In real espionage you set up a shell company and make everything look legitimate. This is important because you don't arouse any suspicion right from the beginning.
These attackers spent an enormous amount of money (maybe the proceeds of their first penetrations) to set up real companies on paper and get the paperwork done so that everything looked genuine. Remember that this operation has been going on since 2002 and was only discovered in August 2014, so the 300 compromised companies and networks were exposed to a maximum of 12 years of penetration through a digital beachhead.
Other attackers are still too stupid to spend some cash on hiding themselves more professionally, but this could change: if you can hide your operations for years by setting up shells, the return on investment is really worth it.
"Unusually for a targeted attack campaign, the group behind Harkonnen chose not to send the exfiltrated data to a hijacked domain, but instead spent $150,000 setting up legitimately registered companies with legitimate domains and certificates in the UK – making it much harder to detect.
“If they would have hijacked legitimate hosts they would have risked detection much earlier, which would have put their entire attack business at risk,” explained Jonathan Gad of Cybertinel partner Elite Cyber Solutions.
“Remember, technically, the infrastructure was completely real. You could look up the companies at Companies House, or the domains etc, and see a real entity with an address and phone number. These hackers were long-term serious hackers, so they made long-term serious investments which look like they paid off.”
Gad told Infosecurity that the lack of checks made on companies registering domains in the UK helped the gang get away with their campaign for so long.
For example, many of the 833 ‘companies’ were registered with the same physical address in Wakefield but with the same phone number, a German number.
In addition, many were closed a few months after opening, but the certs were renewed annually.
“It does seem that better checks could be done on company registration/cert buying etc to avoid this kind of scam. In other countries a range of additional checks are done when buying certs, so the UK could include some of these too,” Gad argued.
Of course this now makes any company in the UK look suspicious if it doesn't already have enough credentials, and the UK is not the only one: think of companies in Russia and China, which are riddled with spies, or offshore companies where you will never know who is behind them.
That is also why real businesses buy business information and analyses before getting into business with another company, and maybe this will become a new data-leakage protection service: checking on the business you are sending certain kinds of information to. It could also take the form of a blacklist, or a list of indicators based on administrative and business data (turnover, for example, number of clients, etc.).
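As an added example (not code from the original post, Cybertinel or Infosecurity), the vetting idea above can be turned into a simple indicator check over company registration records: it flags clusters of entities sharing one registered address or one phone number, a non-UK contact number on a UK registration, and companies dissolved within months of incorporation whose certificates nevertheless kept being renewed. The records, address and phone values are constructed placeholders, and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Registration:
    company: str               # registered company name (constructed)
    address: str               # registered office address (constructed)
    phone: str                 # contact number with country prefix (constructed)
    incorporated: date
    dissolved: Optional[date]  # None if the company is still active
    cert_renewals: int         # number of annual certificate renewals observed

# Constructed sample data modelled on the pattern described in the post:
# several short-lived companies on one address with one German number.
RECORDS = [
    Registration("Alpha Ltd", "1 Example St, Wakefield", "+49-000-0001", date(2009, 1, 10), date(2009, 5, 2), 5),
    Registration("Beta Ltd",  "1 Example St, Wakefield", "+49-000-0001", date(2010, 3, 1), date(2010, 7, 9), 4),
    Registration("Gamma Ltd", "1 Example St, Wakefield", "+49-000-0001", date(2011, 6, 6), None, 3),
    Registration("Delta Ltd", "9 Other Rd, Leeds",       "+44-000-0002", date(2005, 2, 2), None, 9),
]

def flag_registrations(records, cluster_min=3, short_life_days=180, home_prefix="+44"):
    """Return {company: [indicator, ...]} for records matching the heuristics.

    cluster_min, short_life_days and home_prefix are assumed thresholds."""
    by_address = defaultdict(list)
    by_phone = defaultdict(list)
    for r in records:
        by_address[r.address].append(r.company)
        by_phone[r.phone].append(r.company)

    flags = defaultdict(list)
    for r in records:
        # Many 'companies' registered at one physical address.
        if len(by_address[r.address]) >= cluster_min:
            flags[r.company].append("shared-address")
        # Many 'companies' reachable on one phone number.
        if len(by_phone[r.phone]) >= cluster_min:
            flags[r.company].append("shared-phone")
        # Registered locally but contactable only on a foreign number.
        if not r.phone.startswith(home_prefix):
            flags[r.company].append("foreign-phone")
        # Dissolved within months, yet the certificate kept being renewed.
        if r.dissolved is not None:
            lifetime_days = (r.dissolved - r.incorporated).days
            if lifetime_days <= short_life_days and r.cert_renewals > 1:
                flags[r.company].append("dissolved-but-cert-renewed")
    return dict(flags)
```

Running `flag_registrations(RECORDS)` flags the three Wakefield entities and leaves the Leeds company clean; in practice the records would come from a company register and certificate transparency data rather than constructed input.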