In Israel, cyber experts joined forces to help foil massive attack

Private and government professionals set up virtual war room to stave off WannaCry cyberattack, which affected over 150 countries

Shoshanna Solomon is The Times of Israel's Startups and Business reporter

Illustrative hacker image via Shutterstock

As businesses resumed activities after the weekend in Israel, the nation was still assessing how many organizations and companies had been compromised by a massive electronic attack that hit over 150 countries around the world. But quick and joint action by cyber experts in Israel helped keep the attack at bay, a cybersecurity expert said on Sunday.

“We are still assessing the damage,” Sharon Nimirovski, the founder and CEO of Tel Aviv-based cyber firm White Hat, said in a phone interview. “We are working on this event around the clock and Israeli firms have been hit but we still believe it is minor. We are still investigating. The systems have been infected, but we don’t see damage. The attack reached the computers but was blocked.”

“We have no idea what is going to happen today – it is still only the early hours of the day. We are already seeing a second version of the attack that was released yesterday because the first was blocked,” he said.

The cyber extortion attack, which locked up computers and held users’ files for ransom, was believed to be the biggest of its kind ever recorded, disrupting services from the US to Russia, the UK, Spain and India. It appeared to exploit a vulnerability purportedly identified for use by the US National Security Agency and later leaked to the internet.

The unprecedented global ransomware cyberattack has hit more than 200,000 victims in more than 150 countries, Europol executive director Rob Wainwright said Sunday.

Britain’s National Cyber Security Center said Saturday teams were working “round the clock” to restore hospital computer systems after the attack forced British hospitals to cancel and delay treatment for patients. In Russia, where a wide array of systems came under attack, officials said services had been restored or the virus contained.

Baruch Carmeli, Head of National Cyber Authority, attends a meeting of the Conference of Presidents of Major American Jewish Organizations at the Inbal Hotel in Jerusalem, on February 20, 2017. (Yonatan Sindel/Flash90)

Two security firms — Kaspersky Lab and Avast — said they had identified the malicious software behind the attack, with Russia the hardest-hit country.

“We are at the height of a world cyberattack, in which close to 100 nations have been hit. As of now, there has been no damage to Israel’s critical infrastructures,” Prime Minister Benjamin Netanyahu said at a weekly cabinet meeting in Jerusalem on Sunday. “The other damage is minor, as of now, but everything can change.”

Israel set up its cyberdefense systems, including the National Cyber Authority, “in the understanding that there is a new danger that is still ahead of us,” he said. Netanyahu called on all Israeli citizens to obey the directives of the cyber authority. “There will be more developments and we will need to invest more resources” to ensure that Israel’s civilian and military institutions are protected against such attacks, he said.

On Saturday, the nation’s top cybersecurity official said there was no evidence so far that Israel fell victim to the global cyberattack.

Baruch Carmeli, the head of the National Cyber Authority, said in a statement that there was “no indication” that Israeli bodies had been compromised in the massive electronic assault.

Carmeli noted, however, that many of the country’s computer networks were currently inactive due to the Sabbath, and thus a definite assessment could only be made Sunday. “We are preparing,” he noted.

He added that the authority was in contact with cyber officials in Israel and around the world in order to minimize any potential damage.

White Hat’s founder and CEO Sharon Nimirovski (Courtesy: Nadav Cohen)

Nimirovski – whose firm, White Hat, employs teams of hackers to scour the dark web in search of criminal activities aimed at its clients, which include hospitals, financial institutions in Israel and abroad and government institutions in Israel – said that on Friday afternoon its employees spotted an attack on 16 hospitals in the UK. “It was a widespread attack,” said Nimirovski. The desk entered a high alert mode — which they call “DEFCON 2” — the second-highest alert (the highest is when Israel is under attack), and started to investigate the type of the attack, its spread, location and damage.

“We sent our customers the first vaccine against the attack within an hour,” he said. The “vaccine” included IP addresses, URLs and file names which its customers were told to block. Workers at firms in Israel went into work on Friday afternoon — when companies are generally closed for the weekend — or connected remotely to install the “vaccine,” Nimirovski said.

As the attack spread even further globally, Israel’s National Cyber Bureau started communicating with the local cyber community and convened members of the Israeli cyber forum, which gathers 250 cybersecurity experts from public and private cyber institutions. “It was a huge conversation which began Friday evening, with everyone pitching in and talking and giving advice and analyzing the event,” Nimirovski said.

“We all joined forces and helped to block the attack,” Nimirovski said. “It was like a war, everyone put on their uniform and helped. The cyber bureau began coordinating everything.”

The National Cyber Bureau sent out documents to all major companies in Israel and to critical infrastructure utilities and posted instructions on its website on how to prevent the attack.

It was a cooperation that worked, Nimirovski said. But luck also played a huge part in the event, he said, because most of the businesses were closed for the weekend. “What would have happened if all this had happened on a Monday morning or any other day? That is a big question.”

White Hat was monitoring the dark net to determine who was behind the attacks and was using “sophisticated means” to catch them, he said.

Erez Kreiner, a former director of information security at Israel’s Shin Bet security service who now heads his own cybersecurity consultancy (Courtesy)

The scope of the cyberattack was unprecedented and future ones will only get bigger, said Erez Kreiner, a cybersecurity consultant and a former director of information security at the Shin Bet, Israel’s security agency. For 35 years he helped foil cyberattacks on Israel.

“The damage done by this attack is not worse than other attacks we have seen before, and is not more serious than others – the techniques and tools it uses are not different. What is different is its scope,” said Kreiner. “In future things will only get worse – the ability for such large-scale attacks exists. When they will happen again depends only on the intentions of the perpetrators.”

This attack apparently used a piece of malicious software called “WanaCrypt0r 2.0” or WannaCry, which exploits a weakness in Microsoft’s Windows. Microsoft released a patch — a software update that fixes the problem — for the vulnerability in March, but computers that have not installed the security update remain vulnerable.

What is interesting about the attack is that the criminals appeared to exploit a vulnerability purportedly identified for use by the US National Security Agency and later leaked to the Internet, said Ofer Israeli, the CEO of Illusive Networks, an Israeli cybersecurity startup.

“What we are seeing is the tip of the iceberg,” said Israeli. “The attacker was not very sophisticated and hence the first wave of the attack was stopped, even if apparently a second version has already been released. But cyber criminals can take the lethal capability that has been exposed and strategically and surgically now go after an organization in a targeted and much more damaging way.”

“I have no doubt that over the next few months, down the road, we are going to see a more sophisticated and more targeted and more devastating attack. As we speak this is already happening. We will see it only in later months,” he said.
