This Israeli Dropout Is on the Front Lines Against Iran

In the war waged by Iranian hackers against Israel, Omri Segev Moyal's Profero is on the front lines. Credit: Ofer Vaknin
Amitai Ziv

The wave of attacks over the last year provided much work for defensive cyber companies like Profero Cyber Security, founded by Omri Segev Moyal and Guy Barnhart-Magen. “Right now, as we’re talking, we’re handling six incidents at once, some of them small, the others big. One of them is a ransomware attack, while another is a classic deception of a CEO by email, which led to the theft of $100,000,” says Segev Moyal.

In an interview, Segev Moyal points to several factors that link these attacks - usually but perhaps erroneously considered to be criminal and not political - to Iranians. “When we analyzed the logs [a computer’s activity record] of one of these attacks, we saw that they were looking for specific documents on the [victim’s] server, for infrastructure or secret military projects. In some cases, we saw that the hacker opened a document, waited for two hours, and then closed it. We think that they were waiting for someone who could read Hebrew.”

Further proof that these attacks were not actually aimed at collecting a ransom, says Segev Moyal, is the amount of public attention the hackers tried to draw to their break-ins. This is not typical of ordinary cybercrime ransom attacks, in which the extortionist and the victim both have an interest in ending the incident quickly and quietly.

A ransom note from an Iranian cyber gang that focuses on ransom attacks and has hit at least 80 Israeli firms. Credit: Check Point

The Iranians try to embarrass Israel by spreading the news, he says. “There were cases in which journalists knew about an attack before the victim found out,” says Segev Moyal.

The Iranians attack through several groups – Black Shadow, which specializes in stealing information and releasing it on Telegram channels it created; Pay2Key, which specializes in ransomware viruses; and Networm, which apparently is a new version of Pay2Key. 

“We’re at war with Iran, and you can’t call it a shadow war anymore,” says Segev Moyal. “It’s open warfare. It includes assassinations of key figures, but most of it occurs in the cyber arena.”

Are we losing this war?

“They have had many successes, not necessarily technical ones, but in marketing, in public relations. It’s commonly said that anyone can create a serious cyberattack today. That’s not true. You need a powerful state with technological abilities behind you, infrastructure and organizational military capabilities. 

Negotiations between Israel's Shirbit insurance and the hackers that stole its data

Hamas, with three hackers working in some hole, can’t topple Israel. The Iranians would like to disable an entire country, and they’ve had some successes. Are they saving special capabilities for a doomsday scenario? Perhaps.”

What’s the big secret? How many Iranian attacks have there been so far?

“So far, there have been 32 publicized attacks in the last year and a half. These are attacks that were revealed on the websites of cyberattack groups or ones that came to the attention of the media. I count the attack on Amital Data as a single incident, even though 40 companies were affected.”

Sending victims an invoice

Profero, founded last year by Segev Moyal and Guy Barnhart-Magen, is what is called an incident response (IR) company, something akin to a rapid-response team in the cybersecurity world. By the time they’re called in, the victim has already been hit, sometimes accompanied by a demand for ransom. “We do only that. We’re not a consulting firm or one that sells products,” explains Segev Moyal. “That way, we don’t find ourselves in a conflict-of-interest situation. Our job is to enable a company to come out of a crisis in the best manner possible.”

There are quite a few cybersecurity companies out there, including ones such as OP Innovate, Clearsky and Konfidas. Such companies reportedly charge between $150 and $800 an hour per person for the services they provide. “The price in a big incident can reach hundreds of thousands of dollars,” says Segev Moyal. “But this is negligible, compared to the cost of a company being paralyzed and the harm to its brand and reputation.”

So, is your briefcase always full of equipment?

“Always, even the one I’m carrying now, although most incidents can be handled remotely. The company has no office. You can’t work remotely if it’s not part of your daily activities. The company employs people in New Zealand, Singapore, Colombia and other countries. At any given moment, there are six people available to tackle an incident. It’s faster and more effective than flying someone out, but in some extreme cases we do have to get to the customer.” 

Networm may actually be Pay2Key, a group of allegedly Iranian hackers involved in an attack on over 80 Israeli firms a few months ago. Credit: Screen capture

For competitive reasons, Segev Moyal prefers not to reveal the exact number of people he employs, but it is believed to be more than 20.

Do most attacks come from Iran?

“Most of them don’t. What we hear in the media relates mainly to Iran. The coronavirus pandemic generated a significant increase in cybercrime since people couldn’t go out, and there was hardly any physical crime. Why should I break into a store if I can simply send someone an email and tell them I saw them surfing on a pornography site?

“The cyberattack axis of evil – Russia, Ukraine and North Korea – encourages cyberhacking companies working from their territory. Even China, which once only engaged in data theft, has expanded to economic crimes. In these countries, it contributes to the local economy since the money goes into the pockets of individuals and companies, who sometimes even pay taxes on it, while slowing down the West.”

Is the handling of these cases different?

“Totally. In one case where the attacker was the Pay2Key group, the customer had already made the first payment, but then we analyzed the address of the Bitcoin purse the attackers had provided for paying the ransom, and we realized it was coming from Iran. We told the customer to stop, that this was money going to a foreign country that might be financing hostile activities.”

And when it’s a criminal incident?

“We check that it’s not part of a campaign by a foreign government and that there wasn’t substantial damage to business and that no information leaked out that required disclosure. If so, the company often decides to pay, with no one finding out about the incident. Chris Kyle, who wrote the book American Sniper, said that ‘despite what your momma told ya, violence does solve problems.’ So, in contrast to what people tell you, paying ransom sometimes solves the problem. In some cases, we ‘laundered’ the attacker. The company paid up and the attacker sent an invoice as if it had done a cyber-related consulting job.”

What’s the highest ransom ever paid by a company you worked with? 

“It was $12 million, but there are other cases out there in which much higher amounts were paid. Several sources claim that the Israeli company Tower paid over $10 million in a ransomware attack last year, in addition to the massive cost of having its assembly lines halted at a particularly busy time of the year.”

Cyber-hygiene

Segev Moyal admits that he’s a strange bird in the cyberworld, and he’s probably right. “I don’t have 12 years of schooling and I wasn’t in a tech unit in the army.” He grew up in the Haifa suburb of Nesher. He was introduced to computers by his grandfather, a retired worker at the Nesher cement factory. 

Omri Segev Moyal is working to protect Israel's digital home front: ‘We’re at war with Iran, and you can’t call it a shadow war anymore.’ Credit: Ofer Vaknin

“At the age of 70, he decided that this was the next thing.” He bought a computer and started learning programming and teaching his grandchildren at the same time. “He bought me a computer against the wishes of my father, who was a battalion commander in the army and didn’t understand why I needed one.”

When Segev Moyal’s computer was infected with a virus, he learned how to fix it himself, starting his long romance with the cyber world. “While still in the army I got special permission and started working in this area.” After the army, he went on a trip to New Zealand. “In New Zealand, it’s easy to get into university after the age of 21, and when I was there, there was a big earthquake and all the foreign students dropped out. I started studying computers and even received a scholarship. I didn’t graduate – it seemed like a waste of time.”

Later in his career, like many people in this field, Segev Moyal set up a product-oriented company called Minerva Labs, which still exists. After five years he felt that the market needed something else. “In 2019, I sat down with Guy Barnhart-Magen, who was at Intel at the time, and we recognized that there was a problem in that companies didn’t have the technology or people to deal with cyberattacks. We decided to set up a company devoted to such incidents.”

A few days ago, Segev Moyal revealed some critical information that had only been known to insiders: in a large share of the attacks over the previous 18 months – something like half – the vulnerability the hackers had been exploiting was in a product from Fortinet, a company whose devices are very popular in Israel both as a relatively low-cost firewall and as a virtual private network (VPN) gateway. “A well-known weakness in Fortinet's device was the No. 1 cause of the Iran-backed attacks on Israel that you’ve heard about,” Segev Moyal tweeted.

Isn’t it ironic that a device that is supposed to protect networks ended up being the source of a security breach? 

“It’s terrible. These devices, most of which, by the way, are made by medium-sized companies, not first-string players, are very problematic. They give you a sense of security, but it is very difficult to work with a complicated set of rules and lots of vulnerabilities.”  

Doesn’t it seem a little anachronistic to be using a physical device when today there are so many cloud-based solutions, such as Zscaler?

“Completely. Using a VPN device today is like buying a horse-drawn carriage. We recommend Zscaler, Cloudflare or any other cloud solution to organizations.”

Segev Moyal lists a series of cybersecurity failures. First, the use of outdated solutions. Second, and more serious, the vulnerabilities in Fortinet products through which Iranian hackers have been known since about 2019 to penetrate networks. If organizations updated their hardware to the latest versions and changed passwords frequently, hackers would have a much harder time. But organizations don’t do it and leave the door wide open to attacks, he explains.

Some of the information shared by Black Shadow on Telegram. Credit: Screenshot/Telegram

“To be honest, updating a firewall isn’t an easy matter, because in a small organization where there may be only one standard it means shutting down temporarily. So, I think they need to move to cloud solutions, which by definition is constantly being updated to the latest version.” 

Another thing that has been revealed by the wave of cyberattacks is that most security products, including the best-known ones in the market, aren’t necessarily able to detect attacks and block them. “You'd be surprised, but even many of the EDR [the latest generation of end-user solutions] failed to warn of an attack,” says Segev Moyal.  

‘There’ll be no one left to attack’

So what can you do? Segev Moyal answers with one word: “Hygiene.” 

By the term “cyber-hygiene,” he means a series of Sisyphean operations, such as a complete separation of work environments and networks, procedures for admitting new employees to the network and ensuring they are removed when they leave the organization, regular password updates, permissions and access policies according to employee category, two-factor authentication (e.g., a password and a text message) for accessing sensitive services, encryption of sensitive assets like the main management tool for a big organization's computers, and so on.

“In most medium-sized organizations, the information systems manager has two options,” says Segev Moyal. “The first is to separate networks within the organization, to update systems, to manage passwords and to move applications to the cloud – in other words, doing a lot of hard, thankless work. 

“The second option is to have an experienced salesperson come to the company who will recommend certain cybersecurity products and promise they will solve all your problems. For 100,000 shekels, you’re set. That’s what most managers choose. But the truth is that that option doesn’t stop everything, especially a stubborn attacker. In one incident, we saw the attacker try to penetrate the system 16 times with remote software. Eventually, they succeeded.” 

Who makes the decision at the end of the day?

“There are CEOs that really care about cybersecurity, and they call us directly and consult. But they’re a minority. In a directors course, you learn a lot of things – finance, human resources, law – but they have only recently begun teaching about cybersecurity.”

So, it’s the managers who are to blame?

“Not only them. Compare it to something in the real world. Say that there’s a group of armed Iranians entering a park in Tel Aviv, robbing stores and uploading a video of the whole thing to TikTok. It’s a matter of national importance. If so, then I say take national responsibility for incidents like that. In the case of the attack on the Shirbit computers, for example, the Shin Bet security service or some other government agency should come and say: ‘This is an anti-Israel act and we are going to help.’ But here the company is left to fend for itself. 

The offices of Shirbit, which suffered a major cyberattack, in Netanya, December 12, 2020. Credit: Avishag Shaar-Yashuv

“The U.S. Treasury Department issued a statement in October 2020 prohibiting the paying of ransom to the Lazarus group because it is from North Korea. This made it easier for companies. Why haven’t we seen anything similar about Iranian ransomware groups? In my opinion, if a company is harmed in an incident like this, it should be compensated by the state.”

But we have the National Cyber Directorate. They don’t play this role for Israeli companies?

“In the incidents with which we have been involved, they sometimes do excellent work and sometimes catastrophic work. But my question is what is their goal. Is it a body intended to protect Israel or is it an arm of the Shin Bet? It’s hard to know what they want. They collect information but don’t share it. Are they a technical body? An intelligence organization? It always seems that behind it is some kind of undefined interest, but it’s not the interest of the company that’s been attacked. Sometimes I have the feeling they want to keep the conflict with Iran going but on the backburner. Why does the agency report to the Prime Minister’s Office and not to the Finance Ministry, for example?”

Igal Una, head of the cyber directorate, makes a presentation to the former prime ministers of Israel and Greece, Benjamin Netanyahu and Alexis Tsipras. Credit: Kobi Gideon/GPO

The National Cyber Directorate said in response that, “the directorate has launched a new national program, which combines the capabilities of the government with those of private IR companies to help us contend with attacks. We invite everyone who has not yet joined to take part in the program, take advantage of our rapid information-sharing system and get to know the added value of what we do."

Segev Moyal says he thinks that things will get worse before they get better. “In the last few weeks, we’ve seen the attack on the Colonial Pipeline in the U.S., production stopped at the JBS meat plant and attacks on health care institutions. I think that hackers don’t have a lot of places left to attack, so they’re going to more sensitive places, like security installations, factories and hospitals. 

“Countries will have to recalibrate, as they did when they cooperated to stop money laundering. It will happen when they come to realize that ransomware attacks are harming productivity.”
