Is Iran behind a series of cyberattacks against Israeli companies in recent days? Following the attack on Amital Data last week and a string of hacks of shipment and logistics companies that were exposed in Calcalist, on Sunday hackers claimed to have breached the servers of Israeli chip manufacturing company Habana Labs, which was acquired by Intel last year.
The nature of the recent attacks strengthens the assessment that the hackers were employed by, or at the very least, linked to Iranian cyber operations, with some theories suggesting they were trying to sabotage the delivery of Covid-19 vaccines that Israel had purchased. The attack characteristics that suggest this include the fact that so far there has been no demand for ransom and that in both cases, the malware used was of the Pay2key variety, which was used in a separate series of attacks on dozens of Israeli companies and organizations, as exposed by Check Point analysts. However, it is difficult to pin down the identity of the attackers based on the malware they use since it is common for hacking groups to trade tools or upgrade the malware used by others in order to blur their tracks.
Pay2key has been associated with Iranian hackers for several months. It is a relatively new type of malware, first identified last June. While it has been linked to Iranian hackers, it is not clear whether they developed it themselves or purchased it from other developers. One of the characteristics of its use so far is that its activators tend to demand ransoms that are lower than the market standard. “
There are two types of attacks that are common to the world of cryptography,” Gal Ben David, one of the founders of Israeli cyberintelligence company IntSights told Calcalist. “There is ransomware that encrypts the attacked company’s data and demands the transfer of money to release the seized information and then there are encryption tools that simply destroy the breached data, making it irrecoverable. The second method is used for sabotage purposes and therefore believed to be used by hostile states or organizations attacking a specific company. State actors sometimes also demand a ransom because it makes the attack appear more innocent, if what you are allegedly after is money and not simply to do harm,” he added.
Ben David tends to believe that the latest string of hack does not constitute an “official” Iranian attack against Israel, primarily because of the software that was used. “Generating headlines is the last thing espionage organizations want when selecting which attack to carry out. In this case, the hackers used ransomware which made it certain that the attack would be revealed. If a state-level actor would have wanted to sabotage Israel’s vaccine supply chain, it would have made it look like a malfunction.”
They could, for example, sabotage the refrigerator systems, which are connected to sensor software, causing the program to present the correct temperature needed for storage, while the actual units were inactive, suggested Ben David. He added that “no one would take responsibility for harming vaccines, even an enemy state. I find it hard to believe that if there was an attempt to harm the vaccine supply, anybody would take credit for it. It would be hard to prove that Iran is behind it too since state agencies are good at hiding information. One of the reasons Russian hackers were discovered in the past was because of their poor use of English. Spy organizations, including the Iranians who are very good at cyber, don’t behave in such a way.”
The fact that it doesn’t appear to be a state-coordinated attack doesn’t rule out the involvement of Iranian hackers. On the contrary: “It is most likely a case of anti-zionist activism, obviously targeting Israelis. Combine that with the Check Point research that links the malware to the Iranians and you don’t have to be a genius to figure out where the attackers come from,” Ben David said.
Source » calcalistech