Iran Suspected After Massive Cyberattack on Israeli Firms Revealed

Iranian President Hassan Rouhani gives a virtual speech. Is Iran behind a recent string of cyber attacks on Israel? Credit: Tiffany Hagler-Geard - Bloomberg

At least 40 Israeli companies were affected by a cyberattack very likely originating from Iran, after Amital Data, which sells software to logistics companies, was targeted by hackers.

News of the hack and subsequent data leak from firms using Amital Data's Unifreight software was revealed in a filing to Israel’s stock exchange by Amital's stockholder Orian.

Meanwhile, a hacking team called Pay2Key, which in the past was linked back to Iran, made a public statement regarding an attack it launched in September against yet another Israeli firm – Habana Labs, which is owned by Intel and provides AI solutions. The hackers said they had full control over the Israeli company’s system, including access to sensitive data. 

‘40 firms hit’

Regarding the Amital attack, the current assessment is that in the attack on the company and on those using its software, a massive trove of information was stolen, though it is still unclear which information was taken. Amital’s website is currently down, and in addition to Israel’s cyber authority, the private cyber firm Comsec is advising the company as it reels from the attack.

Amital said that “two weeks ago we identified offensive attacks against our systems and clients’ computers. The incident is just one link in a chain of incidents taking place simultaneously at the national level that are being followed closely by the cyber authority. As is our protocol, our defenses are now being bolstered and a special situation room was set up to address any issue that arises. The firm is using cyber experts to contain the incident and at this point the damage seems localized.”

Two weeks ago, Shirbit, a prominent insurance company, was targeted in an attack that the cyber authority described as a form of “extortion,” but which others said was driven by ideological rather than financial motives.

Orian told Israel’s stock exchange that “last week we received a warning from one of our software suppliers (Amital) that it had been involved in a cyber event and that information stored on one of our servers was leaked alongside that of 40 other companies.”

“The leak was closed within a number of hours and after an investigation which included Amital we have an assessment about which information was leaked. However, we cannot confirm for certain the identity of the leaked information. Orian is working with Israel’s cyber authority and will continue to bolster its cyber defenses and prevent such incidents from happening in the future,” it told the stock exchange. 

This type of attack is termed a “supply chain attack,” in which sensitive information held by a company is reached indirectly, through external software provided by its suppliers. Software providers are usually the main target of such attacks, and this “attack vector,” as cybersecurity researchers call it, is very hard to defend against, since the victim has to trust the supplier’s code and access.

The attack against Amital’s Unifreight program is not considered a ransom or extortion attack attributable to criminals; rather, it is being treated as a state-run operation, with Iran the main suspect.

A slide from a Check Point report on how bitcoin from a ransomware attack eventually made its way to Iran. Credit: Check Point

Cybercrime or Iranian op?

Last month, Check Point, Israel’s most famous online security firm, revealed an extortion attack targeting Israeli firms that was linked back to Iran, or at least Iranians. That attack, known as Pay2Key, targeted Habana Labs, which is owned by Intel and develops processors for AI. 

On Sunday, the hackers revealed some of the data they stole, publishing on their Twitter account what appear to be images from the firm’s internal system, revealing data which, if genuine, would be precious to the organization, as part of their attempt to extort the company. Additional data was leaked onto the darknet.

“Based on what we’ve seen in the past few hours, the attacker claims they have ‘domain control’ - or the ability to control their victim’s network,” says Dean Bar, a partner in the superintelligence firm HackersEye.

“The information the hackers claim they have included internal documents, file and router names, and a whole lot of original code, including that which is the company’s actual product and developments. For example, the hackers claim they have thousands of original files regarding a product called Goya, including the design of one of the processors Habana Labs is developing.”

Haaretz has reported in recent weeks on a number of cyber attacks and the increasing spillover of techniques used by cyber criminals into the offensive cyber arena. Regarding Pay2Key, Lotem Finkelstein, head of cyber intelligence at Check Point, told Haaretz’s Omer Benjakob that “ransomware is immediately associated with cybercrime and money, and rightly so. However, ransomware serves more motivations rather than solely financial gains.

“We have seen, for example, hacktivists using ransomware to carry specific messages to the targeted organization, or to serve a certain idea,” he says. “This was the case with the Pay2Key ransomware, where an unknown Iranian group of hackers attacked mainly Israeli companies with cutting-edge ransomware. While doing everything they could to collect the ransom, the geopolitical characteristics [of the attack] also suggest the hackers were also ideologically driven.”

By following the money paid to the cybercriminals, Check Point’s research department managed to track the bitcoin paid by other victims of the Pay2Key attack back to Iran. “We followed the sequence of transactions, which began with the deposit of the ransom and ended at what appeared to be an Iranian cryptocurrency exchange named Excoino,” the company said in its report.

“Excoino is an Iranian company that provides secure cryptocurrency transaction services for Iranian citizens,” the original Check Point report added. The site requires a valid Iranian ID card to be able to transfer funds, indicating that at minimum these attacks involved Iranian nationals at some level. The firm said they suspected that Iranian hackers with very advanced skills were behind the attacks.
