As businesses resumed activities after the weekend in Israel, the nation was still assessing how many organizations and companies had been compromised by a massive electronic attack that hit over 150 countries around the world. But quick and joint action by cyber experts in Israel helped keep the attack at bay, a cybersecurity expert said on Sunday.
“We are still assessing the damage,” Sharon Nimirovski, the founder and CEO of Tel Aviv-based cyber firm White Hat, said in a phone interview. “We are working on this event around the clock and Israeli firms have been hit but we still believe it is minor. We are still investigating. The systems have been infected, but we don’t see damage. The attack reached the computers but was blocked.”
“We have no idea what is going to happen today – it is still only the early hours of the day. We are already seeing a second version of the attack that was released yesterday because the first was blocked,” he said.
The cyber extortion attack, which locked up computers and held users’ files for ransom, was believed to be the biggest of its kind ever recorded, disrupting services from the US to Russia, the UK, Spain and India. It appeared to exploit a vulnerability purportedly identified for use by the US National Security Agency and later leaked to the internet.
The unprecedented global ransomware cyberattack has hit more than 200,000 victims in more than 150 countries, Europol executive director Rob Wainwright said Sunday.
Britain’s National Cyber Security Center said Saturday teams were working “round the clock” to restore hospital computer systems after the attack forced British hospitals to cancel and delay treatment for patients. In Russia, where a wide array of systems came under attack, officials said services had been restored or the virus contained.
Two security firms — Kaspersky Lab and Avast — said they had identified the malicious software behind the attack, with Russia the hardest-hit country.
“We are at the height of a world cyberattack, in which close to 100 nations have been hit. As of now, there has been no damage to Israel’s critical infrastructures,” Prime Minister Benjamin Netanyahu said at a weekly cabinet meeting in Jerusalem on Sunday. “The other damage is minor, as of now, but everything can change.”
Israel set up its cyberdefense systems, including the National Cyber Authority, “in the understanding that there is a new danger that is still ahead of us,” he said. Netanyahu called on all Israeli citizens to obey the directives of the cyber authority. “There will be more developments and we will need to invest more resources” to ensure that Israel’s civilian and military institutions are protected against such attacks, he said.
On Saturday, the nation’s top cybersecurity official said there was no evidence so far that Israel fell victim to the global cyberattack.
Baruch Carmeli, the head of the National Cyber Authority, said in a statement that there was “no indication” that Israeli bodies had been compromised in the massive electronic assault.
Carmeli noted, however, that many of the country’s computer networks were currently inactive due to the Sabbath, and thus a definite assessment could only be made Sunday. “We are preparing,” he noted.
He added that the authority was in contact with cyber officials in Israel and around the world in order to minimize any potential damage.
Nimirovski – whose firm, White Hat, employs teams of hackers to scour the dark web in search of criminal activities aimed at its clients, which include hospitals, financial institutions in Israel and abroad and government institutions in Israel – said that on Friday afternoon its employees spotted an attack on 16 hospitals in the UK. “It was a widespread attack,” said Nimirovski. The desk entered a high alert mode — which they call “DEFCON 2” — the second-highest alert (the highest is when Israel is under attack), and started to investigate the type of the attack, its spread, location and damage.
“We sent our customers the first vaccine against the attack within an hour,” he said. The “vaccine” included IP addresses, URLs and file names which its customers were told to block. Workers at firms in Israel went into work on Friday afternoon — when companies are generally closed for the weekend — or connected remotely to install the “vaccine,” Nimirovski said.
As the attack spread even further globally, Israel’s National Cyber Bureau started communicating with the local cyber community and convened members of the Israeli cyber forum, which gathers 250 cybersecurity experts from public and private cyber institutions. “It was a huge conversation which began Friday evening, with everyone pitching in and talking and giving advice and analyzing the event,” Nimirovski said.
“We all joined forces and helped to block the attack,” Nimirovski said. “It was like a war, everyone put on their uniform and helped. The cyber bureau began coordinating everything.”
The National Cyber Bureau sent out documents to all major companies in Israel and to critical infrastructure utilities and posted instructions on its website on how to prevent the attack.
It was a cooperation that worked, Nimirovski said. But luck also played a huge part in the event, he said, because most of the businesses were closed for the weekend. “What would have happened if all this had happened on a Monday morning or any other day? That is a big question.”
White Hat was monitoring the dark net to determine who is behind the attacks and was using “sophisticated means” to catch them, he said.
The scope of the cyberattack was unprecedented and future ones will only get bigger, said Erez Kreiner, a cybersecurity consultant and a former director of information security at the Shin Bet, Israel’s security agency. For 35 years he helped foil cyberattacks on Israel.
“The damage done by this attack is not worse than other attacks we have seen before, and is not more serious than others – the techniques and tools it uses are not different. What is different is its scope,” said Kreiner. “In future things will only get worse – the ability for such large-scale attacks exists. When they will happen again depends only on the intentions of the perpetrators.”
This attack apparently used a piece of malicious software called “WanaCrypt0r 2.0” or WannaCry, which exploits a weakness in Microsoft’s Windows. Microsoft released a patch — a software update that fixes the problem — for the vulnerability in March, but computers that have not installed the security update remain vulnerable.
What is interesting about the attack is that the criminals appeared to exploit a vulnerability purportedly identified for use by the US National Security Agency and later leaked to the Internet, said Ofer Israeli, the CEO of Illusive Networks, an Israeli cybersecurity startup.
“What we are seeing is the tip of the iceberg,” said Israeli. “The attacker was not very sophisticated and hence the first wave of the attack was stopped, even if apparently a second version has already been released. But cyber criminals can take the lethal capability that has been exposed and strategically and surgically now go after an organization in a targeted and much more damaging way.”
“I have no doubt that over the next few months, down the road, we are going to see a more sophisticated and more targeted and more devastating attack. As we speak this is already happening. We will see it only in later months,” he said.