Plans and documents relating to Israel’s Iron Dome system were stolen off the servers of several companies involved in the system’s development, using a well known but sneaky Internet trick, according to a report released Tuesday.
The data fell victim to what a appeared to be a phishing scheme run by Chinese hackers who planted malware on servers in the three companies, giving them a “back door” into the system that enabled them to carry out searches for the specific documents they apparently were looking for.
Among the targets were Rafael (Israel Military Industries), the Elisra Group, and Israel Aerospace Industries. It was not known what, if any, damage was caused by the leak.
According to the report, the phishing operation took place in 2011 and 2012, when the hackers purloined hundreds of gigabytes of documents, presentations, graphics, and charts relating to Iron Dome, the Arrow III program, UAVs, and other technical documents relating to defense systems.
The story was unveiled by cyber-security expert Brian Krebs, based on a report by US company Cyber Engineering Services Inc. (CyberESI). Krebs sought responses from the three companies, receiving one only from IAI, which called it “old news,” Krebs said, quoting an email from an IAI spokesperson, who said that “the information was reported to the appropriate authorities. IAI undertook corrective actions in order to prevent such incidents in the future.”
The phishing scheme, according to the CyberCSI report, was carried out by a group of Chinese hackers called “Comment Crew,” a state-sponsored group with close ties to the Chinese army. According to CyberCSI CEO Joseph Drissel, the group has been accused of stealing data from American corporations and defense contractors.
Israeli companies and government organizations, even those with involved in top security work, have proved to be surprisingly vulnerable to phishing attacks, in which “hackers search for a ‘weak link,’ matching a message with a potential victim, using threats, rewards, fear or other psychological tactics to get the victim to click on a link or open a document that will install a virus or trojan, giving them access to data,” said Middle East cyber-security expert Dr. Tal Pavel.
In 2012, hackers used phishing tactics to get employees of the Israel Police to click on links in email messages that led to sites where network-invasion malware known as Xtreme RAT was surreptitiously installed on users’ computers. According to Roni Bachar of Israeli security firm Avnet, the malware was delivered in the guise of an email message with an attached archive, sent from email address firstname.lastname@example.org.
Gantz is the IDF Chief of Staff, and it’s unlikely he would be using a service like Gmail to communicate with Israeli officials. Nevertheless, numerous people apparently clicked on the file, releasing the virus into the police department’s computer system, said Bachar. “Closing off the department’s computer to the Internet is a complicated matter, and police would have done so only if they felt that there as an acute need to go off-line.”
Among the measures police have reportedly taken to prevent future attacks is to ban any outside media like USB drives and CDs from connecting with systems. As a result of the attack, police were forced to disconnect servers from the Internet for over a week as they tracked down and eliminated the malware.
That same malware was successfully used earlier this year to invade government sites — again using a message with suspicious contents, from a suspicious-looking address, in this case “email@example.com,” an unlikely address for an official document from the Israel Security Service to use. That attack, said to have been conducted by Palestinian hackers, compromised the computer network belonging to the Civil Administration Judea and Samaria, the government agency that deals with all administrative matters in the part of the West Bank under Palestinian self-rule, as well as several news websites in Ramallah and Gaza.
CyberCSI hasn’t yet divulged details of how the hackers got their malware onto the companies’ servers, but avoiding phishing schemes isn’t that difficult, said Aviv Raff, CEO of Israeli security company Seculert. “If it looks like a rat and smells like a rat, it just might be a rat,” said Raff, warning that if the message looks “funny,” or the sender’s address isn’t up to snuff, just don’t click on a message’s attachments or links. “It sounds simplistic, but that really is the solution,” he added. “When in doubt, throw it out.”
In an official statement to the Times of Israel, IAI said “he information reported regarding the leakage of sensitive information is incorrect. The report cited refers to an attempt to penetrate the Company’s civilian non-classified Internet network which allegedly occurred several years ago. IAI’s cyber security systems operate in accordance with the most rigorous requirements and also in this case they were proven to be effective.”