A Palestinian youth wearing masks used by computer hackers who attacked a number of Israeli websites recently, seen backdropped by the Temple Mount in Jerusalem’s Old City, April 8, 2013. Photo: Sliman Khader/Flash90.

CTech – Research carried out by US data protection company F5 Labs, which was obtained by Calcalist, reveals that in the past quarter of 2020, Israel has become the number one target of hackers and cybercriminals. According to the study, Israel has surpassed India, the US, Russia, Turkey, and Saudi Arabia — all countries that are at the junction of clashing international interests — at the top of the list.

Before this year, Israel was not considered a preferred target of cyberattacks. Though throughout the year it made it into the Top-5 list, this is the first time it is the outright leader, with 180,000 identified hacking attempts.

The study is based on a detailed analysis of data on honeypot traps collected between the middle of July to the middle of October 2020. Honeypots are the name given to tools that mimic attackers’ targets and allow security researchers to monitor hackers’ online behavior.

“It requires more research to determine whether the attackers are geostrategic adversaries that seek to obtain a foothold in the country or players that have no specific interest in Israel, but aim to divert attention towards it as a smokescreen for their true goals,” said Eran Arel, who manages F5’s activities in Israel.

“Even though Israel is a savvy country and home to many talents in the cybersecurity sector, what we witnessed were fairly simple attacks. It is a reminder that everywhere in the world, including in Israel, there are vulnerabilities that can be exploited to obtain a foothold, and that it is up to us to strengthen our most basic data protection infrastructure,” he added.

The report notes that the most common IP addresses identified as sources for hacks were linked to Russian networks. That said, F5 is cautious about attributing the attack directly to Russians. It wouldn’t, however, be too much of a stretch to point out the entrance of Russian hackers on the scene, particularly in light of the recent ransom attack on Israeli insurance company Shirbit, which was attributed to Russian, or at least Russian-speaking, hackers, even though the company claims that the source of the attack may have been Israel’s arch-nemesis Iran.

“Tensions with Iran, the administration change in the US, and the peace agreements between Israel and Muslim states, which many were opposed to, all increase the motivation for carrying out cyberattacks at this time,” Lior Frenkel, the CEO and co-founder of Waterfall Security Solutions, told Calcalist. “This time, however, there seems to be an additional reason behind the recent string of attacks — greed. The criminal underworld is turning to cybercrime. Ransom attacks are the shiny new method that criminal organizations are embracing en masse.”

Frenkel further estimates that the shift to cybercrime is a trend that was accelerated by the Covid-19 crisis. “Covid-19 hurt criminals too and they are looking for alternative sources of income,” he said, adding that professional and even state-level hacking tools are readily available for purchase on the darknet, including how-to manuals and guides. “You no longer need to be an expert hacker; all you need to do is rent out hacking services and they’ll do the job for you.”

“Israel is a very advanced country with a high rate of use of information technology. As such it is a clear target for ransom attacks. It is home to a wide array of potential targets from various tech companies to production facilities, financial organizations, and government agencies. The combination of political targets and financial targets helps explain the current leap in the number of attacks. The business sector must prepare for a long period in which it will be a significant target for attacks, whether the motivation is terror, extortion, or a combination of the two,” Frenkel said.

Frenkel’s assessment joins that of other cybersecurity experts. Various estimates suggest that the attack that paralyzed much of the US government’s computer network, which started with an attack on SolarWind’s IT infrastructure originated in Russia. But according to a report by Israeli cyber company Prevasio, it appears that Israel too is among the Russian hackers’ targets. In a list of targets posted on PasetBin, apparently by the hackers themselves, appear Israeli universities, an Israeli commercial television channel, and even one of the largest Israeli data security firms.

One of the most troubling scenarios is that sophisticated hacking tools, like the ones used by the SolarWinds attackers, will end up in the hands of state-level players that are hostile to Israel. That’s what happened three years ago when a NotPeya attack used ransomware to paralyze the business activities of Western companies during a strategic cyberassault on Ukraine. The malware found its way to North Korean hackers who re-engineered it for their own purposes as WannaCry and put it to use in a long series of attacks on Western targets. The accumulated costs reached into the billions, not including the ransom payments made to release the hacked computers.

When we examine the volume of successful cyber-attacks on the Israeli market in recent months — the ransom attack that paralyzed semiconductor company Tower, the attack on Shirbit, the attack on Amital, the breach of Intel’s Habana Labs, along with dozens more that were never made public — it is apparent that there is a consistent trend of making Israel a preferred target for cyberattacks.

“There is no doubt that this is only the beginning and that this is the largest attack that the world has known in a long time,” Assaf Amir, the head of SentinelOne’s Cyber research division said. “In our tracking of both state-level and criminal hacking groups, we have noted an increase in attacks on Israel.”

“On the one hand, there are state actors, mostly Iran, Hamas, and Hezbollah, who are expanding their attacks into cyberspace which allows them to escalate the conflict without the repercussions of a direct conflict with Israel; and on the other, there are cybercriminals who have increased the use of ransom attacks. In addition, we can see a trend of combined attacks, in which cybercriminals carry out attacks on behalf of states or state actors disguise themselves as criminals, which is apparently what happened in the case of Shirbit,” Amir concluded.