Israel Foiled Cyberattack by Foreign Country Against Defense Industry Firm, Ministry Says

It is suspected that the attempted cyberattack was carried out by an international cyber alliance known as Lazarus, Defense Ministry says

Yaniv Kubovich
Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
The Defense Ministry in Tel Aviv
The Defense Ministry in Tel AvivCredit: Moti Milrod
Yaniv Kubovich

The Director of Security of the Defense Establishment, along with other security agencies, prevented a cyberattack by a foreign country against “leading defense industries” in Israel, the Defense Ministry announced on Wednesday.

The attackers approached employees of the defense industries with job offers through LinkedIn in an attempt to penetrate the companies’ computer networks, the statement said.

The attack was stopped in “real time and without causing damage,” according to the Defense Ministry.

The attempted cyberattack is suspected to have been carried out by an international cyber alliance known as Lazarus. They constructed fake profiles on social media and impersonated managers and representatives of international corporations. They even used websites of other companies without their knowledge, said the ministry.

The attack was first reported by the ESET cyber security company in June. The original report mentioned an espionage attempt directed at companies in Europe and the Middle East, but Israeli companies were not mentioned at the time. In March 2019, the Israeli firm ClearSky revealed an attempt to penetrate an Israeli defense company attributed to Lazarus.

The ESET report states that in the operation exposed in June, known as  "In(ter)ception", Lazarus used LinkedIn for its preliminary contacts with the victims in the target organizations – including defense companies and military units. At first, the attackers constructed fake profiles seemingly connected to defense companies. Later they approached people in an attempt to “recruit them for jobs.” The fake profiles were linked to real companies, such as Collins Aerospace Systems.

In the next stage, the fake profiles were supposed to send the prospective employees a file with their job description and salary offer. A victim who clicked on the file would receive the fake offer in a PDF file that opened in their default browser. This then planted a program that enabled the attackers to take control of the computer and penetrate other networks inside the organization.

The attackers used open source software tools along with Lazarus’ own code. The groups also used a technique called “Live Off the Land,” using internal system tools of the operating system to steal information and control the computers. 

In May, Israeli cybersecurity chief Yigal Unna said that the country thwarted a major cyberattack in April against its water systems, which could have caussed massive damage. The National Cyber Directorate released a short statement on the attempted attack, which was attributed by foreign sources to Iran.  

A Western intelligence source told the Financial Times that the attack, if successful, could have left tens of thousands without water, including farmers, and, at worst, hundreds of people could have fallen seriously ill.

“If the bad guys had succeeded in their plot we would now be facing, in the middle of the coronavirus crisis, very big damage to the civilian population and a lack of water and even worse than that," Unna said, and warned: "Cyber winter is coming and coming even faster than I suspected."

The Washington Post reported that month that Israel was behind a cyberattack on Iran's Shahid Rajaee port. According to the report, The attack took place on May 9, and caused  massive backups on waterways and roads leading to the port, disrupting the port's traffic for a few days. 

Citing unnamed U.S. and foreign government officials, the Post said the May 9 disruption of Iranian computers was presumably in retaliation for April's attempted cyberattack on rural water distribution systems in Israel. The Israeli Embassy in Washington did not respond to the report.