‘The Iranians Are Waiting for the Israeli Response’: Who Is Behind the Latest Cyberattack on Israeli Firms?

Israel is in the midst of a massive cyberattack by an Iranian group calling itself Pay2Key. The experts who first discovered it share what they know – and explain why they’re concerned

Omer Benjakob

A screenshot of the Pay2Key Twitter account, in response to an Israeli cyberexpert warning that "Winter is Coming." Credit: Screenshot

Israel is under attack. Iranian-linked hackers have targeted at least 80 Israeli firms in what experts say is a form of ideologically driven cybercrime.

The attack, led by a group called Pay2Key, is the latest in a string of cybercampaigns against Israel. However, whereas recent attacks were only indirectly linked to Iran and attributed to purely political motives, the latest one was deemed Iranian from the outset and is also said to have financial motives – further blurring the lines between hacktivism and cybercrime.

“The Iranians are awaiting the Israeli response to escalate the attack,” said Omri Segev Moyal, CEO of the cybersecurity firm Profero. “The Iranian attack has been in the works for months, and is only growing and continuing to inflict damage on the Israeli market. Much like the tit-for-tat dynamic of war, this is a face-off between two states. The victims we know about are only the tip of the iceberg,” he tells Haaretz. “The Israeli economy is the home front in this war, and we need to defend it,” he added. 

“Winter is coming,” Segev Moyal tweeted in an attempt to warn others in Israel. But the Iranian hackers were also watching, and in a “homage” to the Israeli cybersecurity expert, Pay2Key changed its Twitter handle to “Winter is coming.” 


As if to drive his point home, it also posted a Twitter poll insinuating that it had also managed to break into Israel Aerospace Industries, and the health and transportation ministries.

A screenshot of the Pay2Key poll asking which Israeli network is the most secure: Israel Aerospace Industries, or the health or transport ministries. Credit: Screenshot

“We cannot and should not underestimate them,” said Segev Moyal, adding that “most of the Israeli market is not ‘the Cyber Nation’ – everything from small towns to private firms and even infrastructure sites – and is not prepared to deal with such an attack.” 

But what do cyberexperts mean when they talk about ideologically driven cybercrime? We spoke to the team that first managed to locate Pay2Key and linked it back to Iran to try to understand.

Unskilled state or impressive criminals?

Pay2Key was discovered in November in a joint research project by two Israeli cybersecurity firms, Check Point and Whitestream. Initially, the group was thought to be another band of cybercriminals active in the field of ransomware, albeit a very advanced one.

Ransomware attacks tend to follow a similar pattern: a company is targeted, its files either stolen or encrypted, and they must then pay a ransom to have the information released. 

A screenshot of a warning by Israeli cyberexpert Omri Segev Moyal about the Iranian cyberattack. Credit: Screenshot

By following the money paid to the Pay2Key cybercriminals in Bitcoin, Whitestream managed to track the movement of the ransom payment across the so-called “blockchain” back to an Iranian cryptocurrency exchange.

“We followed the sequence of transactions, which began with the deposit of the ransom and ended at what appeared to be an Iranian cryptocurrency exchange named Excoino,” their report said, explaining that Excoino is an Iranian company that provides secure cryptocurrency transaction services for Iranian citizens.
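The tracing described above, following a ransom deposit forward through successive spends until it lands at an address already attributed to an exchange, is a graph walk over transaction inputs and outputs. The block below is an added illustration, not code from Whitestream or Check Point: it runs a breadth-first walk over a small constructed ledger (placeholder addresses and amounts in satoshis, none of them real chain data) against a constructed attribution list, and reports which tagged address the funds reached and by which transactions. Real tracing works the same way over actual chain data plus an attribution database; the ledger format and labels here are assumptions.

```python
from collections import deque

# Constructed sample ledger (not real chain data). Each transaction spends from
# the addresses in "inputs" and pays the listed (address, satoshis) outputs.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_wallet"], "outputs": [("ransom_addr", 170_000_000)]},
    {"txid": "tx2", "inputs": ["ransom_addr"], "outputs": [("hop_a", 100_000_000), ("hop_b", 69_000_000)]},
    {"txid": "tx3", "inputs": ["hop_a"], "outputs": [("hop_c", 99_000_000)]},
    {"txid": "tx4", "inputs": ["hop_c", "hop_b"], "outputs": [("exchange_deposit_1", 167_000_000)]},
    {"txid": "tx5", "inputs": ["unrelated"], "outputs": [("exchange_deposit_2", 500_000_000)]},
]

# Constructed attribution list: addresses a tracer has previously tagged as
# belonging to an exchange's deposit cluster. Labels are placeholders.
KNOWN_CLUSTERS = {
    "exchange_deposit_1": "exchange X deposit cluster (constructed label)",
    "exchange_deposit_2": "exchange Y deposit cluster (constructed label)",
}


def build_spend_index(ledger):
    """Map each address to the txids that later spend from it."""
    index = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(tx["txid"])
    return index


def total_received(ledger, addr):
    """Sum of all output value paid to addr, in satoshis."""
    return sum(amount for tx in ledger for out, amount in tx["outputs"] if out == addr)


def trace_funds(ledger, start_addr, known_clusters, max_hops=10):
    """Breadth-first walk forward from start_addr, following every spend of
    every output (splits and merges included) until a tagged address is hit
    or max_hops transactions have been traversed.

    Returns a list of hits: {"address", "label", "path"} where path is the
    ordered list of txids from start_addr to the tagged address.
    """
    by_id = {tx["txid"]: tx for tx in ledger}
    spends = build_spend_index(ledger)
    queue = deque([(start_addr, [])])
    seen = {start_addr}          # avoid re-walking addresses reached via another branch
    hits = []
    while queue:
        addr, path = queue.popleft()
        if addr in known_clusters:
            hits.append({"address": addr, "label": known_clusters[addr], "path": path})
            continue                # stop at the first attributed endpoint on this branch
        if len(path) >= max_hops:
            continue                # bound the walk; long chains of hops are common
        for txid in spends.get(addr, []):
            for out_addr, _amount in by_id[txid]["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [txid]))
    return hits


if __name__ == "__main__":
    print("ransom received (sat):", total_received(LEDGER, "ransom_addr"))
    for hit in trace_funds(LEDGER, "ransom_addr", KNOWN_CLUSTERS):
        print(f"{hit['address']} [{hit['label']}] via {' -> '.join(hit['path'])}")
```

In this constructed ledger the ransom output is split in tx2, the two branches rejoin in tx4, and the walk reports a single attributed endpoint with the path tx2 -> tx4; the unrelated deposit to the second exchange cluster is never reached because nothing links it to the ransom address. The `seen` set is what keeps merges from producing duplicate hits, and `max_hops` is the knob a tracer tunes when funds are bounced through many intermediate addresses.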

However, even before linking it back to Iran, Check Point warned that the attackers had “advanced capabilities” not usually associated with cybercriminals, said Lotem Finkelstein, head of cyberintelligence at Check Point. For example, he noted that the attackers managed to take control “of the entire network within an hour,” whereas most criminal operations will “take a few hours if not days – say, the entire weekend.”

He added that unlike regular small-time criminal operations, Pay2Key was extremely patient, entering the system weeks if not months prior to the actual attack. By biding its time quietly, it managed both to enter the system unnoticed and to make the hack known only after the information had been stolen.

Finkelstein said the group was extremely careful to delete its tracks. The combination of the two – long, quiet dwell time and careful cleanup – is a new and impressive skill that has rarely been seen from run-of-the-mill cybercriminals.

“This is the type of skill we have only seen from the most skilled hackers in this business,” he said. “The fact that this operation also had what is termed ‘operational security’ (or OpSec) covering their tracks is impressive. The fact that this is a new group showing such skills is suspicious, because in what seems like a very short time, it managed to learn the business, make up for lost time and emerge as a serious player on par with teams with much more experience. It’s almost as if they didn’t need any practice, as if there’s simply no learning curve.”

However, Finkelstein noted that unlike an earlier attack this year which masqueraded as a ransom but was actually an offensive attack – possibly by the Iranian state itself – this attack did have financial motives.

A slide from a Check Point report on how bitcoin from a ransomware attack eventually made its way to Iran. Credit: Check Point

“They really do want the money,” he said. “In this sense, this was also a very strong ‘proof of concept’ for their skills, and there’s simply no obstacle to them now deploying the technology they used against anyone anywhere in the world.”

According to this thinking, Pay2Key is not necessarily a front for the Iranian state, but rather a hybrid of an ideologically motivated threat actor – or hacktivist – and cybercriminal using Israel to showcase its skills. 

“There are very classic motifs of cybercrime in this attack,” Finkelstein said. However, unlike regular ransomware crime, “we see they’re demanding relatively small amounts. While criminals usually ask for hundreds of thousands of dollars, if not millions, here it’s only a few tens of thousands. So on the other hand, this shows that alongside the financial motives, there’s an ideological aspect feeding into the economic one. The ideological side is the desire to inflict damage of some sort, and hacktivists do use cybercrime to serve their agenda while also making money off of it.”

He cites the famous case of a hacktivist called “VandaTheGod,” who targeted the Brazilian government after last year’s fires in the Amazon. 

Ideological crime

Whitestream CEO Itsik Levy says that as of now, about five victims have paid Pay2Key and it has received 8.6 bitcoin (about $130,000). “These too were sent to the exchange located in Tehran,” he said.

Images of the alleged transfer indicate that among the firms paying was a small Israeli law firm and a local energy firm.

“This is a team with very advanced and focused capabilities that we have seen active now for a number of months,” Levy said, adding: “The recent wave is undoubtedly a milestone that will bring about a change in the way information security is managed in Israel.

“My belief is that this needs to be treated as a terror attack on a national level,” he continued, and not a private matter, as ransomware attacks are usually handled. In fact, during the cyberattack on Shirbit insurance last month, which was deemed a form of political extortion, Israel’s National Cyber Directorate told Haaretz that its position on ransoms was that it was an internal issue for companies to decide on their own. 

“The firms attacked were attacked just because they’re Israeli, and for no other reason,” Levy said. “We’re seeing more and more ransom cases targeting massive organizations in the U.S. and Europe because the payout is huge,” he added, noting a recent case in which Russian hackers demanded electronics manufacturer Foxconn pay a ransom of $34 million. Here, he said, the low ransom sums, allied with the advanced technical skills, indicated “that for Pay2Key, the motivation is nationalistic.”

Reut Menashe, an expert in rapid response to cyberattacks, is slightly less impressed. She said that the exploit that may have been used is one that Israel has warned about in the past. “Is this something that only a nation could do? Not necessarily. An important skill you need is to know about the exploit and find the tool to use it, which is online,” she said.

Check Point’s Finkelstein agreed that this isn’t necessarily a state-run attack, but highlighted its unique nature. “When we talk about the best top-tier hackers, these are never criminals and almost always nation-state hackers. But these are also the ones you never hear about. We can only assume, for example, that Israel’s cyber units are hard at work – but you rarely hear about them.

“If we see a criminal hacker showing skills we’ve never seen before, that’s concerning either way,” he added. “We as researchers look for identifiers and if we see, for example, that this group has OpSec trying to hide its tracks – then this is concerning for us, as this is just not the type of thing you usually see with cybercrime and is usually more affiliated with nation-states.”
