Iran Suspected After Massive Cyberattack on Israeli Firms Revealed

Iran is suspected of being behind a massive attack last month that saw up to 40 Israeli companies hacked; an Intel-owned Israeli firm was also hit in a complex attack linked to Iranians

Amitai Ziv

Iranian President Hassan Rouhani gives a virtual speech. Is Iran behind a recent string of cyber attacks on Israel? Credit: Tiffany Hagler-Geard - Bloomberg

At least 40 Israeli companies were affected by a cyberattack very likely from Iran, after Amital Data, which sells software to logistics companies, was targeted by hackers.

News of the hack and subsequent data leak from firms using Amital Data's Unifreight software was revealed in a filing to Israel’s stock exchange by Amital's stockholder Orian.

Meanwhile, a hacking team called Pay2Key, which in the past was linked back to Iran, made a public statement regarding an attack it launched in September against yet another Israeli firm – Habana Labs, which is owned by Intel and provides AI solutions. The hackers said they had full control over the Israeli company’s system, including access to sensitive data.

‘40 firms hit’

Regarding the Amital attack, the current assessment is that in the attack on the company and those using its software, a massive trove of information was stolen, though it is still unclear which information was taken. Amital’s website is not live currently and in addition to Israel’s cyber authority, the private cyber firm Comsec is consulting the company as it reels from the attack.

Amital said that “two weeks ago we identified offensive attacks against our systems and clients’ computers. The incident is just one link in a chain of incidents taking place simultaneously at the national level that are being followed closely by the cyber authority. As is our protocol, our defenses are now being bolstered and a special situation room was set up to address any issue that arises. The firm is using cyber experts to contain the incident and at this point the damage seems localized."

Two weeks ago, Shirbit, a prominent insurance company, was targeted in an attack that the cyber authority described as a form of “extortion” but that others said was driven more by ideology than by money.

Orian told Israel’s stock exchange that “last week we received a warning from one of our software suppliers (Amital) that it had been involved in a cyber event and that information stored on one of our servers was leaked alongside that of 40 other companies.”

“The leak was closed within a number of hours and after an investigation which included Amital we have an assessment about which information was leaked. However, we cannot confirm for certain the identity of the leaked information. Orian is working with Israel’s cyber authority and will continue to bolster its cyber defenses and prevent such incidents from happening in the future,” it told the stock exchange.

This type of attack is termed a “supply chain attack”: instead of breaching a company directly, the attacker reaches its sensitive information indirectly, through external software provided by its suppliers. Software providers are usually the main target of such attacks, because one compromised supplier gives access to every customer that runs its product, and this “attack vector,” as cybersecurity researchers call it, is very hard to defend against.

The attack against Amital's Unifreight program is not considered a ransom or extortion attack attributed to criminals, but rather it is being treated as a state-run operation, with Iran being the main suspect.

A slide from a Check Point report on how bitcoin from a ransomware attack eventually made its way to Iran.Credit: Check Point

Cybercrime or Iranian op?

Last month, Check Point, Israel’s most famous online security firm, revealed an extortion attack targeting Israeli firms that was linked back to Iran, or at least Iranians. That attack, known as Pay2Key, targeted Habana Labs, which is owned by Intel and develops processors for AI.

On Sunday, the hackers revealed some of the data they stole, publishing on their Twitter what seems to be images from the firm’s internal system, revealing data which if true would be precious to the organization, as part of their attempt to extort the company. Additional data was leaked onto the darknet.

“Based on what we’ve seen in the past few hours, the attacker claims they have ‘domain control’ - or the ability to control their victim’s network,” says Dean Bar, a partner in the superintelligence firm HackersEye.

“The information the hackers claim they have included internal documents, file and router names, and a whole lot of original code, including that which is the company’s actual product and developments. For example, the hackers claim they have thousands of original files regarding a product called Goya, including the design of one of the processors Habana Labs is developing.”

Haaretz has reported in recent weeks on a number of cyber attacks and on the increasing spillover of techniques used by cyber criminals into the state-level offensive cyber arena. Regarding Pay2Key, Lotem Finkelstein, head of cyberintelligence at Check Point, told Haaretz’s Omer Benjakob that “ransomware is immediately associated with cybercrime and money, and rightly so. However, ransomware serves more motivations rather than solely financial gains.

“We have seen, for example, hacktivists using ransomware to carry specific messages to the targeted organization, or to serve a certain idea,” he says. “This was the case with the Pay2Key ransomware, where an unknown Iranian group of hackers attacked mainly Israeli companies with cutting-edge ransomware. While doing everything they could to collect the ransom, the geopolitical characteristics [of the attack] also suggest the hackers were also ideologically driven.”

By following the money paid to the cybercriminals, Check Point’s research department managed to track the bitcoin paid by other victims of the Pay2Key attack back to Iran. “We followed the sequence of transactions, which began with the deposit of the ransom and ended at what appeared to be an Iranian cryptocurrency exchange named Excoino,” the company said in its report.

“Excoino is an Iranian company that provides secure cryptocurrency transaction services for Iranian citizens,” the original Check Point report added. The site requires a valid Iranian ID card to be able to transfer funds, indicating that at minimum these attacks involved Iranian nationals at some level. The firm said they suspected that Iranian hackers with very advanced skills were behind the attacks.
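The "follow the money" technique described in the two paragraphs above amounts to walking a transaction graph forward from the ransom deposit until the funds land at an address already attributed to a service such as an exchange. The following Python is an added illustration of that walk, not code from the Check Point report or the article; the ledger, addresses, amounts and the exchange label are all constructed and hypothetical. It also applies the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner), which is how analysts group hop addresses into a single wallet; the caveat a practitioner should keep in mind is that this heuristic is defeated by mixing transactions, and that naming an exchange still requires independently attributed deposit addresses.

```python
"""Trace ransom funds through a constructed transaction graph (added example)."""
from collections import deque

# Constructed sample ledger (hypothetical): the ransom lands in addr_R, is split,
# re-consolidated, and finally sent to an address we have attributed to an exchange.
# Each entry lists the addresses being spent from and the outputs paid out.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_wallet"], "outputs": {"addr_R": 7.0}},
    {"txid": "tx2", "inputs": ["addr_R"], "outputs": {"addr_A": 4.0, "addr_B": 2.99}},
    {"txid": "tx3", "inputs": ["addr_A", "addr_B"], "outputs": {"addr_C": 6.98}},
    {"txid": "tx4", "inputs": ["addr_C"], "outputs": {"exch_deposit_1": 6.97}},
    {"txid": "tx5", "inputs": ["unrelated"], "outputs": {"addr_Z": 1.0}},
]

# Hypothetical attribution table: deposit addresses known (e.g. from a test
# deposit) to belong to a named service. In real work this comes from outside
# the chain data; the chain itself never labels an address.
KNOWN_EXCHANGE_DEPOSITS = {"exch_deposit_1": "ExampleExchange"}


def build_spend_index(ledger):
    """Map each address to the transactions that spend from it."""
    spends = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)
    return spends


def trace_funds(ledger, start_addr, labelled):
    """Breadth-first walk forward from start_addr through spending transactions.

    Returns (label, [txids on the path]) for the first labelled address reached,
    or (None, []) if the funds never reach an attributed address in this ledger.
    """
    spends = build_spend_index(ledger)
    queue = deque([(start_addr, [])])
    seen = {start_addr}
    while queue:
        addr, path = queue.popleft()
        if addr in labelled:
            return labelled[addr], path
        for tx in spends.get(addr, []):
            for out_addr in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [tx["txid"]]))
    return None, []


def cluster_addresses(ledger):
    """Common-input-ownership heuristic via union-find.

    All inputs of one transaction are assumed to be controlled by the same key
    holder, so they are merged into one cluster. Mixing services deliberately
    break this assumption, which is why it is a heuristic and not a proof.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in ledger:
        first = tx["inputs"][0]
        find(first)  # register single-input spenders too
        for other in tx["inputs"][1:]:
            union(first, other)

    clusters = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return {frozenset(c) for c in clusters.values()}


if __name__ == "__main__":
    label, path = trace_funds(LEDGER, "addr_R", KNOWN_EXCHANGE_DEPOSITS)
    print(f"ransom from addr_R reached {label} via {' -> '.join(path)}")
    for cluster in cluster_addresses(LEDGER):
        if len(cluster) > 1:
            print("same-owner cluster:", sorted(cluster))
```

Running the script reports that the hypothetical ransom reaches ExampleExchange via tx2, tx3 and tx4, and that addr_A and addr_B are grouped as one wallet because tx3 spends them together. On a real chain the same walk branches far more widely, so analysts prune by amount and time, and the exchange attribution at the end of the path is only as strong as the evidence behind the labelled address.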
