisticated threat agents can be reduced to minutes, the hackers will have a much tougher time. That’s not to say that pen tests are a bad idea though; especially if they are conducted by a skilled hacker who knows what to look for as opposed to IT staff running a vulnerability scan with very little knowledge of what represents a possible threat agent at work.

MS: Has there been much interest in the Harkonnen story from the industry?

JG: Yes, although we’ve had to explain to a number of cyber researchers that the threat was not coming from harmless adware but what it was carrying inside while it was installed on the victim’s systems. I read a tweet on your Twitter page from someone making the same point, so let’s be clear: the threat here came from trojans adapted for a specific task.

The attackers went to a great deal of trouble to mask the trojans used and even experienced analysts found it hard to believe that the adware .exe could be used to camouflage the trojans involved. Trojans are the gate breakers for other programs. Their basic function is to be small. So small that they are unnoticed when bundled with other software. They lodge themselves in an obscure part of the registry, and open a port from the host system that allows intrusion by a remote user or program download.

Cybertinel’s endpoint solution reverse engineers code like this. With our software, it is possible to understand where the malware came from, even down to which machine it was written on, when and by whom. We know the likely attack vectors involved by thinking like the hacker. The range of skills needed is much greater than is required to simply isolate a virus signature. For example, Cybertinel had a case where a PC keyboard was embedded with an electronic bug to log the user’s activity. Through analysis of the electrical requirements of the system in question, they were able to say through software that a device had been added to provide attack infrastructure. Without this assistance, the client could easily have continued using the keyboard, unware of the monitoring device installed, for years. Determined attacks of this kind are the work of some very clever minds and only a team that lives and breathes hacking is able to devise effect countermeasures in this cat and mouse game of intellect. This necessitates getting down to the lowest level of activity in a system.

MS: What was taken in the attacks involving the 300 target organisations?

JG: Obviously, I’m not in a position to get specific. I can say that the data taken was selected for its quality not quantity. They were definitely ‘picky’! The files stolen contained highly-sensitive information of value to large entities and State officials. The attackers carried out detailed reconnaissance The actual malware was only dropped on an “as-needed” basis – so it was much harder to detect – and removed after a very short time …again making detection much harder. The Harkonnen gang is professional that’s for sure!  

MS: Do you know if any of the ‘tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries would be prepared to comment?

JG: I guess they will not, as is common in these scenarios. But they are investigating. I cannot comment on the steps being taken in this instance.

For more information, see Cybertinel’s website: http://cybertinel.com/

To help companies that think they may have been hit, Cybertinel has published a list of domains and IP addresses on its website that can be searched for in logs of firewalls, etc. See the following page: http://cybertinel.com/wp-content/uploads/2014/09/Appendix-1-HAZARDOUS-IP-AND-URL-%E2%80%93-HARKONNEN-OPERATION.pdf

In the Harkonnen attack, the Trojans allegedly disguised in the GFILTERSVC.EXE adware .exe were Trojan.win7.generic!bt and wmdmps32.exe, a variant of the Trojan family win64/agent.br (See the section  ‘Attack Details’ in Cybertinel’s ‘Special Report – ‘Harkonnen Operation’ Cyber-Espionage’).I asked IT Governance’s senior technical consultant, Geraint Williams, himself a qualified ethical hacker and CREST member, how the attack could have been sustained over so many years and how effective it was likely to have been, given the methods employed and the malware that was named in Cybertinel’s special report.

GW: An attacker will go through a number of phases when attacking a system; the first phase is reconnaissance where they discover details of the system and the organisation owning it. Looking for vulnerabilities that will give them access to the system.

The next phase will be to gain access through a variety of techniques including social engineering attacks to exploit vulnerabilities in users, systems or applications. One of the methods would be to use a Trojan. By definition, a pure Trojan is a way of dropping malware onto a PC by pretending to be something else. The Remote Access Trojan (RAT) can give full control of the PC to the attacker, ranging from taking screenshots to turning on the webcam and microphones.

After a successful attack the attacker will normally move to establish a more permeant access, typically a backdoor is established using either compromised credentials of an existing user or through the insertion of a remote access method that does not rely on the exploitation of vulnerability. – For example, the Microsoft RPC DCOM buffer overflow attack granted the attacker the ability to create a reverse shell which existed in memory, but if the machine was restarted the attack would have to be redone to gain access again. I have demonstrated this by compromising a machine using the RPC buffer overflow, brute forcing the admin password and then connecting remotely using the admin username and password.

Additionally, this second layer of attacks is often done using rootkits to hide the malware, and logs are edited to remove evidence of actions. Rootkits often manipulate the operating system so users, including those with administrator privileges cannot see running processes or changes to the operating system. Other protection techniques used by hackers include armouring the malware so it detects attempts to analysis it and adopts countermeasures to hide its purpose or remove itself from the system. Other techniques are to imitate existing files ensuring that malware matches the size, metadata such as Modification, Access and Change times (MAC) or ensuring signatures such as MD5 hashes correctly match legitimate files.

The world of the malware writer is full of terms such as wrapper, droppers and fuzzers, all techniques to create undetectable malware and get it on to the victims systems.

What Cybertinel claim has happened can occur; although what precise vectors were used in this case (e.g. rootkits) we are not in a position to say.

In short, compromising a machine is the first step, maintaining access is the next, and it is not unknown for attackers to remediate vulnerabilities to prevent other more careless attackers giving the game away.

If you are concerned about what malware can do and would like a health check to establish just how effective your systems are, this is definitely the right time to talk to the cyber experts – before you have something to regret!

Michael Shuff (25.09.2014)

As reported in this blog on 17/09/2014:

Israeli cyber-security firm Cybertinel announced in a press release that it was responsible for breaking the “Harkonnen Operation”, which attacked government servers, banks, and large corporations in Germany, Switzerland, and Austria, using over 800 phoney front companies — all with the same IP address — deploying unique malware to siphon secret and sensitive data off the servers.  The name ‘Harkonnen’ refers to a character in the cult science fiction novel, Dune, by Frank Herbert, which spawned several video games around 2003 when the malware first appeared. In the story, “He who controls the spice controls the universe”.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.