Hackers linked to Iran claimed Sunday evening they successfully hacked into Israel’s state-owned Israel Aerospace Industries.
How COVID – and Israel’s Trump-brokered lovefest with Arab states – are affecting Palestinians
In a tweet and update to their website, the Pay2Key hackers revealed internal data from the Israeli defense contractor in what cybersecurity experts say is a clear escalation of the attack on Israel.
The claims regarding the IAI come after a week in which it was revealed the group had targeted more than 80 Israeli firms. The hackers, first discovered by Israeli cybersecurity firms in November, are a group of cybercriminals focusing on ransom attacks.
However, experts attribute ideological as well as financial motives to the recent attacks. The so-called hacktivist group was linked back to Iran after ransom money paid out to them in bitcoin was traced back to an online currency exchange in Iran.
At the end of last week, the hackers tweeted out a poll asking their followers which Israeli organization was most likely the safest in terms of cyber defense: Israel’s health ministry, its transportation ministry or the IAI. On Sunday evening, the hackers posted a tweet claiming it was the latter.
Their website on the so-called darknet revealed information seemingly indicating that they had at some point indeed managed to enter the IAI’s internal system, which sits on the ELTA.co.il domain.
- Iranian hackers hit 80 Israeli firms as massive cyberattack continues
- ‘The Iranians are waiting for the Israeli response’: Who is behind the latest cyberattack on Israeli firms?
- Iran says one of two 'large scale' cyber attacks targets country's ports
They posted the details of about 1,000 users from the defense contractor’s internal system, purported proof they managed to hack the IAI and may have access to sensitive information as well.
The information leaked was not sensitive itself and included information like workers’ names and internal computer registries. No demand for ransom was made and it is very likely the hack took place in the past and that the hackers do not currently still have access to the system.
But it may very well indicate that at some point the hackers did have access to the internal system’s main directory of files, which includes research, technical documents and internal data.
The IAI has yet to respond but sources with knowledge of their thinking say they do not currently fear sensitive information was stolen during the breach.
A defense contractor with some civilian aviation businesses, IAI is the largest state-owned company in Israel by number of employees – about 16,000. It had revenues of $2.1 billion in the first half of this year and a net profit of $48 million from anti-missile systems, drones and precision-guided weapons, mostly for export. It is also one of the two firms leading Israel's 2024 bid for a moonshot.
“This is another escalation in the campaign,” said Omri Segev Moyal, CEO of the cybersecurity firm Profer that has followed the case after the group’s announcement Sunday.
Einat Meyron, a cyber consultant, added that despite this, it is important to remember that “not every hack means full access."
"Defense bodies have different networks and workers who have access to the closed classified system cannot usually also go online to the public internet. Did Pay2Key gain access to classified servers? Sadly, we do not know and will have to wait as they will have no issues revealing any flaw they exploited if indeed there was one," Meyron said.
Pay2Key was discovered in November in a joint research project by two Israeli cybersecurity firms, Check Point and Whitestream. Initially, the group was thought to be another band of cybercriminals active in the field of ransomware.
Ransomware attacks tend to follow a similar pattern: a company is targeted, its files either stolen or encrypted, and they must then pay a ransom to have the information released. However, this group was slightly different and requested small sums while showing “concerning” tradecraft usually reserved for more advanced hackers, if not those affiliated with a nation state.
Even before linking it back to Iran, Check Point warned in their report that the attackers had “advanced capabilities’’ not usually associated with cybercriminals. Lotem Finkelstein, head of cyber intelligence at Check Point, told me last Thursday that in some of the cases revealed in the past, the attackers managed to take control “of the entire network within an hour,” whereas most criminal operations will “take a few hours if not days – say, the entire weekend.”
“This is the type of skill we have only seen from the most skilled hackers in this business,” he said. “The fact that this operation also had what is termed ‘operational security’ (or OpSec) covering their tracks is impressive. The fact that this is a new group showing such skills is suspicious, because in what seems like a very short time, it managed to learn the business, make up for lost time and emerge as a serious player on par with teams with much more experience. It’s almost as if they didn’t need any practice, as if there’s simply no learning curve,” he said.
“This is a team with very advanced and focused capabilities that we have seen active now for a number of months,” Whitestream CEO Itsik Levy said of the group he helped first discover on Thursday. “The recent wave is undoubtedly a milestone that will bring about a change in the way information security is managed in Israel. “My belief is that this needs to be treated as a terror attack on a national level,” he continued.