Analysis

Why Netanyahu Failed to Mention the Iranian Link to the Cyberattack on Israel

Experts are certain the attack came from OilRig, a hacker group funded by Iranian intelligence ■ Netanyahu has a target closer to home

A student uses his computer during a cyber defense programming class at Korea University in Seoul, South Korea, November 26, 2015.
A student uses his computer during a cyber defense programming class at Korea University in Seoul, South Korea, November 26, 2015. SeongJoon Cho/Bloomberg

Cybersecurity experts are convinced that Iran is behind the large-scale cyberattack revealed Wednesday by Israel’s Cyber Defense Authority. The attacks have been identified as being carried out by a hacker group known as OilRig, which has been tracked to Iran and is believed to be financed and directed by one of the Islamic Republic’s intelligence agencies.

OilRig’s first operations were detected at the end of 2015; it is known to have attacked in both government and private sector targets the past, focusing primarily on Saudi Arabia, Turkey, the United States and Israel.

The recent attacks were aimed at at least 120 Israeli targets, including private companies, government departments, research institutes and hospitals. In the first statement published by the cyber agency, they mistakenly claimed that the hackers used a tool originally developed by the U.S. National Security Agency and leaked online by a hacker group known as TheShadowBrokers in August 2016. However, the group exploited vulnerabilities in widely-used software – in this case Microsoft Word, first reported a few weeks ago – to obtain access to targeted computer networks. A wave of cyberattacks both by independent and state-sponsored hackers has used the tools since they were released online.

The malware was introduced to Israeli computer users, initially workers in companies providing computing services to other organizations, in phishing attacks. A virus was hidden in emails which included a fake security certificate of a known Israeli company providing ERP (enterprise resource planning) software. Once a number of these computers were breached, the hackers had access to client lists and the attacks spread from there.

Boaz Dolev, CEO of ClearSky, an Israeli cybersecurity company that warned early this year of OilRig attacks, says that the latest attempts against Israeli targets were “relatively well planned and took considerable resources. It is obvious that there was intelligence gathering prior to the attack and a careful selection of targets – in this case Israeli computing companies.” According to Dolev, another sign of the seriousness of the intrusion was the number of servers used by OilRig, which continued the attack after the first servers were detected and taken down.

The level of sophistication is relatively high, but not beyond the capabilities exhibited recently by Iranian state-sponsored hackers. It is unclear at this point whether the attack had any specific targets beyond creating damage in Israeli computer networks, and the extent of that damage is still being assessed. The first attacks were detected last week, both by in the private sector and by government security experts, and the local cyber community had been buzzing with the news for a few days before the cyber authority put out its announcement on Wednesday morning.

The warning of the attacks was unclassified and had originally been prepared on Monday. It could have been put out as a standard notification to the professional community of network managers and chief information officers, as was done many times in the past following similar attacks. For some reason, the Prime Minister's Office put out the latest notice to the general Israeli media as part of a press release, alongside interviews with senior officials of the Cyber Defense Authority.

OilRig is widely known to be a Iranian state-sponsored group, but surprisingly the Prime Minister’s Office this time made do with just a general assessment that the cyberattack was directed by a foreign state, without specifying which one. How did Prime Minister Benjamin Netanyahu’s office pass on such an easy opportunity to blame Iran for creating havoc around the world?

The only reason could be that the Prime Minister's Office has a more immediate target at home. Netanyahu has made the cyber issue one of his pet projects and the Knesset is due to pass a law establishing the various state authorities dealing with cybersecurity threats in the coming months. On Monday night, Channel 2 revealed a letter to Netanyahu signed by the heads of the security agencies, warning that the current draft of the bill “seeks to grant extensive powers to the Cyber Defense Authority, whose purpose has not been clearly defined, and it could seriously harm the core security activity of the security community in the cyber field."

Inter-departmental disputes over which government agency should receive the powers and resources to deal with the growing cyber threats have been going on for nearly a decade. Netanyahu’s decision to set up the cyber authority, which is supposed to coordinate the various agencies and notify organizations and companies under threat, within the Prime Minister’s Office, where there was no professional infrastructure and lots of intrigue, caused years of delays and political wrangling.

Over the last year or so, competent experts were finally hired and began working. The situation settled and cooperation has improved, but the new bill threatens that stability. Two days after the report on Channel 2, the decision to upgrade a routine technical warning to a nationwide press release puffing up the cyber authority's role is a sign that the lucrative cyber turf-war is heating up again.