While the investigation into the ransomware attack on Shirbit continues, the insurance company is portraying itself as a warrior on the cyberspace frontline, protecting the country's honor. In the attack a few weeks ago, hackers stole data on Shirbit's clients, and the company refused to pay a ransom to recover it.
Contrary to the company's posture, the data hack could in reality compromise national security and endanger the lives of workers in some of the country's most covert organizations.
The hack has since been joined by a string of others, most prominently the Pay2Key attack - attributed to Iranian cybercriminals - which hit at least 80 Israeli companies and has claimed to have also targeted Israeli ministries and even a military defense firm.
The Shirbit attack - as well as subsequent ones - highlights the growing national security risk that purported incidents of cybercrime now pose. It also underscores how ill-prepared the Israeli state is to deal with this threat. In fact, it is at times negligence on the part of the state that makes the risks of such attacks that much more severe.
When cybersecurity investigator Amitai Dan examined the Shirbit affair, he discovered a number of concerning signs at the state level - for example, the documents taken from the insurance firm were, as he puts it, a jackpot for foreign intelligence services who may want to spy on Israel’s most sensitive organizations. The hacked data, he claims, could help provide Iran, for example, with the intelligence required to take revenge for the assassination of nuclear scientist Mohsen Fakhrizadeh.
Shirbit and Harel won the 2021 tender for insuring the state’s cars, and according to reports it is supposed to insure about 65 percent of the 60,000 cars used by state employees – close to 40,000 cars. On winning the tender, Shirbit received from the state an updated file of the state employees who owned these cars. The company was required to ask the car owners for the remaining details. But the file contained not only details from the state but also documents from the previous insurance companies, which had won the bid in the recent year and were obliged to pass them on to the new insurer.
According to the tender specifications laid out by the state, the company is obliged to gather information such as the employee’s name, phone number, email address and ID number, as well as car license number, model type and the year it was first used. The forms also include other information, such as the employees’ addresses, although employees are not obligated to provide them.
“The security establishment has methods of dealing with such cases,” a security official told Haaretz, but did not provide additional details.
The extent of the data stolen from Shirbit and what it pertains to is not clear yet. However, when TheMarker reporter Rotem Starkman spoke to Shirbit, pretending to be a potential client, one telephonist tried to calm him down.
“Did they steal addresses?” Starkman asked.
“Addresses and things like that, but not credit (card numbers), it was more state employees’ car licenses. You’re a private client and they didn’t steal anything from (data belonging to) private clients.”
This is exactly the problem. “A potential buyer can channel the data obtained by the hack into various attacks against all the state employees whose details had been exposed, including employees in sensitive sites,” says Dan. “This could be reflected in breaking into cars to gather intelligence, gaining access into emails under the guise of other employees in their organization, hacking into mobile phones, tracing phones and tracing state employees in foreign countries.”
“Clearly, if the attackers can lay hands on the address and car license of a specific employee in a sensitive organization, they could also reach him physically and carry out more extreme acts, such as abduction or assassination,” says Dan.
Anyone who could get hold of the employees’ telephone numbers in various organizations could send them text messages under the guise of someone within the organization. This is because in Israel there are no protection measures against text messages and phone calls made from fake numbers. This is what happened a few weeks ago when crooks sent people messages purportedly from Bezeq, Israel’s largest telecom provider. With more legislation, these messages could not have appeared as authentic messages from Bezeq.
The problems in the tender were not limited to information the insurance companies receive and share, thus showing how widespread the underlying issues originating with the state are. “Apparently the state issued a car tender without a clear obligation to secure the databases,” says Dan.
Indeed, in all 78 pages of the tender there is only one mention of data security, and it pertains to passing information between the companies and the Finance Ministry. On page 72, which details the structure of the files to be passed in the new system, it says: “The files from the insurance companies will be transferred in safes.”
The Finance Ministry said the company wouldn’t have fulfilled the criteria for the tender had it complied with the requirements, but stresses that “the tender winners are subject to all the oversight of the Capital Market Authority’s regulations, including for cyber threats. Also, the tender consists of clauses dealing with privacy protection, supervision and monitoring.”
Attorney Haim Ravia, head of the cyber team at the international law firm Pearl Cohen Zedek Latzer Baratz, says “if the state thought Shirbit would have sensitive information, or information that could be used to identify state employees in sensitive positions, it should have given it some thought and not settled for the generic requirements made in the contract; it should also have carried out inspections. I assume the tender drafters didn’t consider this to be a real issue at all.”
Most of the state’s tenders reflect ignorance, or at least lack of thorough thinking, when it comes to issues of privacy in general and data security in particular. The state must draft an internal procedure stipulating that tenders involving the processing of external information must not be issued without the National Cyber Security Authority’s examination.
Already last year, Omer Kabir reported in Calcalist that the cyber authority laid out a plan to draft standards for cyber protections among the ministries’ service providers. The authority issued an instruction requiring supply chain providers to issue a permit confirming they adhere to the standards set by the National Cyber Authority. However, this is still only a recommendation, which is expected to become compulsory during the next year.
Shirbit responded that it invests heavily in cyber protection and adheres to all the procedures and regulations. The cyber authority and the Defense Ministry declined to comment on this report.