EclecticIQ Threat Research Team
July 5, 2022

The Analyst Prompt #12: Harmony Blockchain Confirms Compromise and Theft of Approximately $100 Million USD

Blog

tap-12-2022

Exploit Tools and Targets: Harmony confirms blockchain compromise and theft of approximately $100 million USD

On June 23, 2022, Harmony was notified of an attack on its proprietary Horizon Ethereum Bridge. Eleven transactions extracted tokens stored in the bridge with an estimated value of approximately $100 million USD at the time of the attack. [1]

Harmony´s public disclosure suggests that the attacker or attackers were able to compromise two of the five private keys needed for signing transactions. A standard cryptocurrency wallet relies on a public address to receive digital assets, and a private key to authorize transactions. A multi-signature wallet (short multisig) requires two or more private keys for authorization; hence multiple parties share control.

Harmony believes that “the attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSB, USDC, ETH, and WBTC”. The attacker then changed assets to the Ethereum network.

On June 27th, the attacker started to anonymize ownership of these assets by moving funds through Tornado Cash, a crypto-mixing platform that improves transaction privacy by breaking the on-chain link between source and destination addresses.

Harmony is working with cyber security partners, exchange partners, and the FBI to investigate the breach and retrieve stolen assets. The company offered a $1M reward for the return of Horizon bridge funds o for sharing information about the exploit. [2]. On June 29th, the company increased the reward to $10 million with a deadline of July 4th at 23:00 GMT. It also announced a $10 million reward for offering information leading to the return of stolen funds.

Harmony updated its co-signing process to now require four of the five keys. EclecticIQ analysts highlight that the root cause for the compromise of the private keys is unknown. Hence, increasing the number of keys required to sign transactions may be of limited value, if there is a common point of failure between all of them.

Threat Actors: Denial of Service Attacks by Pro-Russian Group KILLNET Temporarily Disrupts Lithuanian Internet Services

The Lithuanian National Cyber Security Centre (NCSC) warned on June 21st, of an ongoing Distributed Denial of Service (DDoS) attack against the Secure National Data Transfer Network, other governmental institutions, and private companies of Lithuania. [3]

Pro-Russian group KILLNET said the attacks were in retaliation for Lithuania's ban of EU-sanctioned goods coming from Russia across its territory to the Russian exclave of Kaliningrad. [4] The ban took effect on June 18th.

In its response, Russia called the ban an “unprecedented” and “hostile” act. Russia’s Foreign Minister Nikolai Patrushev issued a statement Tuesday, June 21st stating “if in the near future cargo transit between the Kaliningrad region and the rest of the territory of the Russian Federation through Lithuania is not restored in full, then Russia reserves the right to take actions to protect its national interests.” [5], [6] On June 20th, in its Telegram group KILLNET called for support “in the destruction of Lithuania’s network infrastructure”. In the following days, the group posted multiple screenshots of Lithuanian services in the energy, finance, and transportation sectors been taken offline. European and Russian diplomats seem to be closing in on a compromise that would exempt Kaliningrad from sanctions. [7] As of June 29th, the group did not post news messages about Lithuanian targets and appears to have stopped its attacks. In a late June update, NKSC announced that the Secure National Data Transfer Network services have been restored. Analysts assess that KILLNET possesses the capabilities to successfully conduct DDoS attacks or website defacements and to temporarily interrupt targeted businesses. As seen with recent cases in Lithuania, or attacks on Polish [8] and Italian [9] organizations, the group can swiftly bundle its resources and execute in alignment with Russian state objectives. Analysts have no evidence that the group is using or developing custom tools, but likely works with off-the-shelf products.

Malware: Samurai Backdoor and Ninja Trojan Deployed in Attacks Against Southeast Asian and European Governmental and Military Organizations

According to an online article dated June 21, security researchers with Kaspersky's Global Research & Analysis Team (GReAT) identified two previously unknown malware dubbed Samurai backdoor and Ninja Trojan. [10]

Between December 2020 and February 2021, an APT - dubbed ToddyCat - exclusively targeted Microsoft Exchange Servers in Taiwan and Vietnam. Leveraging an unknown exploit, the actor deployed the China Chopper web shell. The intrusion shared by GReAT resembles an activity cluster (dubbed Websiic) reported by ESET in March 2021. As of February 26, 2021, ToddyCat exploited the ProxyLogon vulnerability to compromise organizations in Europe and Asia.

In both waves, the attacker deployed a formerly unknown modular backdoor dubbed Samurai. Samurai is written in C# and is highly obfuscated to hinder reverse engineering. The backdoor acts as a listener to incoming requests from an attacker-controlled system.

In specific instances, Samurai also dropped another malware, Ninja. GReaAT believes that Ninja is “a collaborative tool allowing multiple operators to work on the same machine simultaneously.” The Trojan a multitude of commands to infiltrate and control remote systems and evade detection.

GReAT reports that the actor exploited an unknown Microsoft Exchange server vulnerability since at least December 2020. EclecticIQ analysts hypothesize that the actor had been leveraging a 0-day vulnerability, which in March 2021 would be publicly disclosed as ProxyLogon.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

You may also download the content as eiq_json, stix1_2, stix2_1.

Please refer to our support page for guidance on how to access the feeds.

Appendix

  1. M. Barrett, “Harmony’s Horizon Bridge Hack,” Harmony, Jun. 28, 2022. https://medium.com/harmony-one/harmonys-horizon-bridge-hack-1e8d283b6d66 (accessed Jun. 29, 2022).
  2. Harmony [@harmonyprotocol], “We commit to a $1M bounty for the return of Horizon bridge funds and sharing exploit information. Contact us at whitehat@harmony.one or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac. Harmony will advocate for no criminal charges when funds are returned.,” Twitter, Jun. 26, 2022. https://twitter.com/harmonyprotocol/status/1540904433525088256 (accessed Jun. 29, 2022).
  3. “Intense DDoS attacks targeted several companies and institutions in Lithuania.” https://lrv.lt/en/news/intense-ddos-attacks-targeted-several-companies-and-institutions-in-lithuania (accessed Jun. 28, 2022).
  4. A. Sytas, “Kaliningrad sanctions to take effect, Lithuania says,” Reuters, Jun. 18, 2022. Accessed: Jun. 28, 2022. [Online]. Available: https://www.reuters.com/world/europe/lithuania-says-sanctions-goods-kaliningrad-take-effect-saturday-2022-06-18/
  5. “Kaliningrad: Russia warns Lithuania of consequences over rail transit sanctions,” BBC News, Jun. 21, 2022. Accessed: Jun. 28, 2022. [Online]. Available: https://www.bbc.com/news/world-europe-61878929
  6. “Патрушев пообещал Литве скорый ответ на транспортную ‘блокаду’ Калининградской области,” Interfax.ru. https://www.interfax.ru/russia/847235 (accessed Jun. 28, 2022).
  7. A. Sytas and J. O’Donnell, “Exclusive: EU nears compromise deal to defuse standoff with Russia over Kaliningrad,” Reuters, Jun. 30, 2022. Accessed: Jun. 30, 2022. [Online]. Available: https://www.reuters.com/world/europe/exclusive-kaliningrad-row-eu-nears-compromise-deal-defuse-standoff-with-russia-2022-06-29/
  8. “Killnet DDoS Attack Impacting PKN Orlen Refinery, Poland,” Atlas News, Jun. 17, 2022. https://theatlasnews.co/2022/06/17/killnet-ddos-attack-impacting-pkn-orlen-refinery-poland/ (accessed Jun. 30, 2022).
  9. alessandro.brucato, “Killnet cyber attacks against Italy and NATO countries,” Sysdig, May 18, 2022. https://sysdig.com/blog/killnet-italy-and-nato/ (accessed Jun. 30, 2022).
  10. “ToddyCat: Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia.” https://securelist.com/toddycat/106799/ (accessed Jun. 28, 2022).

Talk to one of our experts

Protect your organization with cutting-edge threat intelligence. Book your free demo today and explore how our products and services can help you meet your security needs.
Book a call
cta-footer
Book a demo