'Iranian Attacker Impersonating Russians': Inside Recent Attacks on Israel

‘The operations undertaken by Israel in and against Iran are driving them nuts, and cyberspace is an easy and simple way for them to retaliate’

Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
File photo of an oil tanker after it was attacked at the Gulf of Oman. The shadow war between Israel and Iran that’s taking place on the ground and in cyberspace
File photo of an oil tanker after it was attacked at the Gulf of Oman. The shadow war between Israel and Iran that’s taking place on the ground and in cyberspaceCredit: HANDOUT / REUTERS
Amitai Ziv
Amitai Ziv

The last several days have seen another wave of attacks on Israel’s cyber-homefront. The source, according to experts: Iran. The background: The shadow war between the two countries that’s taking place on the ground in Iran and includes mysterious explosions and assassinations, as well as attacks on ships and in cyberspace. 

On Friday, there were reports of cyberattacks on the logistics company Veritas and on Sunday another on Match Retail, which has the H&M and COS franchises for Israel. The attackers stole a lot of data from the two companies –  some 110 gigabytes of information from Match Retail and about nine gigabytes from Veritas. 

The attacks, undertaken by a new group calling themselves Networm, issued the targeted companies an ultimatum: Pay us hundreds of thousands of dollars, or the data we stole will be released online.

Networm may actually be Pay2Key - a group of allegedly Iranian hackers involved in an attack on over 80 Israel firms a few months agoCredit: Screen capture

However, experts agree that it wasn’t an ordinary case of cyber-ransom aimed at earning the perpetrators money but is designed to embarrass Israel. Shay Pinsker, of the company OP Innovate, explained it this way: “We believe it is an Iranian attacker impersonating a Russian attacker. It seeks to harm Israel through the supply chain.

>> Israel prepares for Iranian cyberattack. But here's the real threat <<

“The attacks began around April 18, apparently for out of political motivations. The attacker asks for a ransom, but on the basis of his wording during the negotiations, it was clear that he wouldn’t decrypt the files. More than that, there’s evidence from the codes that the functions that were used corrupted but didn’t encrypt the data, which supports the idea that this wasn’t a matter of money.” 

Networm hackers claim to have hit H&M Israel and Veritas Logistics as part of new wave of cyberattacks against israelCredit: Screen capture

Pinsker believes that the Networm group is really just a front for the Pay2Key group that targeted some 80 Israeli organizations in the final months of last year. “The current malware is an evolutionary advance on the November version,” he said.

A third cyberattack was made on the nonprofit nursing organization Matav, but it doesn’t appear to have been part of the Iranian campaign against Israel. Still, the attacks that have been made public reveal only part of the overall situation: There are many that have occurred under the radar, and more will happen.

Blast from 2020 

What is happening here? Boaz Dolev, of the cybersecurity company ClearSky, has been following Iranian attacker groups for several years.

“Starting in the middle of last year, there were a number of Iranian campaigns waged against Israel –  one by the Pay2Key group, a second by Black Shadow [the group that was behind the attack on the Israeli insurance company Shirbit] and others that didn’t get publicity but were quite large,” Dolev explained.

Boaz Dolev of ClearSky: These attacks are part and parcel of the much more serious fighting underway between Israel and Iran in other arenas Credit: Lavie Ben Baruch

“The operations [undertaken by Israel] in Iran had driven them nuts, and cyberspace is an easy and simple way for them to retaliate. This is part and parcel of the much more serious fighting underway in other areas. Towards the end of the year, we all worked together –  cybersecurity companies, the cybersecurity establishment and others – and more or less exposed their operating infrastructure –  all of the IP addresses they used for attacks, all their attack tools and domains. Then, all the anti-virus and firewall companies put this into their systems to safeguard them –  it was no longer possible to use these tools.

“The time it took them to recover and set up new infrastructure was about three months. Even in our customer alerts, we wrote that there would be a quiet period in the first quarter and then we would see the start of new operations.” In other words, it took the attackers a few months to renew their mechanisms and re-equip, and now they’ve resumed their activity. “Wonder of wonders, in the last two weeks we’ve seen at least three Iranian groups returning to operations,” said Dolev.

Who are the groups and what are they attacking?

“There’s a group we call Charming Kitten. It mainly attacks university researchers, those researching Iran and others. The second group is Networm, and it mainly attacks logistics companies and supply chains in Israel. We checked their code and 80% of it is identical to what they were using last year.

An alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is photographed on Tuesday, April 20, 2021.Credit: Jon Elswick,AP

“It’s not really a ransom campaign, even if they are engaging in extortion and attempts to get money – rather, it’s a campaign designed to embarrass and deter Israeli companies. They upload information on their site only data from Israeli companies. I don’t know of ransom groups that operate against only one country –  these gangs go to wherever there’s money. It’s the same pattern as Pay2Key in terms of tools and everything. In any case, they have not made any amazing technological breakthroughs.

“The third group is Black Shadow, who we’ve seen have revived their attack mechanism but haven’t yet seen them mount a campaign.”

Lior Frenkel, CEO of the cybersecurity company Waterfall and chairman of the Israeli High-Tech Association’s Cyber Forum, says that to a large degree Israel has left itself exposed, virtually begging for a thief to exploit. “The situation is asymmetrical –  high-level attack tools are available outside and on the other side, our side, large parts of the economy aren’t protected, or protected below a reasonable threshold.

“So, the minute they have the opportunity and the motivation, there are going to be attacks. I hear from companies about an exponential rise in cyberattacks –  it doesn’t make any difference whether the motivation is criminal or terror, or a combination of the two. As long as we don’t enhance our defenses and reach a point that it isn’t so easy to attack and penetrate our systems, the rate of attacks won’t go down.”

David Amit, a founding partner of 10Root, said “the next wave of attacks is just a matter of time, and organizations need to prepare in particular for denial-of-service, data leaks and data loss scenarios. You need to ensure that you have a business-continuity plan and a reliable backup system, to map critical data assets, to make sure the controls that are supposed to protect you are working and, of course, to frequently update your site’s cybersecurity.”

Match Retail said in response: “We’re investigating the incident.”

Matav said: “In recent days, the organization uncovered an information-security incident. The incident didn’t include data leaks from the organization, thanks to the preparedness of our defense, backups and the real-time support that we get from One Security on a regular basis. The incident was addressed immediately and without any harm to the organization’s day-to-day operations.”

Veritas did not comment.

Click the alert icon to follow topics: