Iranian hackers suspected of breaking into defense company Rafael's systems

The hackers, who belong to the Iranian regime-supported "Moses Staff", uploaded to the Darknet examples from Rafael's database and offered up the stolen data for 100 bitcoin

Raphael Kahan and Udi Etsion 19:1801.02.22
Hackers, apparently working on behalf of the Iranian regime, infiltrated the computer systems of the Israeli defense company Rafael, stole information and leaked examples from it to the Darknet, according to information seen by Calcalist on Tuesday.


According to the leaked files, this is allegedly information that includes employee access lists to internal computer systems, most likely from an Active Directory system, along with confidential business presentations, and possibly even air defense system plans sold to the UK. There is no certainty that these records also include passwords for accessing Rafael's systems, although this is certainly possible.

Iron Dome. Photo: Rafael Iron Dome. Photo: Rafael


The video uploaded by the hackers to the site, where they published the information, shows screenshots of a system that could be "Sky Cyber". This is a GBAD system - an acronym for Ground Based Air Defense system. “Sky Cyber'' was acquired by the British Army, with the system combining a control and battle management system made by Rafael, a radar by Sweden's Saab and a British interceptor missile.


This is an export version of the battle management system that is also used by the Iron Dome and was developed by mPrest, now a subsidiary of Rafael that owns 50% of it. The British paid $79 million for the Israeli system, although it should be noted that it is not exactly the same as the system currently installed in IDF Iron Dome batteries. However, if the hackers managed to break into the system software and the algorithms used in it, then they can gather critical information about how data is collected and the decision-making of the Israeli interception system, which could be used to deceive it.


Part of an ongoing campaign


The hackers who published the findings are apparently part of the “Moses Staff” cyber group affiliated with the Iranian regime. "The hack into Rafael that was in the headlines recently, is part of an ongoing campaign by the Iranian-backed attack group," said Dor Amit, co-founder and VP of technology at cyber technology company 10Root. "Some of the leaked information is dated 2017 and allegedly indicates a previous attack and despite this new documents were also leaked. It cannot be ruled out that this is perhaps a technical manipulation that allows re-dating or thickening of the new information with old information to intensify the incident."


From the materials published so far in the dark web there is no evidence to establish any hold of the attackers in the system or the exposure of users' passwords, but mainly a certain mapping of the information systems and services in the organization. The information stolen is up for sale for about 100 bitcoin or about NIS 12 million (approximately $3.78 million). The database also contains a number of references to data that may have been stolen from the systems of the cyber company F5. The hackers bragged about their exploits in a text published next to the database uploaded to their site and attached a file containing usernames and free passwords to porn sites.