Iran, Israel cyberattack exchange may continue

A Western official warned that while both attacks were relatively harmless, 'it never stops at that'

Iranian flag and cyber code [Illustrative] (photo credit: PIXABAY)
The escalated tensions caused by an Iranian cyberattack on Israeli water systems in April and an Israeli cyber counterstrike in May could continue, a Western intelligence official has told the Financial Times.
A Western official warned the newspaper that while both attacks were relatively harmless, “it never stops at that.”
According to the story in the Times, Iranian hackers intended to poison Israel’s water by increasing the amount of chlorine during the thwarted April cyberattack.
The official’s interview with the Times comes after The Jerusalem Post last week reported a range of new details about the incident.
“We will remember this last month, May 2020, as a changing point in the history of modern cyberwarfare,” said National Cyber Directorate Chief Yigal Unna in a recorded speech for a Cybertech conference event, first obtained by the Post. “If it had been successful... we would now be facing, in the middle of the corona crisis, a very big damage to the civilian population: a lack of water.”
Unna noted that when various chemicals, including chlorine, are mixed with water in the wrong proportions – which could happen due to a hack – it “can be harmful and disastrous.”
While avoiding blaming Iran for the attack directly, Unna did mention the accusations that Tehran was behind the attack and made it clear that the hack was conducted by an enemy nation-state and not just cyber criminals.
The attack could have triggered fail-safes that would have left tens of thousands of civilians and farms without water in the middle of a heatwave, as the pumping station shuts down when the excess chlorine is detected. A Western official told the Times that, in a worst-case scenario, hundreds of people would have been at risk of becoming ill.
“It was more sophisticated than they [Israel] initially thought,” said the official to the Times. “It was close to successful, and it’s not fully clear why it didn’t succeed.”
An Israeli official told the Times that the attack opened the door to “an unpredictable risk scenario,” creating a precedent for cyberattacks on civilian infrastructure which had been previously avoided by both Iran and Israel.
Iran has denied allegations that it is behind the attack.
“Iran cannot politically afford to try to poison Israeli civilians. And even if Iran did so, where is the Israelis’ appropriate response?” a regime insider told the Times. “Our suspicion is that Israelis want more money from the US and made up the whole thing. But the Americans are no idiots.”

THE TIMES report, like a number of earlier reports, claimed that Israel retaliated for the cyberattack by attacking the Shahid Rajaee Port in Iran.
“It was small, very small – like a knock on the door,” said one Israeli official to the paper. “Think of it [as] a gentle reminder: ‘We know where you live.’”
Former Defense Minister Naftali Bennett insisted on a visible response to the alleged Iranian cyberattack. The Shahid Rajaee Port was “roughly in the middle of the page of options” presented to Bennett after he demanded a list of potential targets for a response, an Israeli official told the Times. “Any disruption would be economic, nobody’s safety would be placed at risk, they would be reminded we are here, we are watching,” he said.
On May 11, Mohammad Rastad, Managing Director of the Ports and Maritime Organization (PMO), announced that a cyberattack managed to damage a number of private systems at the Shahid Rajaee Port, confirming that the attack was carried out by a foreign entity, according to the Iranian Fars News Agency.
While Rastad stressed that operations had not been disrupted by the attack, US and foreign government officials told The Washington Post that traffic in the area came to a halt and was plagued with issues for a number of days.
In May, Israel’s security cabinet met to discuss the alleged Iranian cyberattack on Israeli water and sewage facilities that took place on April 24.
The attack caused a pump at a municipal water system in the Sharon region of central Israel to stop working. Operation resumed shortly thereafter, but it was recorded as an exceptional event, according to The New York Times.
A security company that investigated the incident found that malware caused the shutdown, and the incident was reported to the Israel National Cyber Directorate and other Israeli intelligence agencies. Israeli officials found that the malware had come from one of the offensive cyberunits in the Iranian Revolutionary Guards Corps (IRGC). The attack and the quality of the attack were described as “miserable” by intelligence officials, according to the NYT.

WHILE ONE intelligence official said that Israel hopes the attack on the port will end the current cyber exchange, an intelligence assessment stated that the IRGC could respond with another attack on the Jewish state.
Israeli security officials instructed sensitive facilities and national infrastructure to increase awareness and alertness amid fears of a cyberattack by Iran or a pro-Iranian group after reports about Israel’s involvement in the cyberattack on the Iranian port were published, according to Walla news.
Two weeks ago, a cyberattack targeted hundreds of Israeli websites that were hosted on one hosting service, replacing the websites with an anti-Israel video and message. A second attack on the same day targeted factories with ransomware attacks in an attempt to shut down production lines. Israeli research centers working on a vaccine for the novel coronavirus were also targeted by a cyberattack that day, according to Channel 12.
As of last week, there was no indication that Iran stood behind the cyberattack on Israeli websites. Cybersecurity firm Check Point Software Technologies told The Jerusalem Post that the attack was conducted by nine attackers who have been operating since April. Their profiles seem to connect them to Turkey, North Africa and the Gaza Strip. “This doesn’t mean there aren’t more, but we don’t know [enough] to confirm an Iranian operation at this stage,” he said.
Check Point explained that the cyberattacks last week did not seem especially unusual and similar ones happen almost every day. The attacks were also expected as they occurred around Al-Quds Day (Iran’s Jerusalem Day), when hackers from the Muslim world often organize cyberattacks on Israel.
Little information was available on the other two cyberattacks reported on the same day, and it was unclear if they were carried out by the same attackers.