This post is also available in: עברית (Hebrew)
Security researchers have uncovered a group of hackers who broke into 300 banks, corporations and governments for 12 years without being caught.
The hacker collective from Germany exploited a loophole in the UK which enabled them to obtain security certificates to allow them to target organizations in Germany, Switzerland and Austria and access sensitive, confidential data.
The damage suffered by their victims in terms of loss of data and compromised security has been described by researchers as “immeasurable”, according to news.sky.
CyberTinel, the security company that blocked the attack, says the group were able to access bio-warfare plans. “We’re talking about things like studies on biological warfare and nuclear physics, infrastructure security plans, corporate financial documents,” said the CEO.
“They were after very specific items,” he added. “Their method of operation was to swoop in and get out very quickly in the hope that nobody would notice. It feels more like an organized crime operation than something a government would do.”
The company says it knows the identity of the group, which set up 883 front companies in the UK to take advantage of Britain’s tolerant requirements for obtaining SSL security certificates.
The certificates are small files that activate secure connections over the internet between web browsers and servers to authenticate and verify an organization’s details. With these certificates and an authentic corporate identity, the hackers camouflaged the attacks and were trusted by their victims, giving them control over the organization’s computers to ‘overhear’ their networks.
The operation behind the so-called Harkonnen Operation attack continued for so long, that cyber-security firms expect to discover companies in other European countries, including the UK, were also hacked.
“The damage to the organizations in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable,” said Elite Cyber Solutions chief executive Jonathan Gad.