Exclusive: Intricate Hack Against Israeli Crypto Leaders; 'Mossad Investigating'

Dozens of cryptocurrency executives in Israel had their phones hacked and their online identity stolen in a rare and concerning attack

Amitai Ziv
Send in e-mailSend in e-mail
A man checks mining equipment inside their bitcoin mine near Kongyuxiang, Sichuan, China.
A man checks mining equipment inside their bitcoin mine near Kongyuxiang, Sichuan, China.Credit: Paul Ratje/For The Washington Post via Getty Images
Amitai Ziv

About 20 Israeli cryptocurrency executives were asked to pay digital currency after their phones had been hacked and their identity was stolen in a unique and concerning cyberattack that took place at the beginning of September.

The failed attack, being reported here for the first time, was carried out by a sophisticated team that may have been state-sponsored. It also involved a major telecom company, a cyber firm called Pandora and perhaps even the Israeli Shin Bet. We can also reveal for the first time that the Mossad and Israel’s National Cyber Security Authority were involved in the investigation. 

“On September 7 we were approached by a new client, a deputy chief financial officer of a company who said his mobile phone had been hacked during the night, and that his Telegram account and perhaps other accounts had been breached,” says Tzahi Ganot, co-founder of Pandora Security, a cyber consulting company specializing in protection for executives in sensitive positions.

>> Do you work in Israeli hi-tech and have a story to share with us? We can promise full anonymity: Click here to send us an enycryped email

“The hackers sent messages to this man’s contacts from his Telegram account in his name and asked them to send cryptocurrency,” Ganot says.

Tzahi Ganot, co-founder of Pandora Security, a cyber consulting company
Tzahi Ganot, co-founder of Pandora Security, a cyber consulting companyCredit: Ofer Vaknin

“We sent the executive a price offer and I tried to figure out with my partner how his phone had been hacked – whether it was by a duplication of his SIM card or by installing a malware application onto his phone.”

Taking over a Telegram or Whatsapp account is possible, but no simple task, he said. “We sent a report of the case to our clients and to a few digital currency groups we are members of. 

“I went to sleep and the next morning I was flooded with messages from people I know and from some I don’t, all with similar complaints of being hacked.”

“Altogether there were about 20 victims, all CEOs and vice CEOs who run digital currency projects. In many of the cases, their Telegram apps had been hacked, but in others it was their Gmail and Yahoo mail accounts. 

Employees work on bitcoin mining computers at Bitminer Factory in Florence, Italy, April 6, 2018. Picture taken April 6, 2018.
Employees work on bitcoin mining computers at Bitminer Factory in Florence, Italy, April 6, 2018. Picture taken April 6, 2018. Credit: REUTERS/Alessandro Bianchi/File Photo

“In all the cases, the identity theft used the phone to conduct a user verification process with the help of SMS - and in all cases, the victims were clients of [Israeli telecommunications giant] Partner,” he says. 

Numerous digital services allow entry or renewing passwords through SMS verification. If the client has difficulty entering the account, they receive a temporary code by SMS and use it to enter the service and replace their password. An SMS message is seen as private and relatively safe, he says.

However, in this case, it seems the attackers found a way to hijack SMS messages sent by Partner. “Stealing a user’s SMS messages is not simple and isn’t supposed to be accessible to private individuals,” says Ganot, who before founding Pandora worked in NSO for a few years with his partner.

“Theoretically it’s possible, but the hacker must be physically close to their target, so it’s hard to believe there’s a person wandering around Tel Aviv and getting close to so many people without being caught by the Shin Bet. Also, there’s the weird part that all the victims are clients of Partner,” he says.

Pandora’s investigation revealed that the incident was most likely what is termed an SMSC spoofing attack, explains Ganot. In this kind of attack, which uses a phone’s roaming function, hackers need access to some cellular network in the world that interacts with Israeli cellular networks, he says.

“It’s a rare assault. The hackers send a message from  a foreign cell network to an Israeli one, updating the client’s location. For example: ‘The client has just landed in Tbilisi, he has registered with our network. Please route his SMS messages via this network.’  

"This is a necessary procedure for people entering a foreign country, whose cell phones are in ‘roaming’ mode.”

Someone, most likely from a foreign state, managed to hack into the cellular network of another country, and in this case was likely the origin of the attack in Israel, if not additional ones in other countries. 

“From the moment the victims were registered to the foreign network, they stopped receiving text messages. In some cases, they also lost reception or their phone underwent a restart,” Ganot says, explaining how this way, the hacker stole the SMS messages of Partner clients and thus hacked their online accounts.

“I know of about 20 people who fell victim to this hack, but that’s only in this cryptocurrency community. I have no way of knowing if it happened to others as well, like Israeli financial executives or journalists,” says Ganot.

The Shin Bet classifies Israeli telecommunication networks as critical infrastructure and their data security is supervised by the National Cyber Security Authority, which gets its mandate from secretive security organization. 

Ganot says Partner mishandled the incident from the start. “Partner replied to our queries with ‘what does it have to do with us?’ ‘We don’t have a data security team,’ and ‘we have sales or customer service.’ One representative even suggested I join their anti-virus service for five shekels a month,” he says.

'Shin Bet and Mossad involved'

Ganot contacted Partner’s data security director Yaniv Sabag. “He asked for the victims’ details and phone numbers but afterward he asked that each one of them approach customer services separately and open a call, otherwise he wouldn’t be able to look into their cases. I can tell you that to this moment I haven’t been able to ‘open a call’ in Partner and I’m a business client of theirs - or, more accurately, I used to be one,״ says Ganot.

“Finally Sabag said they were checking out the incident – but a few days later they cut off all communication, not only with us, but also with their hacked clients, and didn’t answer their queries.”

Following the incident Ganot left Partner, as did most of the other victims. Some of them filed police complaints. The National Cyber Security Authority was also briefed but in keeping with their hush-hush tradition, wouldn’t give any answers and would only hinted that a similar case had occurred earlier this year in another network. “I know there were people in the Shin Bet and the Mossad who were involved in this case,” says Ganot.

Asked why the latest hacking occurred only in the accounts of Partner clients, Ganot suggested other networks may have a firewall protection that Partner doesn’t to make sure the system isn’t misused. “It identifies anomalies in the user’s behavior and blocks such communication,” he said.

Despite the breach, the hack overall failed because none of the victims, as far as Ganot can tell, fell for it and transferred money to the hackers. The original hackers’ identity remains unknown.

“It can’t be someone from North Korea or Iran, because their cellular networks aren’t connected to Israeli ones. There was a similar incident in Russia in December. There has to be a certain environment in a country to enable dubious individuals access to telecom networks. Anyway, it’s Partner’s responsibility to investigate the case,” he says.

Do you think this happened only with this network?

“It is possible other cellular networks have better defenses. Maybe Partner doesn't have a firewall,” Ganot says. 

In response to the report, Partner said: “There is no connection between this incident and Partner. Incidents like these can take place - especially during the coronavirus - to clients of other firms as well.”

Comments