Analyst Call # 12: Harmony Blockchain Confirms Compromise and Theft of Approximately $ 100 Million USD

Leverage tools and goals: Harmony confirms blockchain compromise and theft of approximately $ 100 million USD

On June 23, 2022, Harmony was notified of an attack on its proprietary Horizon Ethereum Bridge. Eleven transactions retrieved tokens stored in the bridge with an estimated value of approximately $ 100 million USD at the time of the attack. [1]

Harmony’s public disclosure suggests that the attacker or attackers were able to compromise two of the five private keys needed to sign transactions. A standard cryptocurrency wallet relies on a public address to receive digital assets, and a private key to authorize transactions. A multisignature wallet (short multisig) requires two or more private keys for authorization; therefore, several parties share control.

Harmony believes that “the attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSB, USDC, ETH and WBTC”. The attacker then changed assets to the Ethereum network.

On June 27, the attacker began anonymizing the ownership of these assets by moving funds through Tornado Cash, a crypto-mixing platform that improves transaction privacy by breaking the chain between source and destination addresses.

Harmony is collaborating with cybersecurity partners, exchange partners and the FBI to investigate the breach and recover stolen assets. The company offered a $ 1 million reward for repaying Horizon Bridge funds for sharing information about the exploitation. [2]. On June 29, the company increased the reward to $ 10 million with a deadline of July 4 at. 23:00 GMT. It also announced a $ 10 million reward for providing information leading to the return of stolen funds.

Harmony updated its co-signing process to require four of the five keys. EclecticIQ analysts point out that the root cause of the compromise of the private keys is unknown. Therefore, increasing the number of keys required to sign transactions may be of limited value, if there is a common mistake between them all.

Threats: denial of service attacks by pro-Russian group KILLNET temporarily disrupts Lithuanian Internet services

The Lithuanian National Cyber ​​Security Center (NKSC) warned (insert date) of an ongoing Distributed Denial of Service (DDoS) attack on the Secure National Data Transfer Network, other state institutions and private companies in Lithuania. [3]

The pro-Russian group KILLNET said the attacks were in retaliation for Lithuania’s ban on EU – sanctioned goods coming from Russia across its territory to the Russian exclave of Kaliningrad. [4] The ban took effect on June 18.

In its response, Russia called the ban a “unique” and “hostile” act. Russia’s Foreign Minister Nikolai Patrushev issued a statement on Tuesday (June 21st) stating that “if in the near future freight transport between the Kaliningrad region and the rest of the territory of the Russian Federation through Lithuania is not fully restored, Russia reserves the right to take action to protect their national interests. ” [5], [6] On June 20, KILLNET in the Telegram group asked for support “in the destruction of Lithuania’s network infrastructure”. During the following days, the group posted several screenshots of Lithuanian services in the energy, finance and transport sectors that were taken offline. European and Russian diplomats appear to be approaching a compromise that will free Kaliningrad from sanctions. [7] As of June 29, the group did not post news reports on Lithuanian targets and appears to have stopped its attacks. In an update in late June, NKSC announced that the Secure National Data Transfer Network services have been restored. Analysts believe that KILLNET has the capabilities to successfully execute DDoS attacks or destroy websites and temporarily suspend targeted businesses. As seen with recent cases in Lithuania, or attacks in Polish [8] and Italian [9] organizations, the group can quickly gather its resources and perform in accordance with Russian state goals. Analysts have no evidence that the group uses or develops custom tools, but probably works with off-the-shelf products.

Malware: Samurai Backdoor and Ninja Trojan deployed in attacks on Southeast Asian and European government and military organizations

According to an online article dated (insert date), security researchers with Kaspersky’s Global Research & Analysis Team (GReAT) identified two previously unknown malware called Samurai backdoor and Ninja Trojan. [10]

Between December 2020 and February 2021, an APT – called ToddyCat – targeted exclusively Microsoft Exchange servers in Taiwan and Vietnam. By exploiting an unknown exploit, the actor distributed the China Chopper shell. The intrusion shared by GReAT is similar to an activity cluster (called Websiic) reported by ESET in March 2021. From 26 February 2021, ToddyCat exploited the ProxyLogon vulnerability to compromise organizations in Europe and Asia.

In both waves, the attacker put a previously unknown modular back door called the Samurai. Samurai is written in C # and is very veiled to prevent reverse engineering. The back door acts as a listener to incoming requests from an attacker-controlled system.

In specific cases, Samurai also dropped another malicious software, Ninja. GReaAT believes that Ninja is “a collaborative tool that allows multiple operators to work on the same machine at the same time.” The Trojan issues a series of commands to infiltrate and control remote systems and avoid detection.

GReAT reports that the player has been exploiting an unknown Microsoft Exchange server vulnerability since at least December 2020. EclecticIQ analysts assume that the player had exploited a 0-day vulnerability, which in March 2021 would be published as ProxyLogon.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. The EclecticIQ Threat Research team is headquartered in Amsterdam and consists of experts from Europe and the United States with decades of experience in cybersecurity and intelligence in industry and government.

We would love to hear from you. Send us your feedback by sending us an email at [email protected] or fill out EclecticIQ audience interest survey to drive our research towards your priority area.

Structured data

Find Analyst Prompt and previous editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery Services:

You can also download the content as eiq_json, stix1_2, stix2_1.

Please see our support page for instructions on how to access the feeds.

appendix

1. M. Barrett, “Harmony’s Horizon Bridge Hack,” Harmony, June 28, 2022. June 29, 2022).
2. Harmony [@harmonyprotocol]”We are committed to a $ 1 million bounty for the refund of Horizon Bridge funds and the sharing of utilization information. Contact us at [email protected] or ETH address 0xd6ddd996b2d5b7db22306654fd548ba2a58693ac. Harmony will not prosecute any criminal charges when funds are returned. ” Twitter, June 26, 2022. (opened June 29, 2022).
3. “Intense DDoS attacks targeting several companies and institutions in Lithuania.” (opened June 28, 2022).
4. A. Sytas, «Kaliningrad sanctions will take effect, Lithuania says», Reuters, 18 June 2022. Access: 28 June 2022. [Online]. Available:
5. “Kaliningrad: Russia warns Lithuania about the consequences of sanctions on rail transport,” BBC News, 21 June 2022. Access: 28 June 2022. [Online]. Available:
6. “Patrushev announces the release of a scorching obituary on the transport ‘Kaliningrad’ Kaliningrad oblast,” Interfax.ru. (opened June 28, 2022).
7. A. Sytas and J. O’Donnell, “Exclusive: EU Approaches Compromise Agreement to Defuse Standoff with Russia over Kaliningrad,” Reuters, June 30, 2022. Access: June 30, 2022. [Online]. Available:
8. “Killnet DDoS Attack Impacting PKN Orlen Refinery, Poland,” Atlas News, June 17, 2022. (opened June 30, 2022).
9. alessandro.brucato, “Killnet Cyber ​​Attacks on Italy and NATO Countries”, Sysdig, 18 May 2022. (opened June 30, 2022).
10. “ToddyCat: Unveiling of an unknown APT actor attacking high-profile devices in Europe and Asia.” (opened June 28, 2022).