Analysis

Israel's Latest Data Breach Was a Perfect Storm of Negligence and Smugness. It'll Happen Again

A hacking group's breach of CyberServe's servers and the leak of sensitive personal information that followed prove that the authorities that are supposed to protect us were asleep at the wheel

Oded Yaron

The Black Shadow hacking group's website. Credit: Screenshot

A decade ago, in November 2011, the American government received a warning that sounded a bit ridiculous at the time. Richard Clarke, a senior information security adviser to three different presidents, warned that America’s critical computer systems were so vulnerable that it ought to deter governments from going to war.

Similar warnings have since been heard in Israel, too. But the country continues to be its own worst enemy. Even though a few substantive steps have been taken, hidden among a plethora of bombastic statements, it’s hard to say that our situation is much better than the one Clarke described a decade ago.

Until recently, we were lucky, and most attacks ended with little damage. But several attacks in recent months – especially the ones on the Hillel Yaffe Medical Center in Hadera and the CyberServe company – show that the Israeli mantra of “everything will be fine” is no longer true.

We’ve reached the point where lives are being endangered. For instance, a security researcher who examined the database leaked from the gay dating site Atraf estimated that it included a few thousand users who identify as ultra-Orthodox. “I can’t imagine the dread they are definitely feeling right now,” he said.

The delicate situation they are in now didn’t magically appear. It’s the monstrous offspring of a union between negligence at every possible level, foot-dragging by the authorities and a lack of appropriate legal infrastructure.

Various Justice Ministry officials have issued statements over the past week about the steps being taken to reduce the damage done by the leak. The prosecution’s cyber department said it had asked Google to have its search engine block access to the Black Shadow group’s websites, and that Telegram had removed two of the group’s channels as well. On Thursday, it obtained an injunction ordering internet service providers to block all the group’s sites.

But none of these actions actually change anything.

Perhaps Telegram will block more channels. But since that statement was issued last Tuesday, Black Shadow’s Telegram channel (which this writer reached through a simple search) has managed to publish several databases, including that of the Mor medical institute. Only Thursday morning, following repeated pleas by the cybersecurity department, was the group’s main Telegram channel no longer reachable through a search.

Google has admittedly removed the website from its search results, but only in Israel. On a search using the Tor browser, the site continued to appear in the search results when using a non-Israeli IP address. VPNs – a simple solution that many Israelis in fact use – also enable users to circumvent this “removal” easily.

And if all this weren’t enough, the site itself can still be accessed from search results; Google’s search engine is happy to help even users with Israeli IP addresses link to it directly. When I typed the words “black shadow” in the search window, the search engine suggested that I search for “black shadow Atraf.” I accepted that suggestion, and the link to the website was the fifth result on the list. Again, only on Thursday morning was the result for “Atraf” no longer available.

The court order demands that ISPs institute a DNS block, but the order applies only to ISPs in Israel. Analyst Ran Bar-Zik has written repeatedly in Haaretz about how easy it is to get around this kind of block. Many users have already implemented such bypasses (by changing a few simple settings in their browser) because of ZIRA, a consortium of media companies that works to stop copyright infringement on the internet, and its success in blocking file-sharing sites.

The Justice Ministry’s cyber department isn’t the only government body taking action following the Atraf hack. The ministry announced that its Privacy Protection Authority “opened an investigation a few days ago against the company that hosts the site on suspicion of negligence in securing the information prior to the attack.”

The authority has barred the company from putting the site back online and will continue to do so “until further notice,” the ministry statement continued. It has also demanded that the company personally notify everyone whose information has leaked or might yet leak, tell them what information has leaked and advise them on what steps to take.

The tone of the statement was fairly firm. But it’s hard to avoid asking whether this firmness isn’t two years overdue. That’s because the Privacy Protection Authority received a complaint about security breaches in Atraf’s site two years ago, but failed to open any investigation against the company or take any other action.

“In 2019, the authority received a complaint about information security at a website hosted by the company, following which a localized examination was conducted and information security problems were discovered,” the ministry said in response to a question from Haaretz. “The authority instructed the company to fix the problems. The company did fix the problems and informed the authority about the steps it took, including putting an updated version of the site online and taking other steps to protect users’ information that were relevant at that time.”

Medical staff working manually after the cyberattack on Hillel Yaffe Medical Center, Hadera, in October. Credit: Amir Levy

“Every complaint received by the authority is examined on its merits, but naturally, not every complaint leads to opening enforcement proceedings, and often, based on various considerations – including the substance of the complaint, the resources needed and the possibility of dealing with it quickly on a case-by-case basis – enforcement proceedings aren’t opened, as happened in the case of the aforementioned complaint,” its response added.

Asked whether it made do with the company’s report on its own actions or had Justice Ministry researchers confirm that the corrections were made, the ministry said, “In cases where an order is given to fix problems in response to a complaint received by the authority that was investigated by professionals, the authority demands that the party investigated provide a detailed report about the problems it fixed and it then examines this report.

“In this case, the company provided details about the way it dealt with the problems to the satisfaction of the information security expert who handled the complaint. The authority conducts checks of reports provided by those it supervises ... in cases where a suspicion arises, despite what the report says, that the law has been broken.”

The ministry also noted that since then, no additional complaints had been received about the site. “On the face of it, there is no connection between the complaint received in 2019 and the security incident that occurred at the CyberServe company a few days ago,” it added.

It is certainly possible that the problem discovered in 2019 was indeed fixed and had nothing to do with the current fiasco. Nevertheless, the ministry’s response provides grounds for suspecting that it makes do with the company’s own report of what steps it took rather than checking for itself that the issue has actually been fixed.

No further complaints? Well, except...

As for the lack of any subsequent complaints, it’s worth noting that in reality, there was no shortage of them. Since 2019, the National Cyber Directorate has informed the company of security breaches in its systems no fewer than six times.

The directorate refused to say what the company did in response to these notifications, but the directorate’s initial press statement following the latest incident includes a hint that it didn’t do much. “Over the last year, the National Cyber Directorate has warned the company several times that it is vulnerable to attack,” the statement said. What is missing is a sentence indicating that the company fixed the problems.

Moreover, the very fact that the directorate refuses to comment on what the company did to fix the problems it pointed out seems to indicate that the company didn’t do much.

One veteran information security researcher said that back in 2019, he informed both the company and the Cyber Directorate that he had discovered “back doors” installed by hackers on CyberServe’s systems. He said he found several web shells – programs that allow remote access to a server – that had been installed eight months previously.

“In other words, the company was wide open,” he said.

The company didn’t implement the Cyber Directorate’s recommendations, he said. “If they had, they would have been able to cope with the attack. But they have no idea how they [the hackers] got in.”

Nothing left but recommendations

The obvious question is why the Cyber Directorate only issued “recommendations,” rather than requiring the company to fix the problems.

And this is where Israel’s shoddy legal infrastructure comes in. The two agencies that are supposed to be in charge of this issue both have very limited powers. Consequently, they have very limited ability to force companies to implement necessary changes.

The Privacy Protection Authority’s mandate only extends to databases. Moreover, its powers derive from the Privacy Protection Act, which doesn’t set any fines for companies from which personal information is leaked.

Nevertheless, according to an internal authority document, it can inspect a company’s systems to ensure that problems were fixed (which, as noted, it doesn’t seem to have done). It can also set conditions for a database’s operation or even deny it an operating license.

Yet the agency doesn’t use these powers much, as was also evident in the case of the Elector voting app. All it did after a massive leak of voter information from that app was state that the company behind the app and the Likud party, which used it, were guilty of a “violation.”

There’s a slight hope that this time, something will happen – not because of the information security problems, but because, according to the researcher who studied the information leaked from Atraf, the hosting company apparently stored some profile information that users had asked it to erase. Under Justice Ministry regulations, that could lead to either a jail sentence or an administrative fine.

What about the Cyber Directorate?

“The directorate is a government body charged with protecting the State of Israel’s national cyberspace from cybersecurity threats,” says the agency’s website. But it doesn’t have the authority to tell companies to fix faults. In fact, in the case of Hillel Yaffe, the directorate isn’t the responsible authority. That is because according to the law, the directorate is responsible for critical infrastructure, and hospitals are not defined as such under the law.

In 2018, the General Data Protection Regulation went into effect in the European Union, which was nothing less than a revolution in protecting the privacy of Europeans. The GDPR is a series of regulations whose whole aim is to give control over people’s data to the people themselves.

Israeli law is far behind. The same year as the GDPR went into effect, a Cybersecurity Law was introduced in the Knesset, but its progress stalled, among other things due to concerns about the wide-ranging powers it would have given the Cyber Directorate. 

Last February, the law was revived – this time in a milder form and as a temporary order that deals more with privacy concerns. Among other things, it authorizes the Cyber Directorate and the Shin Bet security service to gather protected private data for national security purposes, if collecting it is permitted under the law or approved by the courts.

As an article by Dr. Tehilla Shwartz Altshuler in TheMarker last month noted: “The National Cyber Directorate was established as a security body, Shin Bet II, to defend critical national infrastructure. Its boss is the prime minister and it isn’t subject to the Freedom of Information Law. When a security agency has broad powers to enter private computer systems, that should raise alarms. Beyond that, when a classified body like this has the power to decide, for example, when private companies can notify customers of cybersecurity attacks, that raises concerns that officials won’t be thinking about the interests of consumers first and foremost.”

Even if officials are taking the interests of both consumers and the state into account, that doesn’t solve all the problems. As attorney Haim Ravia noted in an article in Law.co.il, the law itself – with a court’s permission – provides an opening for it to be applied in situations far removed from cybersecurity.

When it is done without transparency, even an agency like the National Cyber Directorate, which is truly trying to improve Israel’s cybersecurity, can’t promise that it won’t use the law improperly. The history of the last few years shows that when there is nothing to stop the government, even a narrow opening can become a wide chasm, a slippery slope, of privacy violations.

Asked about what it has done in regards to a series of security breaches it has reported since 2019 to the Privacy Protection Authority, independent researchers and the Cyber Directorate, CyberServe declined to answer by press time.
