The constant outsider who the world’s largest companies now pay millions to hack their systems
Reuven Aronashvili, the son of Georgian immigrants to Israel, founded offensive cyber company CYE with the knowledge he acquired at a secret Israeli military unit
When Reuven Aronashvili, founder and CEO of cybersecurity company CYESEC Ltd. (CYE), entered his first class in Linear Algebra at Tel Aviv University (TAU), the lecturer started yelling at him because he thought he was the maintenance guy, there to fix the air conditioning that had been out for weeks.
“Maybe I looked a little different to him,” Aronashvili, the son of two Georgian immigrants to Israel, said in a recent interview with Calcalist. “I had a lot of experiences in my life when people treated me unfairly,” he said, “but I don’t think the right way to go is to whine about it, you can also joke about it. Every time I saw that professor afterward I asked him how the air conditioning was and I ended up getting a perfect score in every one of his classes.”
When he was 16, Aronashvili started teaching teens who did not graduate from high school and were looking to take their final exams. According to him, the students were skeptical when they saw their teacher was a kid who was younger than they were and came from a tough neighborhood in northern Israeli port town Acre. “I find it amusing,” he said, “you get to where people least expect to find your type and you show them.” In the end, his class finished with an average of 96 points out of 100, he said.
Over the years, 36-year-old Aronashvili has felt, again and again, that, at first glance, he does not fit the stereotype of a math student, a teacher, a military officer at an elite technological unit, or an entrepreneur whose startup counts multinational corporations among its clients. And yet, these are the items that make up his resume.
Both his parents are hard-working—his father works at a furniture plant and his mother is a geriatric hospital nurse—and their dream, Aronashvili said, was always that their three kids will not have to work as hard as they did. “This hunger, to achieve, to never settle for what you have, is something that hasn’t left me since I was young,” he said.
Aronashvili was a top pupil and left Acre at 18 to start his bachelor’s degree at TAU as a soldier-student at the Atidim program for underprivileged teens. “The university opened my eyes,” he said, “up until then, my dream was to work for defense contractor Rafael Advanced Defense Systems Ltd., because that was the top job for anyone in Acre. Those who worked there were the ones living in villas and nailing a job there would mean you have made it.”
But then, he said, he learned that one of his teachers made an exit and another one had his own company. That is when he realized his aspirations were higher.
After finishing his BA, Aronashvili was recruited by secret military elite unit Matzov, an abbreviation for the center of encryption and information security in Hebrew.
The most famous Israeli elite military units are Unit 8200—the Israeli equivalent to the NSA—and intelligence technology unit, Unit 81. Veterans from both these units are quick to find jobs in the country’s booming cybersecurity and big data industries. Matzov, which is a part of the military’s Computer Service Directorate, gets a lot less fame and attention, even though it is at the forefront of encryption.
Two of the unit’s better-known veterans are Adam Singolda, co-founder and CEO of online advertising and content discovery company Taboola.com Ltd., and Mickey Boodaei, a veteran cybersecurity entrepreneur with a line of impressive exits under his belt, including Imperva Inc., acquired by Thoma Bravo LLC in 2018, and Trusteer Inc., acquired by IBM in 2013.
Matzov is dedicated to developing encryption and information systems security technologies. The unit is Israel’s highest authority on encryption and cybersecurity and offers its services to all of the country’s security organizations.
In 2005, Aronashvili was assigned to set up Matzov’s red team, tasked with attacking the Israeli military’s computer systems to detect and address vulnerabilities.
“It was like a startup and we had to sell ourselves,” Aronashvili said, “because commanders were not thrilled by the idea of being hacked.” The red team started out by attacking targets within the Computer Service Directorate, before getting the attention of then-Chief of Staff Dan Halutz. Halutz allowed the team to move on to attacking new targets, including the intelligence corps, the navy, and the Israeli Internal Security Service (Shin Bet).
“We were attacking sensitive military systems to detect holes in their security, logistical arrays, and weapon systems,” Aronashvili said. “As an organization and as a state, we learned a great deal about the gap between our offensive and defensive capabilities,” he explained.
During his seven years of military service, Aronashvili also completed a master of science degree in Computer Science as part of a military excellency program.
When he was discharged in 2012, he turned to the business sector. Two years later, Aronashvili founded CYE using the knowledge he accumulated in the military. It is one of few companies that have a license to attack and does so with the explicit consent of companies. Its Israeli competitors include XM Cyber Ltd., founded by former Mossad head Tamir Pardo, and Candiru, which, other than reportedly raising $9 million last month, has remained under the radar for years.
According to Aronashvili, CYE “goes all the way” with its attacks, acting as a real hacker would. The attack is real and not simulated, which means the company can provide a more accurate picture, he explained.
“We won’t show you what a complete shutdown of a manufacturing line looks like because that could cost as much as $150 million,” Aronashvili said, “but we will show you how it can be done. We will get as far as the interface that shuts down the system and we’ll stop there. We show clients that we can steal intellectual property or otherwise secret information and that we can shut down their commercial activity or hack bank accounts.”
When the stakes are extremely high, for example, when it comes to airports, trains, and infrastructure, where an attack could cost lives, CYE goes for a more traditional approach, according to Aronashvili. “Our guiding principle is to find out who can attack the organization, with what tools, and what they can gain through the attack,” he said. “Then, we can rate the levels of risk so that the company would know what it should address most urgently.”
While it may sound risky to willingly let someone hack your systems, Aronashvili said clients prefer to face the reality through CYE as it poses a minimal threat, while a real attack, utilizing the same methods, could be a catastrophe.
“I am not worried about my people, even if I put them in front of a bank and show them how to steal $100 million without anyone noticing,” he said. “But training someone with a criminal record is a risk I am just not willing to take,” he added, referring to the Hollywood cliche of the hacker that does such a good job hacking the FBI that they hire them.
According to Aronashvili, CYE’s clients include financial institutions, as well as infrastructure companies, manufacturers, and tech companies, most of them non-Israeli. Due to stringent regulation, the financial sector is relatively protected, he said, while insurance and MedTech companies are very vulnerable. “I don’t think there is a single sector that can sleep soundly at night these days,” he added.
Based in Herzliya in central Israel with additional sales offices in Germany, the U.K., Switzerland, and the U.S., CYE employs 70 people.
In 2018, CYE raised an undisclosed sum estimated at tens of millions of dollars from 83North Ltd. and an unnamed Singaporean investor. “We have been turning a profit since day one and our investors know that we needed the connections, not the money,” Aronashvili said.
As someone who hacks corporate enterprises for a living, what kind of insights do you have on their defenses?
“You see unbelievable defense tools, the cream of the crop, but then you find out that 80% of the users in the organization have passwords that can be cracked in under 30 seconds.
“We don’t take a single user and try every possible password on it, instead we take all users and try two or three possible passwords on each so we don’t get locked out or alert the system of suspicious activity. Within 10 minutes of an attack, we can crack over 50% of an organization’s passwords using this method.”
Now, with the massive shift towards work from home due to the coronavirus (Covid-19) pandemic, it must feel like a paradise for cyber attackers.
“People are working from home with a modem password that is usually their cell number. Attacking a private home is way easier. Some have added an additional layer of security, but if you want to target an organization you get a list of employees and just try them one by one at their homes.
“Not many organizations can protect themselves from even the silliest viral attacks so the question is not whether we can avoid ever being attacked but when will we be attacked and what measures can we take to make sure the damage is minimal.”
“That’s true. There are a lot of abilities in Israel that can cause very dramatic damages in the wrong hands.
“Take Stuxnet (a malicious computer worm allegedly developed by Israel and the U.S. that attacked the Iranian nuclear system in 2011, D.B.N. and M.O.), it was one of the most severe cyberattacks to ever take place and similar methods are being used for attacks around the world to this day.
“One of the most severe cyberattacks, WannaCry (a ransomware attack on thousands of computers that took place in 2017, D.B.N. and M.O.) was based on a tool leaked from the U.S. National Security Agency (NSA). Just consider the financial impact of this, not to mention that some attacks can physically kill people.”
Do you also expose attackers or just vulnerabilities?
“Quite a few times when we were attacking a system we found somebody had beat us to it. Getting rid of them is exactly what we do.
“We once worked with one of the largest electricity companies in the world, with hundreds of thousands of employees, and we got to a point where we had complete control over the system, and we found a lot of porn sites on the servers. Whoever hacked the company didn’t harm the organization with a malicious attack, they just used its servers as a free and stable hosting service.
“There is a direct correlation between how big the organization is and how easy it is to attack it. Big organizations have a much harder time defending themselves.”
According to Aronashvili, the “secret recipe” for preventing an attack is making sure it would be too expensive to be worth the trouble, compared to what the attacker may hope to gain.
Aronashvili further emphasized that attacks by countries are far more difficult to protect against.
So, what if North Korea attacks Moderna Inc. or Oxford University, both of whom are working on a Covid-19 vaccine?
“On such a sensitive matter, countries can choose one of two paths: they can invest a fortune in research or wait for somebody else to find a vaccine and then invest in trying to steal it. The approach traditionally attributed to China—though, not all Chinese companies, of course—is that information can be obtained using every means. The motivation here is clear. I don’t see U.S. President Donald Trump allowing Moderna to help the Chinese before the U.S. is entirely covered. The geopolitical situation is very relevant.”
What helped you break the statistics of people growing up where you did?
“I had a drive. I set goals for myself regarding where I wanted to get to. At first, they were little goals: get into university, finish my degree. Some people from the neighborhood started to work right away because they had to make money. I also needed money, but I worked scoring tests because I realized that a smart job can also educate you and help you develop.
“It’s a type of hunger that my kids don’t experience today. When my daughter, who is five and a half, wants to know when she will be getting a phone and a tablet, you just know it’s a different kind of childhood. I’m not loving it, I am kind of sad to see my kids grow up this way. Nothing is missing for them and their lives are comfortable. The main concern is where this leaves them if they lack my drive. You need to have a hunger for something in order to make it. I’m not talking about physical hunger for food, I mean hunger for achievement.”