Hackers scrawl ‘Jerusalem is capital of Palestine’ across many Israeli web pages
Attackers fail to plant ransomware, which would have hit economy hard, but by temporarily blocking sites such as Ynet, McDonalds, expose cyber protection failure
Sue Surkes is The Times of Israel's environment reporter
An apparent attempt to plant ransomware and freeze more than one million Israeli web pages over the weekend failed, but not before the hackers had managed to deface multiple pages with the words “Jerusalem is the capital of Palestine,” and in so doing underline the failure of some of Israel’s major companies to ensure that their computer systems are sufficiently protected.
The hackers — whose identity and location are not known — found a breach connected to the Hebrew-language website Nagich, which means “accessible” in Hebrew, to block access to companies that are its customers, including several major news sites, for at least an hour.
Under the equal rights for people with disabilities legislation and accessibility regulations, all bodies providing services to the public must ensure that their websites are accessible.
Nagich, one of the businesses that specializes in that field, provides plugins to modify web pages for the benefit of people who have limited mobility or poor sight, for example.
The company says on its website that its technology has made more than one million web pages accessible for companies as diverse as telecommunications firms Partner, 012 mobile and Golan Telecom; Bank Hapoalim; the cosmetic giants Clinique and Estee Lauder; McDonalds; and Coca-Cola.
On Saturday, activist hacker Yuval Adam was at home when his partner alerted him to a “Jerusalem is the capital of Palestine” slogan that came up on her screen when she tried entering the Ynet news site, preventing her from getting into the site at all.
Lulz, they hacked Ynet pic.twitter.com/siuM5ydUy3
— Yuval يوڤال Adam (@yuvadm) March 2, 2019
Reports then started to appear on Twitter that the same phrase was appearing on the sites of other news organizations such as Calcalist and Makor Rishon, as well as on the site of McDonalds.
The same thing was reported in orders from McDonald's pic.twitter.com/coopErigEY
— Guy Varon (@guy_varon) March 2, 2019
Adam alerted the cyber department in the Prime Minister’s Office, which is open for reports about dubious web activity 24/7.
The technical team at Nagich is understood to have closed the breach soon afterwards, some 20 minutes after the company was alerted.
It is still investigating what happened.
It is not clear how many pages actually fell victim to the hackers, other than those posted on Twitter.
A spokeswoman for Nagich customer Bank Hapoalim, for example, told The Times of Israel that the bank had not fallen victim to the incident and had online technology to protect it from events of this kind.
But Ran Bar-Zik, senior software developer at Verizon Media, who worked with Adam on Saturday to try to understand the nature of the hack, nevertheless stood by his estimate that the number of pages hacked was around the million carrying the Nagich technology.
According to Adam, the hackers’ real goal appears to have been to get surfers to download a ransomware file.
That would have allowed the rogue programmers to encrypt and block access to files across unprotected pages until ransoms were paid.
“If the hackers had succeeded with their ransomware, they could, in theory, have brought parts of the Israeli economy to a halt,” Adam said.
The hackers got into the company’s DNS [Domain Name System] records and changed the numeric address to which Nagich’s domain name points, redirecting traffic intended for Nagich to their own malicious server.
And because every company using Nagich was using the same JavaScript access code, every page from every customer website that was not itself sufficiently protected was exposed.
“This was waiting to happen,” Adam said.
Writing Sunday on his Hebrew-language blog, “Internet Israel,” Bar-Zik blamed the hackers’ success on “incredible negligence, about which warnings have been sounded in the recent past.”
First, Nagich had failed to arrange for the necessary authentication that would have protected its DNS record properly, Bar-Zik said.
Second, those companies using Nagich that were hit had omitted to install special signatures for online files (known as SHA-256), which would have protected them against the kind of tampered-with JavaScript employed by the hackers.
“Even this simple action is apparently beyond the capabilities of Israeli internet sites,” Bar-Zik wrote.
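In browsers, the SHA-256 file check described above is the `integrity` attribute on a script tag (Subresource Integrity). The following is an added example, not code from the article, Nagich or Bar-Zik: it computes the hash a customer site would pin and mimics the browser's accept or reject decision. The script bodies, the `vendor.example` URL and the function names are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed samples: the script the vendor publishes, and the replacement
// served once the vendor's DNS record points at another server.
const GENUINE_JS = 'window.a11yWidget = { init() { /* accessibility toolbar */ } };';
const TAMPERED_JS = 'document.body.innerHTML = "defaced";';

// Value for the integrity attribute: "<algorithm>-<base64 digest>".
function sriHash(body, alg = 'sha256') {
  const digest = nodeCrypto.createHash(alg).update(body, 'utf8').digest('base64');
  return `${alg}-${digest}`;
}

// Tag the customer site embeds. crossorigin is needed so the browser can
// read a cross-origin response and apply the integrity check to it.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Mimics the browser's decision: keep only well-formed hashes, pick the
// strongest algorithm listed, and accept the body if any hash of that
// algorithm matches.
function passesIntegrity(body, integrityAttr) {
  const parsed = integrityAttr.trim().split(/\s+/)
    .map((tok) => tok.split('?')[0].match(/^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$/))
    .filter(Boolean)
    .map(([, alg, b64]) => ({ alg, b64 }));
  // Edge case: with no usable hash the browser loads the script unchecked,
  // so a typo in the attribute silently removes the protection.
  if (parsed.length === 0) return true;
  const best = Math.max(...parsed.map((p) => STRENGTH[p.alg]));
  return parsed
    .filter((p) => STRENGTH[p.alg] === best)
    .some((p) => sriHash(body, p.alg) === `${p.alg}-${p.b64}`);
}

const pinned = sriHash(GENUINE_JS);
console.log(scriptTag('https://vendor.example/a11y.js', GENUINE_JS));
console.log('genuine script accepted: ', passesIntegrity(GENUINE_JS, pinned));
console.log('tampered script accepted:', passesIntegrity(TAMPERED_JS, pinned));
```

The pinned hash has to be regenerated whenever the vendor legitimately changes the file, which is why it is normally used with versioned script URLs.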
“The State of Israel, the cyber nation, got off very easy,” he charged.
“The hackers could have caused billions of [shekels of] damage instead of vandalism. The defacing, thanks to our alertness and that of the cyber directorate (and probably to other researchers who reported it), also lasted just a limited time.”
No complaints were made to the police about the hacking, a spokesman said.