Iranian-linked hackers have targeted leading Israeli organizations in a “new phase” of cyberwarfare
Two Israeli cybersecurity firms said Thursday that they thwarted a large-scale Iranian-linked hacking operation in September called Operation Quicksand, which targeted “leading Israeli organizations”.
The alleged attack seems to indicate a “new phase” in Iranian attacks against Israel, the companies said, adding that the tools used were previously reserved for criminal operations – as opposed to destructive offensive cyber attacks by state actors such as Iran.
The allegations were made in a report by the cyber firms Profero and ClearSky. Two independent experts who read the report confirmed that its findings are consistent with what is known about hacking operations related to Iran. They stated that the incident may well be the last of the secret cyber war between Israel and the Islamic Republic.
Both requested anonymity because of their ties to the Israeli defense establishment.
According to the report, a group of hackers sent malware to Israeli organizations last month.
Israel’s National Directorate of Cyberspace refused to address the identity of the attackers, but said the information revealed in the report “is known to us and we issued a number of warnings about them in September”.
These warnings, they said, included clues specific to the attackers, which could allow potential victims to identify attempts on their systems.
What made the attack suspicious, said Profero director Omri Segev Moyal, is that it appeared to function as a criminal ransom attack, but “the main objective was not to steal data but rather to cause damage to Israeli targets.”
Data theft is often the key to ransom attacks, but in this case, “the hackers wanted to cause damage and they disguised it only as a ransom,” said Segev Moyal.
According to Fraunhofer FKIE, a German research institute that maintains a database of known hacker teams, MuddyWater (aka Static Kitten) is known to focus almost exclusively on espionage and attacks at the state level.
Although it is almost impossible to verify the identity of those behind MuddyWater and the alleged operation, cybersecurity companies have stated that their techniques are very similar to those used in the past.
For example, during the summer, an attempted attack on a number of countries in the Middle East and North Africa was reported using a very similar technique, as was an attack on Israel’s water authority.
The Israeli report noted that some key technological aspects of the hacking were identical to those used in the Shamoon cyber attack against Saudi Arabia’s Aramco in August 2012. This attack, attributed to Iran, was described at the time as the largest hacking attack in history.
Meanwhile, Reuters reported last week that the Islamic Republic itself had declared itself the target of two major cyber attacks – one of which later turned out to be on its ports. As a result, Internet access in Iran has been partially cut off. No further details are known.
According to Reuters, since the beginning of the year, Israel has reported attempted cyber attacks on power plants and water services, with officials pointing the finger at Iran or Iranian-backed groups.
A fire at the Iranian nuclear facility in Natanz three months ago prompted some Iranian officials to say it was the result of cyber-sabotage. Israeli Defense Minister Benny Gantz said at the time that his country was not “necessarily” behind every mysterious incident in Iran.
Tensions in the cyber arena have been high between Israel and Iran since the so-called Stuxnet attack more than a decade ago, which attempted to stop Iran’s nuclear program by attacking the uranium enrichment facility at Natanz. It is generally believed that Stuxnet was developed jointly by the United States and Israel.
According to the authors of the Israeli report, “the tension between Israel and Iran in the field of cyberspace could be an explanation” of the latest alleged attack by the Iranian group. They further hypothesize that the “retaliation” for the assassination of General Qassem Soleimani of the Revolutionary Guards last January “is another possible explanation”.