Israelis are — with good reason — concerned about the possibility that Iran will attain nuclear weapons. But perhaps they should be more worried that Iran will be able to take over the country’s basic infrastructure, wreaking havoc with the gas, water, and electricity systems, as well as the banking system.
“If nuclear weapons were the ‘judgment day’ weapon of the 20th century, computer infrastructure hacking is the 21st century equivalent,” said Tal Pavel, an expert on Internet usage and crimes in the Middle East.
“In some ways, the threat of hacking major infrastructure systems is even worse than the nuclear threat,” he told The Times of Israel. “Only governments can afford to purchase and deploy nuclear weapons, so you know who is attacking you and how to deal with them. But anyone can develop or buy their own super-virus, potentially capable of a cyber-attack that could shut down a country for days, create panics or riots, or release dangerous substances, such as gas and sewage, that can kill people in the victim country.”
This is a problem for Israel, too, he said, as the country’s enemies become more cyber-capable. In fact, Arab or Iranian hackers may have already gone after Israeli infrastructure systems.
Pavel was speaking in the wake of a major exposé Monday that showed how groups of Chinese hackers — almost certainly working on behalf of China’s military forces — have been systematically invading major corporations and infrastructure systems in the United States. Among the companies attacked by the Chinese hackers, according to US security firm Mandiant, were several with access to information about gas, oil, and electrical infrastructure throughout the US, Canada, Mexico, and elsewhere.
One company, Telvent Canada, had blueprint designs for more than half of the oil and gas pipelines in North and South America; it was only some quick thinking by an employee that prevented the hackers from swiping the documents.
China, of course, has denied that it was involved in any attacks on the US, and unfortunately for Washington, there is no way to prove that the Chinese government was behind the attack — although, an expert told The New York Times, which broke the story Monday, “the totality of the evidence” leaves the Chinese army as the sole suspect.
Cyber-attacks against infrastructure are nothing new, said Pavel. “Just because we haven’t heard about something doesn’t mean it’s not happening,” he said. “Such attacks take place on a regular basis, but unless you are privy to the real-time events, you can’t know if an infrastructure failure is due to a hack attack or some other reason.”
A good example of this was the recent outage at Israel’s Pelephone cellphone service provider, with service shut down for millions of customers for the better part of a day. “I don’t know if this was due to a hacking attack,” Pavel said. “Only the company knows, and of course they won’t tell. But it certainly could have been, just like the Stuxnet attack on Iran’s computers several years ago could have been conducted by Israeli and US hackers, as rumor has it. But for the vast majority of us, that will always remain an open question, just like the question of whether it was hackers who attacked Pelephone will remain open.”
Fortunately for Israel, said Pavel, the countries most likely to attack in a major cyberwar are unlikely to be able to take on Israel’s electrical, gas, and water infrastructure. “Iran, Syria, and the other likely cyber-attackers are not China, which has billions of people and high levels of computer sophistication. Nevertheless, it’s certainly possible for Iran to get top-flight training for its hackers, raising their skills to the point where they can successfully attack Israel’s considerable cyber defenses.” Or, he said, they could hire hackers who do have the capability to write viruses and Trojans that can worm their way into Israel’s infrastructure.
And even without the money, computer resources, and talent of Chinese hackers, Arab and Iranian hackers can inflict plenty of damage on Israel, said Pavel. “Just a few weeks ago, we saw how Syrian hackers were able to compromise the email system of Haaretz.” The attack, by a group called the Syrian Electronic Army, was very simple (using a password to get into Haaretz employee mailboxes), but caused plenty of inconvenience for the paper and its employees.
“With all the fighting in Syria they barely have an Internet infrastructure in place these days, but despite the unrest there these hackers were able to pull off an attack,” said Pavel. It’s just a matter of time before Iranian or Arab hackers will be able to reach secure Israeli infrastructure systems, as they grow in sophistication and capabilities, Pavel said.
Pavel, who teaches at the School of Communications of Netanya Academic College, is a prolific writer on the Internet and the Middle East. “For example, next week I’ll be speaking at the annual meeting of the Israel Internet Society on what the hacking group Anonymous does in the Middle East, especially their attacks on Israel and more recent attacks on Syria,” said Pavel.
How were the hackers able to get access to Haaretz employee accounts? The same way Mandiant said that Chinese hackers were able to gain access to American infrastructure systems — by “phishing” for victims, using a convincing-looking email and getting the victim to click on a link or open an infected document. In the case of Haaretz, victims received an email with an ostensible link to an article in The British Guardian newspaper about the peace process. But the link instead led to a hacker site, which, when the victim’s computer connected to it, demanded their username and password for access. Once they typed that in, the connection was broken; the hackers had what they needed, so there was no reason to continue the pretense.
The Chinese hackers did something similar, sending an email to an employee of Telvent with a link to a document. The document, in perfect English, bore the email address of the employee’s manager. It’s only because the employee remembered the company’s policy on email links — i.e., not to click on them — that the Chinese hackers did not gain access to the company’s servers. “Phishing is a form of social engineering,” said Pavel. “The hackers search for the ‘weakest link,’ matching a message with a potential victim, using threats, rewards, fear or other psychological tactics to get the victim to click on a link or open a document that will install a virus or Trojan, giving them access to servers.”
Phishing messages, said Mandiant, are among hackers’ most successful tactics. The only way to avoid these attacks, said Pavel, is to set policies regarding document attachments and links in emails and on non-secure websites, and to ensure that employees and their family members follow those policies. “Israelis in general need to be more aware of this,” he said.