The Limited Times


Burglars Without Borders Israel today

2020-12-19T09:16:36.690Z




From Shirbit to Amital - one after another, huge Israeli companies were attacked by hackers • Cyber experts claim: Iran is behind the attacks • The big concern: the corona vaccine system is also in the spotlight • The threat "


Public discussion of the coronavirus vaccines has focused in recent weeks on their effectiveness, the possible dangers to those vaccinated in the short and long term, and the logistics involved in the complex operation - transporting the vaccine, keeping it in the freezer and prioritizing who is vaccinated.

But one area is not talked about: cyber.



Behind the scenes of the huge operation, which is expected to start early next week, there is an extensive effort to protect the vaccine system from cyber attacks.

"There have already been several attempts in the world to disrupt the production and supply processes of vaccines," says Rafael Franco, head of the defensive arm of the national cyber system.

"It's a matter of human life, which requires us to make sure the array is protected. We don't take any risks."



Cyber experts we spoke to this week warn that strong or skilled attackers can succeed in the mission.

It does not require a direct attack on national infrastructure, which is better protected, but rather on a weaker link in the chain: from the supply and delivery companies involved in the operation to the hospitals and health funds.

"I am ready to put my hand in the fire that, if we examine, we will find loopholes in the defense system around quite a few of them, through which it is possible to penetrate and cause damage," said a senior official in one of the largest cyber defense companies in Israel.



The vaccines may be protected, but Israel is far from protected.

The latest attack on the insurance company Shirbit, and later on Amital, which provides software services to companies in the field of logistics, illustrated the enormous damage that can be caused as a result of cyber attacks.

Apart from them, there were attacks on other Israeli companies, which were not published.

While stakeholders try to minimize these events, the answer of all professionals to the three main questions is uniform, and very troubling: yes, Israel is in danger; no, Israel is not protected; and yes, we need to be concerned.



In recent months, Israel has experienced a sharp increase in the volume of cyber attacks at all levels: national, business and private.

There are several reasons for this.

First, everyone works from home and connects to the company systems remotely so they can continue working.

Many companies did not bother to back up the process with proper security, and left an opening that invites a thief.

Sometimes it is enough to use the permissions of an employee who is at home to enter the company's computers, roam them freely and steal or delete information.



Second, the world is increasing its dependence on computers and technological systems.

The potential is endless and very tempting.

The main profit center of criminal organizations has long since moved from drugs, gambling and prostitution to cybercrime.

It is less dangerous and much more profitable.

Countries have also realized this potential and are working to realize it.

The most prominent of these is North Korea, which employs hacker groups (some of them at a very high level), which carry out attacks for ransom purposes.



The third reason is that cyber has no boundaries.

Unlike the old, physical world, the cyber attacker does not have to be present at the scene.

He can sit in a hotel room at a ski resort in Europe or on the beach in the Caribbean, and attack from there.

He will usually demand the money in a virtual currency, usually Bitcoin, so as not to be exposed.



In Israel, there is another, fourth reason that is unique to us - attacks by enemies.

The most prominent player in the field is Iran, which operates, under the Revolutionary Guards and its Ministry of Intelligence, several attack groups under different names.

In the past year, attempts to attack urban water infrastructure were identified, and in the past attempts on additional systems as well.



The last reason for the increase in the number of assaults is also the most disturbing: apathy, or lack of awareness.

For some companies this is due to the "it will not happen to me" approach, and for others it stems from a lack of understanding, or worse, from trying to save money: cyber protection costs money, sometimes a lot of money, and it does not make a profit.



"They just do not internalize the threat," said Eric Barbing ("Harris"), former head of the GSS's cyber division.

Company owners, boards of directors and executives do not understand the magnitude of the danger and do not act accordingly.



"Most executives at companies will come today and ask what the biggest threat is to them - they will talk about hacking, fire, economic depreciation. It is doubtful if anyone will talk about cyberattacks. Managers and directors are on trial for negligence in maintaining the systems and information."



Most companies are content with minimal protection - "guard at the gate".

A basic computer protection system that is incapable of dealing with advanced attacks.

Attackers skip it easily, usually through phishing - an attempt to steal information, by sending an email or SMS, which allows the attacker to take control of the device and perform various actions - from stealing money to other actions under the guise of the original identity holder.



It doesn’t just happen to big companies.

Every law firm or accountant should think about what would happen to him if all the information held on his computers was stolen, deleted, disappeared or encrypted; every company needs to take into account that this is what might happen to its customer base or suppliers; and each of us has to wonder how he will react if all his personal information suddenly disappears from the computer or cell phone.

Most of us will be willing to pay almost any amount to get our information (and privacy) back.

For this reason, most ransom attacks also end in payment: entities prefer to close the affair with minimal damage, and move on.



The victim is faced with three main options: pay and move on, ignore and move on, or contact the authorities.

For the most part, the police will not be able to assist.

The attackers are unknown, their location is unknown, and the investigation could take a long time.

Since most entities cannot afford to ignore and move on, a large portion of them decide to pay.

Sometimes it is accompanied by negotiations with the attackers (even big companies take experts who run this dialogue for them, in an attempt to reduce the amount or limit the damage, as was done in the case of Shirbit), but the result is almost always the same: money paid, and cash.



In Israel, municipalities that were attacked preferred to pay, so that it would not be disclosed that they did not safeguard their citizens' information well enough. There were also office buildings, parking lots or elevators locked for ransom: some paid, others were forced to format entire systems from scratch and to compensate affected customers.



The attackers, by the way, usually make sure to demand reasonable sums that the owners of the company would not hesitate to pay to close the matter. For a small business this could be several thousand dollars or tens of thousands of dollars, and for a very large business, hundreds of thousands. Shirbit would probably have been happy to pay the 50 bitcoin (million dollars) demanded by the attackers so that the affair would be closed quietly and quickly; the image and economic damage caused to it by the publication of the break-in was much greater. At the same time, it will now be required to invest in what it did not do in the first place: properly protecting its computer systems and information.



The attack on Shirbit is probably the largest and most severe that an Israeli company has suffered to date.

Its managers may have tried to play down the scale of the incident, but experts believe its importance cannot be overstated.

"This is an event with the potential for heavy security damage," Barbing says.

"As someone who has been engaged all his life in security, it is clear to me what can be done with such a mountain of information, which falls into the hands of a hostile state."



Intelligence organizations are building files.

Every detail, on every person or subject, is carefully collected and tagged.

Databases like the one stolen from Shirbit are a dream for them.

They have all the details you can ask for: full names, names of relatives, addresses, phones, ID numbers, credit card and bank account numbers, license numbers, and more.



At the low level it allows an attacker to steal information, money or identities.

In Israel, for example, the remotely accepted identification in most systems is two-stage - a full name, followed by the date of issue of the identity card.

Anyone who holds this information can easily impersonate the original person and act on his behalf.



At Shirbit the potential damage is even greater.

In recent years, the company has been insuring all civil servants - including the security bodies.

From here one only has to take people's names, cross-reference them with the stolen databases, and know everything: where a specific person lives, to whom he is married and almost every other detail that will allow an attacker to close the circle.

In an era where Iran is seeking revenge for the elimination of its nuclear projector, such a pool makes its life much easier to hit an Israeli target.



Officials at several cyber companies said this week that the national cyber system was trying to downplay the severity of this attack.

"They are behaving as if everything is fine, when everything is very wrong. This is puzzling. Apparently, this is a golden opportunity for the cyber system to turn a table and tighten regulation." 



The criticism also concerns the head of the formation, Yigal Ona, who at the height of the affair flew for four days to a conference in Dubai.

"Would anyone have imagined that the GSS chief would fly abroad in the midst of a mega-terrorist investigation, or that the chief of staff would have flown in the middle of a security incident on the border?" says a senior security official who works closely with the formation. "In the field of cyber in Israel, and the person in charge of the national system traveled from here.

This is unlikely."



In response to the allegations, Rafael Franco, who works under the auspices of Ona, says:

"In the cyber world, geographical location does not matter, and an event can also be held from the other side of the world.

Yigal managed the event and was involved and available for everything."



The investigation into the incident at Shirbit has not yet been completed, but in off-the-record conversations, sources involved in the investigation claim that the BlackShadow group, which identified itself as the perpetrator of the attack, is connected to Iran.

A similar claim is also made in the context of the break-in at Amital.

If this is true, it can be assumed that the information stolen from Shirbit's computers has already been transferred (or sold) to Iran.

This is also the working assumption of the professionals in the cyber system and in other security bodies, which are involved in the investigation.

Quite a few countries, including advanced and enlightened ones, work with attack groups so as not to get their hands dirty in illegal actions, and to keep evidence away from themselves in case things get complicated.



Shirbit has an interest in this being the conclusion of the official investigation.

Thus, it can claim that this is a national security event, and that it was attacked as an affiliate of the State of Israel, so that the responsibility - also on the side of the damage and its financial derivatives - should apply to the state, and not to it.

This is of considerable importance in its efforts to defend itself against the sequence of class actions that have already been filed against it.



"I doubt such a claim would help them," Barbing says.

"Anyone who is familiar with the affair knows that there is a long list of omissions here. I estimate that the information stolen in this incident is much larger and more significant than what was published."



Shirbit is subject to the Information Security Regulation of the Capital Market, Insurance and Savings Authority, as well as to the privacy regulations of the Privacy Protection Authority.

It is the national cyber system that dictates the regulation, which is carried out through the authority, similar to the situation in banks.

However, the banks voluntarily imposed strict conditions on themselves several years ago, including the appointment of professionals and the purchase of a variety of protection software.

In the case of Shirbit, it seems that not all the necessary steps have been taken.



Einat Miron, an expert in preparing for and dealing with cyber incidents at business events, who analyzed the Shirbit event in all its aspects, defines it as "the remedy affair of the cyber world."

She enumerates a long list of failures on the part of the company.

The attack itself was carried out through a known security vulnerability, which was also used to attack other companies; the national cyber system warned of it as early as 2019.

The vulnerability is in a solution that allows the company's employees to connect from a remote workstation or a mobile device; the attackers identified a weakness in it and through it penetrated the company's computers.

Known software updates (patches) exist for this vulnerability, but they were not applied or addressed as required.



The attackers were on the company's computers for a long time; some estimate two months or more.

During this time they stole vast amounts of information.

According to Miron, this brings to the surface Shirbit's problem with monitoring events.

Large companies tend to use command and control centers to monitor information security incidents, or as they are known in professional language, a SOC (Security Operations Center).



But Shirbit hired services from a SOC that operated only during the work week, not on weekends. "This is a particularly puzzling decision. It is known to all those involved in the field that weekends and holidays, when companies work with small teams, if at all, are the ideal days to carry out attacks.



"Moreover, the service for which the company paid included only monitoring capabilities, without the ability to perform remote assistance and support. Such a decision is, in itself, alleged evidence that the company management has chosen mainly to show the regulator which realized a prompt, nothing more."



Miron suggests that Shirbit chose a part-time manager of information security with no background or experience fit for an insurance company. "According to the profile on LinkedIn own, it is Bmfth Android completing a course information security College HackerU," she says. Miron also attacked the conduct of the company's management Htksortit-tziborit: no communication with customers, apart from an SMS message and a response that was distributed to the media. "There was no experienced professional to handle this kind of crisis management."



It seems that in one issue Shirbit acted correctly: in its decision not to pay a ransom.

Not because of pride or to save money, but because the information has already been stolen, and probably also passed on.

In any case, the fear was that the attackers would remain in the company's systems and carry out a "rolling ransom" - they would extort more and more money from the company.

Therefore, on the advice of the cyber system, the company decided not to pay, and invested most of its efforts in rehabilitating the systems and the information that was in them.



Security experts at civilian cyber companies agree that basic actions could have prevented the incident at Shirbit.

"It was a not very sophisticated attack, exploiting vulnerabilities in products and a security system that is not one of the best we have seen," says Lior Dib, CEO of Cyberizen, which protects endpoints in organizations and performs detection, prevention and neutralization of cyber attacks. A small treasure.

"In the past," Dib says, "the approach was to block as much as possible. Build fences, hoping the attacker would not be able to cross them. Today, the approach is different: the basic working assumption is that the attacker will be able to infiltrate. Hermetic immunity from attack.



"The way to deal with this is to identify the attacker as quickly as possible and flip him out.

This is exactly what did not happen at Shirbit.

From the moment the attacker entered, he stayed on the computers for as long as he wanted."



He said, "The situation in Israel is very bad.

A great many companies, including large ones, are defending themselves the old way, just like Shirbit.

Many companies do not know how to defend themselves or do not take the matter seriously enough."



Matan Lieberman, one of the founders of Sampris and its operations manager in Israel, believes that a company should not ask itself if it will be breached, but when. "There are three steps to take: first, to prevent an attack - constantly monitor the computer networks.

The second, during the attack - to know how to identify it, stop it and minimize damage.

And the third, after the attack - to rehabilitate the system quickly, making sure it is clean and reliable, and that the attacker does not stay in it and continue to operate."



Lieberman warns that companies that do not defend themselves could be severely damaged. This is what happened to Sony, which was attacked by Korean hackers, or to the Mandalay hotel chain in Las Vegas, whose systems were shut down for weeks, and even after they were restored it became clear that the burglar was still inside. "Most companies do not understand where the problem is.

They're just not there.

There are companies that hold information on tens of thousands of Israelis and, at best, employ a person in charge of cyber along with ten other areas of responsibility.

It's not serious.

The regulation towards various bodies, such as insurance companies, is not always clear enough, and regarding smaller companies there is no regulation at all."

"I would bet that in any company, including those that seem to be properly secured, there are quite a few employees who are authorized to perform actions they are not supposed to do, or are exposed to information they should not see," says Eric Barbing. "An attacker could use it as an easy door into the system."



Lieberman also points to the need for greater transparency on the part of the companies that were attacked, not only for the public, but also to raise awareness. He cites as an example the Danish shipping giant Maersk, where a cyber attack caused enormous financial and operational damage. "The CEO slept in his office for 72 days in a row until they overcame the crisis. But they made sure to publish all the details of the incident, in full transparency."



In Israel, the situation is different.

Most of the companies that have been attacked try to hide this.

Shirbit's media conduct during the event was also amateurish, and certainly did not help increase confidence in it and its moves.

Some sources interviewed for the article also wondered why the state did not make sure in advance, before contracting with it, that there would be strict safeguarding of the information.

Although the start-up nation produces an infinite number of cyber solutions, some of which are world leaders, implementation in the field is lacking, to say the least.

"Our culture is not successful," says Barbing.

"There is no discipline. Whoever waits for the state to save him is wrong. The state is heavy and slow, and by the time it moves, the damage may already be done. Companies and managers must understand that they must take care of themselves, because no one will do it for them."



Nadav Avital, head of the research group at the information security company Imperva, also warns against the low awareness in the companies, as expressed in the Shirbit event.

"The information security situation in the country is not alarming, to say the least. Cyber is not a top priority for executives because it costs money and does not make money. Even companies that defend themselves do it just to mark V, and it is not worth much.



"There is a gap between the relatively high regulation on information security in supervised organizations and other companies in the economy, including those that collect sensitive and personal information about us, which are not supervised at all.

"We are not talking here about Yossi's grocery store on the edge of the neighborhood, but about a large, governmental body, which was simply not high on its list of priorities."



Imperva warns of a significant increase in cyber attacks in recent months and attempts to reach sensitive information. In the US there has been a recent wave of attacks on government ministries and giant companies (including security companies), some by foreign entities.

In one of the attacks, on the software security company FireEye, attack tools were stolen through which intrusions were carried out on the company's customers, including huge bodies.

The decision to attack this company - just like Amital - is due to the ability to reach many other companies through it, since it holds the entrance ticket to their systems.

"Instead of attacking a specific company, you are attacking a supply chain company," explains Lior Dib.



Dib divides the attacks into three main groups.

The first is automatic attacks by hackers, who are constantly looking for vulnerabilities through which systems can be infiltrated, especially for ransom purposes.

The second - attacks by attack groups, which use sophisticated methods to attack larger bodies, also for ransom purposes.

And the third - attacks by countries, for which cyber is a tool for gathering intelligence, implanting tools in systems and harming the enemy.



Last week, Cyberzen uncovered a Hamas-linked group of attackers, known as Gaza Cybergang.

The attacks were aimed at senior officials in Saudi Arabia, the Emirates, Egypt and the Palestinian Authority, whose language is to download malware using phishing tools.

The attackers infiltrated the victims' social networks, such as Facebook, Google Drive and Dropbox, and tried to gather sensitive information - including about the secret meeting that Prime Minister Netanyahu had about two weeks ago with Saudi Crown Prince Ben Salman in the Saudi coastal city of Ni'um.



Although Hamas is very active in the field, it is the Iranians who are particularly active in the Israeli space.

In the US these are the Russians and the Chinese, and around the world also the North Koreans. "If in the past the attitude was to pay a ransom because there is nothing to do against it, today there are quite a few ways to deal with it," says Dib.

"What is missing is an understanding of the threat in advance, and not in retrospect."



The common concern for all experts is that now, following Shirbit's incident, attack groups will also understand that Israel, and its key companies, are less protected than they thought. According to Nadav Avital, "I'm afraid this is the beginning of a trend."



Shirbit commented:

"Shirbit invested millions of shekels in the field of protection of cyberspace and complies with all regulations and is subject to regulation, so in terms of managing databases. The company was subject to periodic review by the Capital Market Authority.



"Shirbit has managed the event since its inception through leading experts in the field of cyber and crisis management. From the moment the incident was monitored, the company and its cyber experts have worked in cooperation with the National Cyber Network, the Israel Police and other government agencies. The information that leaked following the hostile cyber attack affected about 500 of the company's customers; contact was initiated with each of them, and the company's representatives assisted them as needed.



"Shirbit returned to full activity with additional protection for its systems, which meet the most stringent international standards.

The computer systems and databases were upgraded with additional layers of control and monitoring, as was the company's website, which went live earlier this week."


"The public can sleep peacefully"

"We are recognizing a global upward trend in cyberattacks," said Rafael Franco, head of the defensive arm of the national cyber system.

"Only in the last three months have we seen attacks on the US Treasury, DHS, information security company FireEye, the second largest software company in Germany AG - and these are just the big ones. Not everything revolves around us, we are part of a worrying trend of attacking government institutions, financial institutions and supply chains and security.



"Shirbit's event is not pleasant, but in risk management at the national level, it should be taken in proportion.

Have vital infrastructures been damaged?

No.

Was human life in danger?

No.

Has essential service been discontinued?

No.

In the context of a country, this is an attack at level 4. Above it there is damage to critical infrastructure such as electricity, water and gas at the top level, and below that are the integration companies of information technology (IT), and banks and hospitals."



The cyber system has identified a sharp increase in attempted attacks in the past year.

"We prevented hundreds of incidents this year. There were at least three incidents like that of Amital - an attack on companies involved in the supply chain - and they were halted."



Is there no damage from the Amital event?



"We are not currently identifying any damage. There is a lot of fog and smoke. We published the event on our own initiative to be transparent and efficient."



And in the Shirbit event?



"This incident is still under investigation. It is not over in an instant. It is like a GSS investigation, which can take weeks and months, until we reach a full crack."



What was the motive?



"Financial, but also malicious.

Sow panic.

The attackers also gain insider trading and the fact that advertising leads to the pressure of customers on the company to which you pay."



Is Iran behind BlackShadow?



"You cannot know for sure if there is a state agency, and we know, I do not want to deal with it."



There are serious allegations that Shirbit was negligent and did not do its duty; that you issued a warning last year about the weakness, and they did not do what was required to close it.



"As mentioned, we are still under investigation, but this incident must not be disconnected from the wider context.

It's an unpleasant privacy event, but what's important right now is to help Shirbit overcome it and get back to business as soon as possible, while at the same time vaccinating other insurance companies, to ensure they are not harmed.

In recent attacks there has been no technological sophistication."



The way you work, of issuing guidelines through regulators, is the right way?



"We work through regulators because we do not know the specific culture and language, in this case of the capital market.

We give them the picture, the intelligence, the threats, and they issue the guidelines.

In this case, too, appropriate guidelines have been issued."



Franco says that in 2020 alone, the cyber system issued 290 warnings of various cyber threats. "This is a dramatic amount, which indicates the magnitude of the threat, and these are only the most serious warnings.

We manage risks here and try to spread the warnings quickly and with maximum transparency.

There is a competition for who is faster: the attacker who realized a weakness that was published, or the defender who closed it."

The cyber system predicts that next year there will be a further increase in the scope and severity of the attacks. "Hackers can do great damage.

Our job is to identify the threat and pass it on as quickly as possible to companies and citizens, but companies and boards also have responsibilities.

We are not protecting the entire economy, but only the systems that are critical to the functioning of the state.

I would like them to listen a little more to our warnings.

The state can be an iron dome, but it cannot replace the guard in the building."



Franco opposes the imposition of regulation on the entire economy. "Israel is not a totalitarian state, and we are not the big brother.

Our main role is to protect the critical infrastructure in Israel from the threat of states.

This is our reference scenario, and we are working against it 24/7."



And is Israel protected from it?



"Iran is currently unable to harm the vital or critical infrastructure of the State of Israel through cyber.

The public can sleep soundly."

Source: israelhayom
