Sky News – Wed, Sep 17, 2014
Security researchers have uncovered a group of hackers that broke into 300 banks, corporations and governments for 12 years without being caught.The hacker collective from Germany exploited a loophole in the UK which enabled them to obtain security certificates to allow them to target organisations in Germany, Switzerland and Austria and access sensitive, confidential data.
The damage suffered by their victims in terms of loss of data and compromised security has been described by researchers as "immeasurable".
"We're talking about things like studies on biological warfare and nuclear physics, infrastructure security plans, corporate financial documents," said Kobi Ben-Naim from CyberTinel, the security company that blocked the attack.
"They were after very specific items," he added. "Their method of operation was to swoop in and get out very quickly in the hope that nobody would notice. It feels more like an organised crime operation than something a government would do."
CyberTinel says it knows the identity of the group, which set up 883 front companies in the UK to take advantage of Britain's tolerant requirements for obtaining SSL security certificates.
UK internet regulators apparently failed to notice that each company had the same IP address and contact information.
The certificates are small files that activate secure connections over the internet between web browsers and servers to authenticate and verify an organisation's details.
With these certificates and an authentic corporate identity, the hackers camouflaged the attacks and were trusted by their victims, giving them control over the organisation's computers to eavesdrop on their networks.
The operation behind the so-called Harkonnen Operation attack continued for so long that cyber-security firms expect to discover companies in other European countries, including the UK, were also hacked.
"The damage to the organisations in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable," said Elite Cyber Solutions chief executive Jonathan Gad.read more: