For a Cyber Superpower, Israel Is Surprisingly Vulnerable to Hackers

Israel has a reputation as the go-to country for all things cyber security, but its companies, institutions and ordinary people struggle with daily attacks.

Alon Ron

I’ve known “D.” for years. He’s usually pretty laid-back, but in conversation a month ago, he sounded upset. “How do you know about that?” he barked at me. “Who told you? What do you know?”

All I’d done was ask if he knew anything about hacking attacks on Israeli companies engaged in foreign currency and binary options. Like his company.

Pressed to explain his obnoxiousness, D. apologized that mine was the third phone call he’d received on the subject that day – and these were doozies.

“Somebody with a Russian accent called me in the middle of the night and said he’d hacked into the company’s computers. Then one of my competitors called and said a rumor was circulating the market that my list of clients was for sale. Now you call and ask questions and I realize this is about to hit the newspapers.”

D. finally agreed to talk off-record, since, in his opinion, the greatest damage he could suffer wasn’t from hackers or the theft of his client list, or the ransom the hacker demanded he pay, but bad press.

D. runs a company that operates in forex and binary options outside Israel. It operates over the Internet. Investors can bet on the direction and intensity of a movement by financial assets, from currencies to commodities to indices, to the prices of popular shares such as Google or Apple.

A lot of Israelis are involved in this sort of activity: The country has 21 companies registered as “trade venues” with the Israel Securities Authority. Most operate mainly overseas and some only operate abroad, in order to dodge Israeli regulation. (A company may be registered in Israel, but in order to avoid having to comply with local regulation, it registers – for instance – in Cyprus, places the servers – for example – in Gibraltar and blocks visitors from Israel; nor does it provide service in Hebrew.)

Investing in binary options isn’t for people who love safe havens. It means betting on the change in the direction of a currency, index or stock. You might bet that Samsung will end the day above a certain share price. If it does, you win an amount set in advance. If it doesn’t, you lose everything you bet. You can invest in binary options through the bank but the chances are more akin to a scratch card lottery.

“As far as I know there have been attempts in recent days to hack into forex and binary option companies, maybe most of them,” D. says. The weapon was a Trojan horse.

Organized attack

“At first I thought the attack on us had been commissioned by a competitor. I still wonder if that’s so, but the fact that several companies were attacked at the same time bolsters the theory that the attack originated from an organized body, apparently Russian, which is targeting the whole industry,” D. says.

“They may have found a weak spot in one of the systems that a number of companies use and broke into everybody using that system, before the companies could share the information and close the entry point. We’re still looking into it.”

The hacker sent him screenshots of pages from the internal system, by WhatsApp, D. says – but the pages weren’t of the customer management system. “Somehow he found my name and mobile phone number, and demanded money.” How much? 500 bitcoins – roughly equivalent to $150,000.

Insofar as he can tell, nothing was actually stolen. Other companies, he says, set up “response teams” consisting of external consultants, cyber experts, lawyers, and negotiators. He personally has no intention of paying, not the hacker and not tens of thousands of dollars a day to consultants.

Tens of thousands of dollars a day? “Yes. It isn’t crazy. Each one of those takes thousands of dollars a day for advising; within two days it costs more than the ransom demand. Just the lawyers run $2,000 a day because you need an expert on law in Cyprus, one on Israeli law, and one on the law of the country where the servers physically sit. I’m not going to get dragged into that vortex of spending, and I’m not going to go to the police.”

TheMarker: Why not? I’m no lawyer but what you tell me sounds like extortion under coercion. Don’t you actually have to go to the police? You’re serving tens of thousands of customers who deposited their money with you and your system has been penetrated. You don’t really know if they stole customer information.

“I don’t HAVE to do a thing,” D. says firmly. “I received an unambiguous legal opinion [about that]. What could the police do to help me? They know nothing and there’s nothing they could do. It would be a waste of my time.”

Sad to say, after a chat with the experts at the Israel Police about the wave of cyber attacks experienced by the finance-betting companies, D. seems to have a point.

The police, it turned out, didn’t even know about the wave of crime, possibly because none of the companies complained or maybe because the complaints were filed to different police stations but didn’t register as a wider problem. But even if they’d known, what could they do?

“We have noticed a trend of cyber attacks for profit in recent months,” a source near the police says.

“But not many companies have complained aside from ones who realized they’d been hacked by a worker or a former one, which is a pity. One can understand why companies forgo complaining lest anybody find out about the break-in, but it’s happening to a lot of big companies now and there’s no reason not to complain any more.”

And if somebody does complain, then what? Online attackers could be anywhere in the world, the source shrugs. The police would love to help but they’re not up against one guy or two. Fighting the forex hackers would be a vast mission with unlikely results. The Israeli police don’t have the manpower or the culture. There aren’t even any relevant laws in place.

Call the police?

TheMarker: You’re admitting that if somebody’s under cyber attack, and is even being extorted, there’s no point in calling the police.

“Not exactly. Although probably not much will happen with the individual case, it’s important for people to complain, so the police can collate information. That information can be handed on for investigation by international bodies like the FBI or NSA, then maybe something can be done.”

Meanwhile the police have decided they have to work with the private sector on this, not something the police do easily or well, says the source. Abroad, cyber attacks get investigated by joint teams of the affected company and the FBI – “We need to learn how to do that.”

Police working with the finance gamblers? Lots of luck with that. Finance gamblers are probably the last people on earth to aspire to do things for the greater good of humanity. By their nature, forex companies take advantage of human weakness and greed to make money in a game in which the “house” always wins. It’s not an industry brimming with dewy-eyed volunteers who will help little old ladies and strain themselves for a cleaner digital world. That’s one thing.

Under the radar, please

Another is that many of these companies face bigger challenges and restrictions vis-à-vis the law and regulation, not only in respect to licensing but money-laundering and tax payments by their clients. Just a few months ago, trade in the London-listed Israeli startup P500 was halted because of a money-laundering issue. The value of its stock plunged. Apparently the last thing these companies want is to be on the radar of the FBI or NSA in any way whatsoever.

Also, if you’ve been hacked, pesky questions are bound to arise about how much you’ve been investing in protecting your clients’ information and money.

It’s embarrassing to see the agencies supposed to protect us do nothing, especially as we keep reading in the paper about Israel the cyber giant. Not a week passes without some startup nobody ever heard of raising untold millions; not a month without a cyber company being sold for hundreds of millions. We’re told Be’er Sheva is a hub and even Benjamin Netanyahu trots around the world selling the Israeli cyber story, with a wink at reports that we planted the deadly virus Stuxnet in the Iranian nuclear program.

But in the real world outside the high-tech bubble, life is duller and grayer.

A criminal lawyer, asked why attacked companies don’t call the cops, quickly diverted the conversation. “They don’t have a duty to report. But tell me, maybe you know a good company to store websites, somebody who knows how to protect against cyber attacks?” No, I said, why do you ask?

Like all lawyers, he has a site, he told me. “Something simple, with texts describing what the site does and who I am. There are no client lists. It’s important to me that the site appear high in Google search lists. Some weeks ago somebody hacked the server hosting my site and suddenly it started sending spam created on my computer. I’m afraid Google will blackball me.”

What he was suffering is a common form of cyber attack, I told him – taking control of a computer and using it to send ads, marketing emails and even to participate in cyber attacks. “Evidently your computer’s details are somewhere in the Dark Net. Anybody who wants to can put down a little money and use your computer however they please. Somebody’s making money off it.”

But that wasn’t the whole story. Next he got an email asking for one bitcoin to make the hassle stop. He didn’t pay but he doesn’t know what to do, says our lawyer. The company storing his website says it isn’t its problem, ditto the Internet service vendor. “Isn’t there any supplier in Israel who can take responsibility for such things?”

Different hacks for different folks

Well, cyber attacks come in a wide variety, from hackers taking an ostensibly moral position (like outing Ashley Madison users) to thieves (of money, client lists etc.); more common are DDoS, or distributed denial-of-service, attacks designed to shut down a targeted website. That’s the kind of attack usually perpetrated on government websites and the like. They may not actually damage the site but they prevent it from being used. That’s a pain when it comes to a stock market website, for example. Other hackers simply block access to your own computer unless you pay them money. And that’s just the tip of the iceberg.

Even if one invests in protective systems, they’ll never be airtight. Today companies can buy hacking insurance – Bank Leumi for one admits that it recently spent millions of shekels on a policy. That’s not surprising, after workers of the Leumi Card group stole details of millions of cardholders and demanded ransom in the millions of euros to give the information back, a scandal now wending its way through the courts. Management had been terrified lest the public learn of the affair and start a run on the bank and even agreed to pay 50,000 shekels to the data thieves, one told TheMarker.

But the greater danger is takeovers of national systems like water or electricity systems, banks or security systems. It didn’t make the media but earlier this year, hackers tried to use “crypto-lockers” on systems of the national Israeli water company Mekorot – malware designed to lock a company’s files and only release them after ransom is paid.

In Mekorot’s case, the virus was identified early, before it could lock anything, nor did a ransom demand materialize. Mekorot also called in the Shin Bet cyber unit. There was reason to worry: Hackers accessing the company’s computers could for instance change the mix of chemicals in the nation’s water. Investigators suspect the crypto-lockers were a trial balloon ahead of a more serious break-in.

The public was not informed, which one can understand – mass panic could ensue; but it precludes greater public involvement in monitoring essential systems. But actually cyber attacks like this on Israel’s national infrastructure happen almost every day. Most are easily rebuffed.

Mekorot commented that it deals with cyber attacks on a daily basis, and says its people, trained by the best minds in the cyber world, work with the Shin Bet to proactively deter the hackers.

The affair of the finance companies isn’t of national importance, but sicknesses that start in the dubious domains of the Internet, such as gambling, porn, games, illegal downloads and so on, tend to seep into the general public domain. If there’s a lesson in all this, it’s that we all need to stay vigilant. It will reach you.

Israel isn’t alone. In October the FBI warned about such attacks, notably crypto-lockers, and provided tips on how to respond. It naturally lists firewalls and anti-viruses, but also advises blocking pop-ups and, of course, being wary of suspicious emails, text messages and sites.

The FBI also helpfully points out that backing up one’s computer systems by definition frustrates crypto-lockers, since the computer can be cleaned and the files restored.