Israel should expect a rise in cyberattacks - expert

CYBER AFFAIRS: Industry insider Ram Levi talks about defense against hacks and what really happened at Shirbit.

 A MAN LOOKS at a video on an Israeli website that was hacked last year by an Iran-based hackers group that calls itself ‘Hacking Saviours.’ (photo credit: YONATAN SINDEL/FLASH90)

Cyberattacks on Israel will rise sharply once the Ukraine war fades from the headlines, former top government cyber official and current Konfidas CEO Ram Levi said in a recent interview.

“They will [escalate] continuing to try to hack. There was a [relative] slowdown in hacking because Russia has been focused on the war. But after, they will attack even more aggressively again.”

He referenced specific Russian plans to raise the level of its attacks on the West, and said that this escalation “could hurt us [Israel] a lot.”

During some recent Iranian cyberattacks, his cyber firm was able to note exact times of Iranian hacking practically in real time. Explaining how his firm does it, Levi said that “almost all cyber actions leave fingerprints. Sometimes an increase in activity can reveal problematic activity, sometimes not. You need to [generally know] who is attacking in order to find the fingerprint.”

From various cyber signs, malware forensics and tracking server movements, “We knew which specific organization was involved, so we checked the data. Then, when there is an increase in activity, you can connect things and produce graphs” to summarize the activity.
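The “increase in activity” signal Levi describes can be reduced to two steps: bucket events by time and flag buckets that stand out against the baseline, then check whether the addresses in the flagged bucket overlap an indicator list for a group you already track. The script below is an added example and is not code from the article or from Konfidas; the access-log format, the indicator list and the log lines themselves are constructed for illustration, and the z-score threshold is an assumed, tunable value.

```python
"""Added example (not from the article or Konfidas): flag bursts of activity in a
connection log and cross-reference them against a tracked group's indicator list.
All log lines and indicator IPs below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Constructed indicator list: addresses hypothetically attributed to one tracked
# group. Real attribution rests on malware forensics and server tracking, as the
# article describes; this table is only the lookup step at the end of that work.
KNOWN_ACTOR_IPS = {"203.0.113.7", "203.0.113.9"}

# Constructed web-server access log: "<ISO timestamp> <client IP> <path>"
SAMPLE_LOG = """\
2022-05-01T00:05:00 198.51.100.4 /login
2022-05-01T01:10:00 198.51.100.5 /login
2022-05-01T02:20:00 198.51.100.4 /login
2022-05-01T03:30:00 198.51.100.6 /portal
2022-05-01T04:40:00 198.51.100.5 /portal
2022-05-01T05:05:00 203.0.113.7 /login
2022-05-01T05:06:00 203.0.113.7 /login
2022-05-01T05:07:00 203.0.113.7 /login
2022-05-01T05:08:00 203.0.113.9 /login
2022-05-01T05:09:00 203.0.113.9 /admin
2022-05-01T05:10:00 203.0.113.9 /admin
2022-05-01T05:11:00 203.0.113.7 /admin
2022-05-01T05:12:00 198.51.100.4 /portal
"""


def parse_log(text):
    """Yield (hour_bucket, client_ip) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts.replace(minute=0, second=0, microsecond=0), parts[1]


def find_spikes(text, z=3.0, min_baseline=3):
    """Return [(hour, count, matched_actor_ips)] for every hour whose request count
    exceeds mean + z * stdev of the *other* hours (leave-one-out baseline, so the
    spike itself does not inflate the threshold it is measured against)."""
    per_hour = Counter()
    ips_per_hour = defaultdict(set)
    for hour, ip in parse_log(text):
        per_hour[hour] += 1
        ips_per_hour[hour].add(ip)

    hours = sorted(per_hour)
    if len(hours) <= min_baseline:  # too little history to call anything a spike
        return []

    spikes = []
    for hour in hours:
        others = [per_hour[h] for h in hours if h != hour]
        mean = statistics.mean(others)
        sd = statistics.pstdev(others)
        # Floor the deviation at 1 so a perfectly flat baseline is not hair-trigger.
        threshold = mean + z * max(sd, 1.0)
        if per_hour[hour] > threshold:
            matched = sorted(ips_per_hour[hour] & KNOWN_ACTOR_IPS)
            spikes.append((hour, per_hour[hour], matched))
    return spikes


if __name__ == "__main__":
    for hour, count, matched in find_spikes(SAMPLE_LOG):
        who = ", ".join(matched) if matched else "no known-actor overlap"
        print(f"{hour:%Y-%m-%d %H:00}: {count} requests ({who})")
```

Two caveats match Levi's own qualification that a spike “sometimes” means something and sometimes does not: a burst with no overlap against any tracked indicator is just a lead to investigate, not attribution, and the indicator list is only as good as the forensic work that produced it.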

KONFIDAS CEO Ram Levi: There is a gap between what is enough money to defend properly versus what small businesses are willing to spend. (credit: DROR SITHAKOL)

Likewise, he said Russia opened its war with Ukraine in cyberspace, and that cyber analysts could already see problems on the night of February 24.

“Then 40% of Ukrainian public transportation was brought down. You can see how they act, and then you can bring evidence about what the impact is and do a serious analysis,” he said.

Levi was questioned about whether Israel has improved sufficiently since the mega hacks and attempted hacks against its water sector, medical sector, aircraft sector, Shirbit, Cyberserve-Atraf and others by Black Shadow, Moses Staff and other Iranian proxies over the last two years.

“We didn’t improve enough. Most attacks are characterized by attacks on small businesses, which are harder to defend. Cyberdefense costs lots of money. Defenses didn’t get much better. There is a gap between what is enough money to defend properly versus what small businesses are willing to spend. Even now, it is not getting better,” he warned.

“Small businesses still think they won’t be attacked,” he said. “We do crisis management at Konfidas. Each individual CEO asks: ‘Why did they attack me?’ We need to explain that they were attacked because of money, or because they were exceptionally vulnerable” and easy to pick off without much of an investment.

Next, in this light and in light of two incidents in which hacked companies knowingly delayed fixing vulnerabilities they were warned to patch, he was asked whether the Israel National Cyber Directorate (INCD) should be given greater powers to intervene and compel more private-sector firms to promptly carry out such cyber patches.

Levi is against this. “It won’t fix the problem, because the problem is not that little businesses don’t want help. They know they have a problem. If someone explains the problem, I have not encountered a business that ignored a problem once it was shown to them. The problem is not public relations, but enforcement.”

His idea is to have industry-specific regulators working alongside each business’s individually mandated cyber adviser, with the INCD involved, but more on the periphery.

“To obligate them to take action, banks have industry-specific applicable regulations and regulators; this is also true with insurance companies,” he said.

“Either INCD or another tailored regulatory agency. Transportation can be regulated by a transportation regulatory agency. A water agency can oversee water, but with guidance from INCD.”

“We are in favor of the tax model. We tax all of the country’s businesses, but it runs through an accountant. Let’s have the state do cyber. Everyone should be required to have their own cyberdefense person. They define what you should need to do,” he said.

But then “you will also have a partner addressing you from the regulatory side who can translate the specific needs of the specific entity. The INCD cannot do that by itself. It is too small. There are 250,000 businesses in Israel.”

Recently, the INCD changed hands, with former IDF brigadier-general Gabi Portnoy replacing Yigal Unna after a term of over four years.

“I have known Gabi for many years from the IDF. Gabi understands the problem. He understands that the INCD needs to change. It needs to be much more available to assist and help cyber companies” with the variety of business-specific issues different firms encounter, rather than imposing single standards from on high and focusing more on infrastructure than on small businesses.

“I think it will be a positive change, and he is an asset for his role,” he said.

Levi criticized the INCD for, in some cases, such as Iran’s attempted hack of Israel’s water sector or the Chinese hackers’ attack on Hillel Yaffe Medical Center, “only handling what it needed. It comes in to take information about such cyberattacks, but then keeps it for itself and does not send the data to others.

“We still don’t know what happened at Hillel Yaffe, Shirbit, Atraf, with the water sector attacks. Other companies need to know. Clalit, Meuhedet, Maccabi were not told by the state what happened there. So no one can go to Assuta [Medical Center] or Yoseftal [Medical Center] to implement the lessons. It’s absurd.”

Despite his idea of transparency, Levi was confronted with the fact that most private companies may want privacy.

Acknowledging this, he stated, “But for a public company like Hillel Yaffe, there are much broader considerations. With Shirbit, we [his company] handled analyzing the hack and told the CEO exactly what happened.”

He suggested that other than juggling some technical issues, “we know with Shirbit that there is no reason the details of the hack cannot be published. In fact, they were [quietly] published in a class action lawsuit.”

According to documents in that case that have not been reported on to date, but which The Jerusalem Post now reveals, rather than thousands or tens of thousands of Shirbit documents being leaked in late 2020, 707 documents were leaked.

Of those 707 documents, only 41 documents showing clients’ identity numbers were leaked, and only seven documents showing clients’ credit card numbers were leaked.

Shirbit said it offered logistical and financial compensation to these clients if they needed to replace their cards.

As Shirbit’s outside cyber analyst, Levi explained in court documents that even though the US agency NIST publishes certain cyber standards, some of which Shirbit might not have met, these standards are not obligatory and are not even always relevant to all companies in all fields.

In addition, Levi said the critics of Shirbit were incorrect in their claims regarding how it might have been remotely hacked.

Rather, the technique of wiper detboi (a reference to some dark music styles and symbols) was used to hack Shirbit’s online services.

Once the online services were hacked, the hackers then obtained the legitimate passwords of Shirbit employees and used these to access other aspects of the company’s digital services.

As a general matter, Levi did not believe that Shirbit had acted any more negligently than other comparable companies in the industry regarding cyberdefense.

Rather, Levi found that when faced with unpredictable potential attacks from nation-states like Iran, Shirbit’s calculated risk and cost assessment regarding where it would invest more or less in its cyberdefense was reasonable.

But none of this, even almost two years later, has been produced publicly (until now) in a way that could have helped others better prepare their cyberdefenses.

What could be a reporting paradigm for Israel?

Under a new US law (the 2022 Cyber Incident Reporting for Critical Infrastructure Act), covered critical-infrastructure entities “do need to report being hacked within 72 hours,” whereas there is no parallel Israeli requirement applying to all fields, such that “people in Israel don’t and will not know the data on such hacks.”

If there was a law requiring every hack in Israel to be reported to INCD, “we could do an analysis about which fields are defended and which are not. Now we don’t know. INCD knows about critical infrastructure, but not beyond that. But support fields getting hacked can lead to critical infrastructure being taken down. We need to look at defense holistically.”

With most of the hacking news lately attributed to Russia or Iran, he was asked whether Chinese cyber spying still poses a threat.

“Yes, we need to worry all of the time. And North Korea is also trying to spy and is often succeeding,” he said.

With Israel hit by multiple new cyberattacks this past week, the idea that a major new escalation could be right around the corner will ensure that Levi and others have many late cyber event nights ahead of them.