Every week, approximately a thousand institutions in Israel are hit with a cyberattack, a constant barrage of computer intrusions. Most are ransomware attacks, and the motive is money.
In 2021, several incidents featured attackers demanding ransom, but their behavior ran counter to typical ransomware heists and suggested that, beneath the surface, they had different goals. They made their demands with extroverted gusto, as if they intended their crime to be a public act. The targets were mainly mid-sized companies such as dating apps and insurers, large enough to cause public concern but not large enough to provoke a response from the Israeli state. Most telling, the groups behind the attacks have been linked, to varying degrees, to Iran.
“I call this a hybrid threat. There are attacks that are considered political-cyber-offensive, which are by states or by non-state actors but with a political agenda,” said Gabi Siboni, the head of the cyber security program at The Jerusalem Institute for Strategy and Security. “And there are cyber criminals. But what you can see is that it’s getting mixed.”
This new generation of ransomware attacks underscores how a new front in the conflict between Iran and Israel is developing. Ostensibly a financial crime, ransomware has become a tool of statecraft whose geopolitical aim is to damage the social bonds of Israeli society and public trust in the country’s institutions, rather than to damage infrastructure or extract a financial bounty.
While the Israeli Cyber Directorate has issued multiple recommendations and warnings about this new “wave of attacks,” the responsibility to protect private computer systems still rests with companies. Geopolitical ransomware exploits a structural vulnerability: by attacking private companies rather than the state, it bypasses state defenses while still damaging the country’s social cohesion.
Last October, in what is called the “Atraf” hack, Black Shadow, a group with links to Iran, hacked into the servers of CyberServe, an Israeli hosting company, accessing websites and applications of the company’s customers.
Among its customers was the LGBTQ dating app Atraf. The application’s databases were not encrypted, making it easier for the hackers to get their hands on very sensitive personal information. Before asking for a ransom, the group dumped tens of thousands of records from the various sites it had penetrated. The leak included a thousand user profiles from Atraf’s customer database disclosing names, sexual orientations, passwords stored in plaintext (neither hashed nor encrypted), locations and HIV status.
The attackers demanded $1 million in exchange for the encryption key and threatened to leak more information.
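The passwords in the leaked Atraf records were readable because the application stored them as they were typed. As an added illustration, not code from the article or from any company named in it, the Python below contrasts that kind of storage with a salted, iterated hash using only the standard library. The record format (`algorithm$iterations$salt$digest`), the function names, the iteration count and the sample users are this example’s own choices, not details from the breach.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# How the leaked table is described: the password column holds the password
# itself, so dumping the table dumps every user's credential. Shown for contrast only.
def store_plaintext(users: dict, username: str, password: str) -> None:
    users[username] = {"username": username, "password": password}

# Hardened alternative: store only a salted, deliberately slow hash.
# PBKDF2-HMAC-SHA256 is in the standard library; 600_000 iterations is the
# order of magnitude OWASP currently recommends for SHA-256 (assumption: tune
# to your hardware; memory-hard schemes such as scrypt or Argon2 are stronger).
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"  # hypothetical record tag chosen for this example


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed or foreign record never verifies
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def store_hashed(users: dict, username: str, password: str,
                 iterations: int = PBKDF2_ITERATIONS) -> None:
    """The password itself is never written to the table."""
    users[username] = {"username": username,
                       "password_hash": hash_password(password, iterations=iterations)}


def users_exposed_by_dump(users: dict, known_password: str) -> list:
    """Simulate an attacker reading the dumped table: which rows contain the password verbatim?"""
    return [name for name, row in users.items() if known_password in row.values()]


if __name__ == "__main__":
    # Constructed sample users, not data from the breach.
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "hunter2")
    store_hashed(hashed, "alice", "hunter2")
    print("exposed by plaintext dump:", users_exposed_by_dump(plain, "hunter2"))
    print("exposed by hashed dump:   ", users_exposed_by_dump(hashed, "hunter2"))
    print("login with right password:", verify_password(hashed["alice"]["password_hash"], "hunter2"))
    print("login with wrong password:", verify_password(hashed["alice"]["password_hash"], "hunter3"))
```

Hashing does not prevent a breach, but it changes what a dump is worth: a plaintext column hands the attacker every credential at once, whereas a salted, slow hash forces a per-user guessing attack and removes the reuse risk for users who share passwords across sites. Encrypting the database at rest, which the article notes Atraf had not done, protects against a different failure (theft of the storage) and should be applied in addition, not instead.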
Ransomware’s parallels with disinformation are striking. While the most high-profile ransomware attacks hit the U.S., U.K., and Europe, the vast majority of attacks occur in countries facing political instability, such as in Latin America and Africa.
Many digital hostage-taking organizations originate from the same hotbeds where disinformation campaigns are generated, like Russia, Ukraine, North Korea, and the Philippines. Ransomware travels the same political divisions as disinformation campaigns, trafficking in the exploitation of economic inequality, fear of immigrants, and racial resentments to undermine public trust in institutions and belief in social stability.
Where disinformation uses noise and incoherence to sow doubt and spread division, ransomware does something similar: it, too, is an agent of chaos. It may look like just a way to make a crypto-buck, but its effects, very often intentional, are much more profound.
The CyberServe hack bore little resemblance to a classic ransom attack. Everything was very public. The group used Telegram and RaidForum for its announcements instead of establishing direct communication with the company. Typically, financially motivated actors seek private negotiations, but the Telegram groups run by Black Shadow looked like a public campaign, complete with drop countdowns and cheery messages.
“The nature of this wave of attacks is actually to seed fear and a sense of terror in the Israeli people by attacking high-profile targets or ones that can generate enough media attention,” said Lotem Finkelsteen of Check Point, a cybersecurity company. This explains the public behavior of the attackers. “They put more focus on echoing the attack, embarrassing the victim and developing expectations in the Twitter/Telegram followers than getting a financial payment.”
Iran and Israel are bitter foes. After the state of Israel came into existence in 1948, Iran was the second Muslim-majority country to recognize it as a sovereign state. Iran withdrew that recognition after its 1979 revolution and regularly threatens Israel with total annihilation. The cyber realm often reflects real-world tensions, and once high tech entered daily life the two foes quickly picked up cyber weapons.
The countries’ long-running cyber conflict has taken many turns but until recently, the tit-for-tat hacks have mainly concentrated on military infrastructure. This is changing. Both parties are increasingly targeting civilian infrastructure and private companies. Recent hacks attributed to Israel include attacks on the University of Tehran and on a system that allows millions of Iranians to use government-issued cards to buy fuel at a subsidized price. Iran has gone after Israel’s water. Last April, six facilities were targeted in an attempt to increase the amount of chlorine in the water supply to dangerously high levels.
According to Boaz Dolev, the CEO of cybersecurity company ClearSky, Black Shadow’s previous attack on the Israeli insurance company Shirbit was also confounding. After stealing the company’s data, the attackers wiped it from the servers instead of encrypting it. “This is not something a ransomware group does,” he said. After demanding $1 million in bitcoin, Black Shadow refused to give the company a four-hour extension past its deadline to pay in full.
An Israeli cyber negotiator, who requested anonymity to maintain a nonpublic professional profile, also doubts Black Shadow’s motivation. “I’m not a cyber analyst, I’m a negotiator. What I can identify from the beginning is whether the motivation of the person is political, which means to cause havoc, uncertainty and to undermine public confidence in the system. With Shirbit it was very clear that it was a politically motivated attack rather than financially motivated one.”
The cyber negotiator had recently come across similar fishy attacks on Israeli companies. At one company, he started negotiating with a hacking group called “Pay2Key.” At first, it looked to him like a typical ransom attack, but then he noticed red flags. For example, the group was a previously unknown actor, yet it used unusually aggressive language.
Nevertheless, the company decided to pay the ransom. Pay2Key did not provide a decryptor. In the ransom industry, reputation matters: taking the ransom without handing over the decryption key that lets a company retrieve its data is very bad for repeat business.
After several encounters with unusual ransomware actors, the cyber negotiator began looking more closely into the threat they posed. Technical analysis of the Pay2Key attack by Dolev’s company, ClearSky, estimated “with medium to high confidence” that Pay2Key is a new operation run by an Iranian group called Fox Kitten, an Advanced Persistent Threat (APT), the term for an opaque actor, typically linked to a government, that gains unauthorized access to a computer network and remains undetected there. Pay2Key is believed to have begun a wave of attacks against dozens of Israeli companies in July and August 2020.
The attacks are not limited to Israel. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency recently identified an Advanced Persistent Threat group associated with the Iranian regime engaged in “data exfiltration or encryption, ransomware, and extortion” in the U.S. and Australia.
Yet another group linked to Iran has shown an unusual modus operandi. In June 2021, a group calling itself Deus claimed to have obtained 15 terabytes of data from Voicenter, a call center company. The data belonged not only to Voicenter but also to 8,000 companies that used its services. The hackers posted samples of the information: security camera and webcam footage, photos, ID cards, WhatsApp messages, emails and phone calls.
They used public channels, raised their ransom demands every 12 hours, and announced that the data was for sale even before the negotiation period was over. In this way, Iranian advanced persistent threat groups play a kind of ransomware poker: trying to inflict maximum social and political damage without triggering state retaliation.
Israeli companies are reluctant to acknowledge cyberattacks by Iranian groups precisely because the publicity could generate nervousness and doubt about the strength of Israel’s defensive shell against its powerful enemy. This lack of transparency, however, also creates vulnerability, say Israeli cybersecurity experts. “We still do not have enough information to link these groups to the Iranian government, but even if these direct links exist, the ransom tools used in these attacks are quite conventional and small,” said Einat Myron, a cybersecurity expert in Israel.
“Medium-sized companies can certainly do a better job at protecting against them,” Myron said. “Maybe avoiding playing into foreign actors’ games could be the new motivation for business owners to start taking data protection seriously.” – Rappler.com
Masho Lomashvili is a researcher at Coda Story.
This article has been republished from Coda Story with permission.