Over the past two months, we experienced several cyber-attacks here at the Alma Center, in which Iranians masqueraded as well-known researchers from Israel, England, Saudi Arabia and the USA, to infiltrate our information systems.
Except for one case, in which the hackers impersonated the Saudi G-20 Summit secretariat, Dr. Hossa Al-Mutair, and invited the writer of this article to an alleged summit in Riyadh, every case involved reports sent to us for our opinion, some of them original reports stolen from fellow research centers. Providing opinions to one’s colleagues on their research reports is a common practice among researchers, so when we received a report from such a well-known researcher, we were flattered and immediately responded to the request. The dialogue with the attackers took place via email and WhatsApp messages, with the attackers using authentic images and electronic signatures of those whose identities were stolen.
Why do the Iranians attack research centers? Why bother stealing information that was already published? What are they trying to achieve? In general, it can be said that cybernetic campaigns can have three objectives: infiltrating to obtain intimate information, damaging software systems, and influencing public opinion.
In our case, we found evidence of an attempt to obtain information, and it is possible that the attackers believed that receiving our intimate opinion on research material stolen from another research center would reveal to them “how Israeli intelligence officers think”. The Alma Center, despite being a completely independent, non-governmental organization, is considered a “research center of the Zionist entity” by Iran, as is the INSS, the research center from which the report was stolen. According to the Iranians, former IDF officers are still affiliated with the IDF, and obtaining access to them is worthwhile.
Another incident occurred when a report was sent to us, seemingly by Barbara Slavin, director of the Future of Iran Initiative at the Atlantic Council’s South Asia Center. The report, on American policy towards Iran, appeared highly authentic. Only after the Iranians used this tactic against the Alma Center again did we realize that this report was a cyber-attack as well, and may even have been an actual report stolen from Slavin without her knowledge. After realizing this a few months too late, we learned that the cybernetic battlefield is not solely Israel’s and Iran’s, but rather a global one, in which this Iranian tactic is used against international entities as well.
Fortunately, we have not discovered any evidence of damage to our information systems. However, regarding the attack’s influence on us, the feeling that a stranger is creeping around your “bedroom” and inviting you to a summit taking place in a country with no foreign relations with Israel, undoubtedly left us sleepless for several nights and caused us to allocate several solid work days to research the issue.
What is interesting is that, cybernetically speaking, the attacks were not very sophisticated. The attackers utilized fairly simple cybernetic and technological tools that allowed them to steal passwords as users entered them into fabricated Google pages. And yet, the level of sophistication, psychologically speaking, was extremely high. The attackers understood how we think, why and how we would respond, and what would not arouse our suspicion. The feeling that someone in Iran knows and understands us this well is somewhere between flattering and outright disturbing…
In general, there has been a significant increase in Iranian cyber-attacks on targets in Israel in particular and in the West in general, and the COVID-19 crisis may have played a role as well. Cyber-attacks are inexpensive, allow ambiguity, and, according to Guy Mizrachi, vice president of “Rayzone Group,” staying indoors encourages ingenuity amongst the attackers.
Just last week a cyber-attack occurred on about 40 Israeli companies associated with Israel’s logistical supply chain (imports and exports). It should be noted that some of these companies are responsible for the supply and distribution of COVID-19 vaccines. The suspicion is that the attack was launched to obtain information.
The cyberworld has become an inseparable part of the Campaign Between Wars between Israel and Iran. Israel is not the only one waging this war (primarily on Syrian soil, using kinetic means); Iran is waging it as well, also using cybernetic methods. Boaz Dolev, CEO of “ClearSky Cyber Security”, explains that the Iranian attacks occur on three levels. The first is personal attacks on researchers (as in the case of the Alma Center), carried out by the known Iranian cyberwarfare group “Charming Kitten”. The second is phishing attacks on Israeli companies’ computer systems, including the financial sector, in which the Iranians have demonstrated capabilities that have improved over time; for example, the “Muddy Water” hacker group succeeded in infiltrating dozens of Israeli companies over the past year. The third level is attacks on national systems’ infrastructures, like what happened last May, when Iran attacked Israel’s water infrastructure. Luckily, Iran’s capabilities in this field range from low to medium, allowing Israel to efficiently protect these infrastructures from damage.
What prevents Iran from executing much more destructive cyber-attacks? Why have system paralyses not occurred until now?
There are several explanations, according to Limor Kessem, a senior security advisor at IBM. First, Israel’s defense capabilities are among the highest in the world. Second, proportionality and deterrence are taken into account, as is done in the kinetic world of the Campaign Between Wars. Here too, the two sides are careful to avoid executing attacks that would bring dangerous retaliation.
To conclude, cyber security companies are an extremely important layer in the wall of defense in the cybernetic sector. However, the user ultimately plays the most vital part; awareness and careful attention are the soundest defense against hostile cybernetic activity.
To learn more about the Iranian cyber threat and the latest attacks in Israel, join us next Tuesday, December 22nd, 2020, at 8 pm IST, 1 pm EST, for Alma Center’s webinar “The Iranian Cyber Threat.”
The article was written with the assistance of Konfidas, a cybersecurity company.