Indications suggest that Iranians are behind a string of cyberattacks on Israeli companies

The nature of the hacks and the fact that no ransom requests were made strengthens the assessment that Iranian-linked hackers are involved

Raphael Kahan and Hagar Ravet, 14:35 14.12.20

Is Iran behind a series of cyberattacks against Israeli companies in recent days? Following the attack on Amital Data last week and a string of hacks of shipment and logistics companies that were exposed in Calcalist, on Sunday hackers claimed to have breached the servers of Israeli chip manufacturing company Habana Labs, which was acquired by Intel last year.


The nature of the recent attacks strengthens the assessment that the hackers were employed by, or at the very least, linked to Iranian cyber operations, with some theories suggesting they were trying to sabotage the delivery of Covid-19 vaccines that Israel had purchased. The attack characteristics that suggest this include the fact that so far there has been no demand for ransom and that in both cases, the malware used was of the Pay2key variety, which was used in a separate series of attacks on dozens of Israeli companies and organizations, as exposed by Check Point analysts. However, it is difficult to pin down the identity of the attackers based on the malware they use since it is common for hacking groups to trade tools or upgrade the malware used by others in order to blur their tracks.


Illustrative image of a hacker. Photo: Shutterstock

Pay2key has been associated with Iranian hackers for several months. It is a relatively new type of malware, first identified last June. While it has been linked to Iranian hackers, it is not clear whether they developed it themselves or purchased it from other developers. One of the characteristics of its use so far is that its activators tend to demand ransoms that are lower than the market standard.


“There are two types of attacks that are common to the world of cryptography,” Gal Ben David, one of the founders of Israeli cyberintelligence company IntSights, told Calcalist. “There is ransomware that encrypts the attacked company’s data and demands the transfer of money to release the seized information, and then there are encryption tools that simply destroy the breached data, making it irrecoverable. The second method is used for sabotage purposes and is therefore believed to be used by hostile states or organizations attacking a specific company. State actors sometimes also demand a ransom because it makes the attack appear more innocent, if what you are allegedly after is money and not simply to do harm,” he added.


Ben David tends to believe that the latest string of hacks does not constitute an “official” Iranian attack against Israel, primarily because of the software that was used. “Generating headlines is the last thing espionage organizations want when selecting which attack to carry out. In this case, the hackers used ransomware, which made it certain that the attack would be revealed. If a state-level actor had wanted to sabotage Israel’s vaccine supply chain, it would have made it look like a malfunction.”


IntSights co-founder Gal Ben David. Photo: Orel Cohen

They could, for example, sabotage the refrigerator systems, which are connected to sensor software, causing the program to present the correct temperature needed for storage while the actual units were inactive, suggested Ben David. He added that “no one would take responsibility for harming vaccines, even an enemy state. I find it hard to believe that if there was an attempt to harm the vaccine supply, anybody would take credit for it. It would be hard to prove that Iran is behind it too, since state agencies are good at hiding information. One of the reasons Russian hackers were discovered in the past was because of their poor use of English. Spy organizations, including the Iranians, who are very good at cyber, don’t behave in such a way.”


The fact that it doesn’t appear to be a state-coordinated attack doesn’t rule out the involvement of Iranian hackers. On the contrary: “It is most likely a case of anti-Zionist activism, obviously targeting Israelis. Combine that with the Check Point research that links the malware to the Iranians and you don’t have to be a genius to figure out where the attackers come from,” Ben David said.


At the time of writing, it is not yet clear what the people behind the attacks want, but various assessments, including by cyber companies Security Joe and Profero, concluded that it is not an attempt to blackmail the companies. “The attack’s goal is to gather intelligence and not to collect a monetary ransom,” they told Calcalist. “It appears that the hackers gathered intelligence about Amital and the program it provides its clients and only later chose it as a target. We believe that the attackers are associated in some way with a state or organization that is hostile to Israel and that the data that was leaked could in high likelihood contain sensitive security information.”


Amital develops logistics software solutions for freight forwarders, shipping agents, airline cargo sales agents, and customs brokers. It is a veteran in the Israeli market and its software is in wide use. The hackers’ successful breach of Amital’s computers resulted in them gaining access to its clients’ systems too. It is still unclear how the breach was made possible, but if those systems contained usernames and passwords of clients, access to the clients’ networks wouldn’t have required sophisticated actions: all the hackers needed was the access details, and from there they could enter all the linked computers. The reason sensitive information could have leaked, or indeed have been the impetus for the attack, is that some of the companies breached were involved in the import and export of defense equipment.


Amital said that it has received no ransom demand yet. Other sources in the cyber industry say the companies’ servers had not been encrypted, indicating that the hackers stole the data and chose not to use it for extortion purposes.