Iranian Hackers Hit 80 Israeli Firms as Massive Cyberattack Continues

Pay2Key, an Iranian ransomware gang, has only been active since November but has already managed to wreak havoc on Israeli companies

Pay2Key's ransom note. The group is an Iranian cyber gang focused on ransom attacks and has hit at least 80 Israeli firms. Credit: Check Point

Recent days have seen reports of at least two serious cyberattacks against Israeli companies. The first targeted the Israeli software firm Amital Data and some 40 of its clients, and the second was against Habana Labs, an Intel-owned processor maker. Both attacks are being attributed to the Iranian hacker group Pay2Key, which is targeting Israeli firms at a rapid and alarming pace. New details of the campaign, revealed by OP Innovate, show that its scope was much wider than previously known.

Cyberintelligence research conducted by OP Innovate and published this Wednesday reveals that the Iranian hackers managed to break into more than 80 targets in the Israeli market. OP Innovate CEO Omer Pinsker, who led the research, and Shay Pinsker are assisting a number of Israeli firms as part of their incident response teams. This access puts them in an especially good position to report on the attack and the attackers. Sources within the company say they are trying, with the help of Israel's cyber authority, to find and reach out to all the victims of the Iranian-attributed attack and even to warn other potential targets.

According to the firm, despite the relatively serious damage caused by the attack, which targeted Israel specifically, the hackers themselves were not top-tier. The current assessment is that they gained initial access to the Israeli systems through some remote access service, very likely a VPN (virtual private network), and then used open-source software freely available online to move deeper into the networks. This bodes poorly for Israel and shows just how exposed the firms were, the researchers say.

“It is very important to increase the preparedness of organizations for such attacks,” Omer Pinsker, the CEO, says. “In recent weeks, we have been working day and night to try to stop this wave of attacks. When an organization realizes it is the victim of an attack, we recommend it deploy a rapid response team before any change is made to its systems or any files are deleted,” as commonly happens in such attacks when attackers try to hide their tracks. “This will help with the forensic analysis of the attack and its motives,” he says.

Pay2Key is an Iranian ransom gang that focuses almost exclusively on Israel. The group has been active only since November but has already managed to hit a large number of firms. Its modus operandi is usually to demand a relatively small sum of money, somewhere between $100,000 and $130,000, in return for releasing stolen data. A review of Bitcoin transfers to Pay2Key, conducted by Check Point and Whitestream, revealed that the money was being moved through an Iranian cryptocurrency exchange. It also revealed that a number of Israeli firms had paid the ransom.

As part of their research, they identified indicators of compromise (IOCs), which allow defenders to determine which computers or systems were hit. A company can do this in-house by scanning its systems for the file names used by the attackers. Moreover, the researchers found a way to halt the attack, at least in its current form, with a few simple changes to the firewall and operating system. These changes cut the infected machines off from the attackers' command-and-control server, so the attackers could no longer remotely control them.
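The in-house sweep described above, as an added example that is not part of the article or of OP Innovate's guide: walk a directory tree and flag any file whose name or SHA-256 appears on a watch-list. The indicator values, the helper names and the sample file tree are placeholders constructed for this example; they are not Pay2Key indicators, which the article does not publish. A real sweep would load the IOC list from the responders' guide and run on every host that had VPN access.

```python
"""Minimal IOC sweep: flag files whose name or SHA-256 matches a watch-list.
Added example; indicator values below are placeholders, not real Pay2Key IOCs.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder watch-list, constructed for this example (not real indicators).
FILENAME_IOCS = {"example-dropper.exe", "example-loader.dll"}
SHA256_IOCS = {hashlib.sha256(b"placeholder payload bytes").hexdigest()}


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_for_iocs(root, filename_iocs=FILENAME_IOCS, sha256_iocs=SHA256_IOCS):
    """Return a sorted list of (path, reason) for every file matching an IOC.

    Name matches are case-insensitive because Windows file systems are;
    hash matches are exact.  Files that cannot be read (locked, permission
    denied) are skipped so one bad file does not abort the whole sweep.
    """
    names = {n.lower() for n in filename_iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            if fname.lower() in names:
                hits.append((str(p), "filename"))
                continue  # no need to hash a file already flagged by name
            try:
                if sha256_of(p) in sha256_iocs:
                    hits.append((str(p), "sha256"))
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample tree so the example runs offline: one benign file,
    one name match and one renamed file that matches only by hash."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"benign content")
    (root / "Example-Dropper.EXE").write_bytes(b"anything")          # name IOC
    (root / "docs" / "renamed.dat").write_bytes(b"placeholder payload bytes")  # hash IOC
    return root


if __name__ == "__main__":
    for path, reason in scan_for_iocs(build_sample_tree()):
        print(f"{reason:8} {path}")
```

Hashing catches the renamed copy that a filename-only scan would miss, which matters because attackers frequently rename tooling after it is burned; conversely, an attacker who recompiles the tool defeats the hash list, so both indicator types are worth carrying.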

These, as well as other measures to slow or thwart the attack, were organized by the company into a guide intended to help other Israeli firms recover from the attack.

Regarding the Amital attack, the current assessment is that a massive trove of information was stolen from the company and from those using its software, though it is still unclear which information was taken. Amital's website is currently offline, and in addition to Israel's cyber authority, the private cyber firm Comsec is advising the company as it reels from the attack.

A slide from a Check Point report on how bitcoin from a ransomware attack eventually made its way to Iran. Credit: Check Point

Two weeks ago, Shirbit, a prominent insurance company, was targeted in an attack that the cyber authority described as a form of “extortion” and that others said was driven by ideology more than by money.

Haaretz has reported in recent weeks on a number of cyberattacks and on the increasing spillover of cybercriminal techniques into the offensive cyber arena. Regarding Pay2Key, Lotem Finkelstein, head of cyberintelligence at Check Point, told Haaretz's Omer Benjakob that “ransomware is immediately associated with cybercrime and money, and rightly so. However, ransomware serves more motivations than solely financial gains.

“We have seen, for example, hacktivists using ransomware to carry specific messages to the targeted organization, or to serve a certain idea,” he says. “This was the case with the Pay2Key ransomware, where an unknown Iranian group of hackers attacked mainly Israeli companies with cutting-edge ransomware. While doing everything they could to collect the ransom, the geopolitical characteristics [of the attack] also suggest the hackers were ideologically driven.”
