2020-12-31

The Computer Emergency Response Team, a key component of Israel’s wider cyberauthority, has been extremely busy in recent weeks battling a clutch of attacks that have ended a year seeing a spike in cybercrime around the world.

The team, also known by its initials, CERT, is tasked with handling “cyber incidents in the civilian cyber sphere.” According to the government’s website, CERT “receives and handles hundreds of reports and information about cyber-attack attempts or threats, from local and international partners, on a daily basis.”



In fact, in an ominous end-of-the-year letter to the public Wednesday, the head of the wider National Cyber Directorate cited a 30 percent increase in the number of emergency calls about suspected cyberattacks. The end-of-year numbers provide a glimpse into the challenge: In 2020, the directorate investigated 16,000 specific attacks or attempted attacks against around 1,400 organizations.

“These are challenging days for anyone who deals with defensive cyber. We are alert and prepared – as is required by everyone in this business and is needed from all organizations and even citizens,” the cyberauthority wrote, adding that “these challenges also provide an opportunity to help increase awareness and improve our general level of preparedness.”

CERT operates out of a large center in Be’er Sheba that runs around the clock, providing both what it terms preventive measures and a rapid response to cyberincidents. Though every country has some form of a CERT, the Israeli model, the directorate claims, is unique because not only does it offer help to private firms facing cyberattacks, it has units for different sectors – finance, energy, public security and government.

It also operates what it calls a “proactive” research center that seeks out vulnerabilities before they’re exploited and even has a hotline where anyone can call in to report a cyberattack.



The head of this emergency response operation is Erez Tidhar, 45, who has worked at the National Cyber Directorate for five years. A certified chief information security officer who lives in the south, Tidhar says “cyberattacks or attempted attacks are part of our day-to-day.”

Though much of the cyberauthorities’ activities are conducted in the shadows, Tidhar agreed to answer a few questions from Haaretz about events in Israel and around the world.



“In recent months, we’ve seen increased attempts, but these are attacks of different types and it’s not the same attackers, methods, technologies – or even the same targets,” he says.

I asked Tidhar about how the recent wave of cyberincidents in Israel connects with the cyberespionage campaign attributed to Russia that penetrated U.S. government agencies by hacking the SolarWinds software used by thousands of organizations.



Regarding the so-called FireEye hack – the California-based cybersecurity firm itself was hacked – Tidhar says this was part of a wider trend that has led to an uptick in reporting that may not necessarily indicate a surge.



“We’ve seen a collection of events in Israel and around the world that didn’t necessarily happen this month but may have actually begun much earlier,” he says. “So, for example, the attack on FireEye in the U.S. got many organizations looking proactively for the clues and indicators [linked to the attack], and thus additional cases were found and also revealed other exploits and vulnerabilities that needed immediate attention.”

A member of the hacking group Red Hacker Alliance, who declined to give his real name, using a website that monitors global cyberattacks. Credit: Nicolas Asfouri / AFP

The hackers’ motives

Another example, from Israel, is the ongoing foray by the Iranian Pay2Key hacking group that, though initially detected in November, has in recent weeks raised its head again. These attacks may actually be older than initially thought, with the hackers only now revealing which organizations were hit.



CERT shares information with other agencies and firms active in this arena, but Tidhar notes that despite the best efforts by the community, “the attacks are further buoyed by the sense of success. When hackers see how much attention an attack by another team has gotten, that atmosphere spurs on others too as part of the competition between different hacker groups.”

The high-profile attacks that Israel has faced in recent months have straddled the private and government sectors. In the cyberworld, attackers are usually either states, private criminals after money, or so-called hacktivists with political goals – if not offensive and counterintelligence goals.



A concerning trend of the past year has been attacks that may seem financial or criminal but are actually ideological if not outright cyberwarfare or espionage – as was the case with the so-called MuddyWater attack attributed to Iran in September.



The most famous case in recent months was the attack on Israel’s Shirbit insurance company, which was hacked in what seemed like a classic case of data extortion but turned out to be ideologically driven – or at least there was no pure financial motive. Pay2Key is another example of an ideologically motivated cybercampaign.

Tidhar is cautious. His department deals only with attacks on private entities, and any attempt to hit state targets – like Pay2Key’s purported hacking into Israel’s biggest defense contractor, Israel Aerospace Industries – moves the case to the Defense Ministry for handling.

Regarding shifts in cybercrime, Tidhar says this “isn’t really a new trend. We’ve seen ransom and extortion attacks spill over into each other in recent years. This year we’ve had about two or three events like these a week reported to us – and there were others that weren’t reported.”



Still, Tidhar notes a shift in this arena that has taken the attacks out into the open. “We’re seeing a global trend in which the ransom demands are becoming more aggressive and brazen – with the clear intent of inspiring panic and fear. Just recently, we saw an attack on a company in South America in which the ransom note was printed on the organization’s printers, which the hackers had managed to take control of.”

This very public trend, he says, is joined by another change: “Another recent trend is the attempt by hackers to maximize opportunities. Initially hackers will cast a very wide net against a large number of organizations and will then pick the big fish out of those they managed to capture and will act against them only.”



Structural tension

As Tidhar puts it, “There is an attempt to hit a certain supplier – or target the weakest link in a supply chain – and through it the clients are targeted. We identified this initially when they hit the Israeli company with the intent to reach others, and we worked with [the company’s] clients to try to make sure they were immune to the attack before it could actually lead to any damage.”

Tidhar won’t elaborate on which incursion was thwarted, but he’s most likely referring to the attack on Israeli company Amital Data, whose Unifreight software was targeted and may have exposed up to 40 different companies.

When asked about the difference between the attack on Shirbit and the thwarted attack, Tidhar says “Shirbit was the end point of the attack – they broke into that specific company and targeted its system – and it’s very likely that it was actually Shirbit they were after. In the second event, the one that was thwarted, the attackers found a back door that would allow them access to others.”

There is a certain structural tension in Tidhar’s work. He’s supposed to help private entities and protect the Israeli market from attacks, yet many of these forays are geopolitically motivated.

When asked if he’s concerned that private companies become national targets, he said, “There have always been attempts made against the Israeli cyber space for many years now, and there is simply no doubt that everyone is a target – from citizens, to small businesses, to large bodies and even governmental offices and organizations.”

But he notes, “It’s important to remember: There are organizations that are specifically targeted and there are those that fall prey to a random attack. Everyone needs to be prepared, but if an attacker sees an open window and just enters it randomly, they’ll still try to find something of value.

“Sometimes organizations are hacked and attackers will look for something of value to steal or sell. Even a burglar who usually breaks into mansions will enter a small house if the window is left open. But sometimes organizations are specifically targeted and a lot of preparation work goes into the operation.”

As Tidhar puts it, “Everyone needs to minimize their exposure and use data security specialists – and Israel has been blessed with a very good cyberindustry and talented cyberexperts.”