Steve Elwart, P.E., Ph.D., is the executive research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security. He can be contacted at firstname.lastname@example.org.
While the rocket attacks launched against Israel have been in the news the last few days, there have been other, more subtle, assaults against the Jewish state. The difference with these attacks is that anyone may fall victim to them.
According to a newly released report by Norman ASA, a Norwegian cyber security company, a series of cyber attacks has hit Israel over the course of the last year. The attacker is unknown at this point, but the purpose is assumed to be espionage and surveillance.
According to a Times of Israel report, the campaign reached a crescendo with an attack on Israeli police computers. A virus found on those computers was serious enough for law enforcement agencies to take them off the Internet for one week.
Roni Bachar, head of Israeli security firm Avnet, said that the purpose of the virus was not to completely shut down the computers, but was more likely to have been to collect information from them.
“The attack was not sophisticated or complicated in any way,” he said, and neither was the virus. “But it was very similar to other data-mining attacks that we at Avnet have dealt with in recent years.”
Phony email sent to Israeli officials
The virus was delivered via an email message supposedly from Benny Gantz, the chief of the Israeli Defense Force (IDF) General Staff. A tip-off that the message was not legitimate should have been the fact that the e-mail came from the address email@example.com. It is highly unlikely that the head of the IDF General Staff would use Gmail for official communications.
The e-mail contained an executable file, probably named “IDF strikes militants in Gaza Strip following rocket barrage.doc … .scr,” which was packaged in a compressed file. Many people would miss the .scr extension because of the long file name; .scr is the Windows screensaver extension, and Windows runs such a file exactly as it would an .exe.
Inside the compressed file were the virus, called “Xtreme RAT” (RAT stands for “remote access Trojan”), and a decoy document named barrage.doc.
Decoy "barrage" document
When the compressed file was opened, it automatically ran the virus and opened up the “barrage” document, letting the user think they were only reading a news article.
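The two warning signs described above, a free-webmail sender claiming to be an official and a padded double extension ending in .scr, can both be checked mechanically at the mail gateway. The following Python triage routine is an added example written for this article, not code from Norman ASA, Avnet or any other party named here; the sender address and the extension lists are constructed for illustration.

```python
import re

# Extensions Windows runs as programs. ".scr" is the screensaver extension and
# executes exactly like ".exe", which is why it works as a disguise. Illustrative set.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs",
                         "js", "jse", "wsf", "hta", "msi", "lnk"}
# Extensions a reader expects on a harmless document.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx",
                       "txt", "rtf"}
# Free webmail providers an official sender would not normally use (illustrative set).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

_DOC_EXT_RE = re.compile(
    r"\.(" + "|".join(sorted(DOCUMENT_EXTENSIONS)) + r")(?![A-Za-z0-9])", re.I)
# Runs of spaces, ellipses or dots used to push the real extension out of view.
_PADDING_RE = re.compile(r"(\s{3,}|…|\.{3,}|_{3,})")


def real_extension(filename):
    """The extension Windows acts on: text after the LAST dot, trimmed and lower-cased."""
    name = filename.strip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def analyse_attachment_name(filename):
    """Return human-readable reasons a filename looks like a disguised executable."""
    findings = []
    ext = real_extension(filename)
    if ext not in EXECUTABLE_EXTENSIONS:
        return findings            # a real document: nothing to flag by name alone
    findings.append("executable extension ." + ext)
    stem = filename.strip().rsplit(".", 1)[0]   # everything before the real extension
    if _DOC_EXT_RE.search(stem):
        findings.append("document-like extension hidden earlier in the name")
    if _PADDING_RE.search(stem):
        findings.append("padding (spaces/ellipsis) pushes the real extension out of view")
    if len(filename) > 60:
        findings.append("very long file name (%d chars)" % len(filename))
    return findings


def analyse_sender(address):
    """Flag a sender address whose domain is free webmail rather than an official one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in FREE_MAIL_DOMAINS:
        return ["sender domain %s is free webmail, not an official domain" % domain]
    return []


def triage_message(sender, attachment_names):
    """Combine sender and attachment checks; returns (verdict, findings)."""
    findings = analyse_sender(sender)
    for name in attachment_names:
        findings += ["%s: %s" % (name, f) for f in analyse_attachment_name(name)]
    verdict = "suspicious" if findings else "no name-based indicators"
    return verdict, findings


if __name__ == "__main__":
    # Constructed sample modelled on the article's description; the address is made up.
    sender = "chief.of.staff.example@gmail.com"
    attachments = ["IDF strikes militants in Gaza Strip following rocket barrage.doc … .scr"]
    verdict, findings = triage_message(sender, attachments)
    print(verdict)
    for f in findings:
        print(" -", f)
```

The check is deliberately name-based only: a gateway that also unpacks archives and inspects the member's actual file type (PE header versus OLE document) would catch the same attachment even without the telltale name.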
Reports from other security agencies indicate that this malware appears to have been used in previous attacks targeting Syrian anti-government activists. One activist’s computer had become infected as a result of a Skype chat request from another activist. What raised the suspicion of the activist was that the fellow activist had already been arrested and could not have started the chat.
Xtreme RAT is a computer virus that is openly sold on the Internet as a remote access tool for about $125.
By studying the metadata hidden in the e-mails, the KrebsOnSecurity blog determined that the hackers could be a group of young men from Algeria, calling themselves the Gaza Hackers Team, which claimed responsibility for defacing Israeli government sites earlier this year with messages calling for “Death to Israel.”
Trend Micro, a Japanese security software company, determined that two emails were sent on Nov. 8 and Nov. 11 that primarily targeted the government of Israel. Others, however, were also sent to the U.S. Government at “state.gov” email addresses as well as “senate.gov” and “house.gov” email addresses. Other email targets included the governments of the U.K., Turkey and New Zealand.
Forensic work on the Xtreme RAT samples also indicates that the same person or group was behind all the attacks, since every sample studied directed the infected computers to report back to the same command-and-control IP address.
The hackers initially had the infected computers report back to servers located in the Gaza Strip, but later had them report back to servers in the U.S. and U.K.
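The reasoning in the two paragraphs above, that samples reporting to one address belong to one operator and that the operator later moved the reporting address, is something a defender can reproduce from ordinary egress logs: internal hosts that all beacon to the same unusual destination form a cluster, and the cluster reappearing against a new destination marks the move. The following Python script is an added example written for this article, not analysis code from Norman ASA, Seculert or Trend Micro; its log lines and addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed egress-log lines in a firewall/proxy style. Internal hosts are 10.1.1.x;
# external addresses come from RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2012-11-01T09:00:05Z src=10.1.1.21 dst=192.0.2.10 dport=443 bytes=612
2012-11-01T09:00:09Z src=10.1.1.37 dst=192.0.2.10 dport=443 bytes=598
2012-11-01T09:00:14Z src=10.1.1.52 dst=192.0.2.10 dport=443 bytes=605
2012-11-01T09:01:02Z src=10.1.1.21 dst=203.0.113.5 dport=80 bytes=14022
2012-11-08T09:00:05Z src=10.1.1.21 dst=198.51.100.77 dport=443 bytes=611
2012-11-08T09:00:10Z src=10.1.1.37 dst=198.51.100.77 dport=443 bytes=600
2012-11-08T09:00:16Z src=10.1.1.52 dst=198.51.100.77 dport=443 bytes=604
2012-11-08T09:02:30Z src=10.1.1.88 dst=203.0.113.5 dport=80 bytes=9800
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def shared_destinations(events, min_hosts=3):
    """Map each destination to the internal hosts that contacted it, keeping only
    destinations reached by at least min_hosts hosts (one host alone proves little)."""
    by_dst = defaultdict(set)
    for e in events:
        by_dst[e["dst"]].add(e["src"])
    return {dst: hosts for dst, hosts in by_dst.items() if len(hosts) >= min_hosts}


def related_destinations(shared):
    """Group destinations contacted by the same set of hosts: the same infected
    machines reporting to a new address is the signature of a C2 move."""
    clusters = defaultdict(list)
    for dst, hosts in shared.items():
        clusters[frozenset(hosts)].append(dst)
    return clusters


def c2_timeline(events, hosts, destinations):
    """Ordered (first_seen_date, destination) pairs for one host cluster."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] in hosts and e["dst"] in destinations and e["dst"] not in first_seen:
            first_seen[e["dst"]] = e["ts"].date().isoformat()
    return sorted((day, dst) for dst, day in first_seen.items())


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    shared = shared_destinations(events)
    for hosts, dsts in related_destinations(shared).items():
        print("hosts", sorted(hosts), "share destinations", sorted(dsts))
        for day, dst in c2_timeline(events, hosts, set(dsts)):
            print("  first seen", day, "->", dst)
```

On the constructed data the popular web server 203.0.113.5 is dropped because only two hosts reach it, while the three hosts that beaconed to 192.0.2.10 on 1 November all show up against 198.51.100.77 a week later. Real logs need the same idea applied with an allow-list of known-good destinations and a larger host threshold, otherwise every update server looks like a cluster.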
The attacker has not been identified, but Aviv Raff, CTO of Seculert, an Internet security company that also has been studying the attacks, believes that the perpetrators could be Hamas hacktivists.
This new development demonstrates that cyber warfare is no longer confined to nation-states such as China and Russia. It is global in scope and available to anyone with a moderate amount of computer skills.
Intelligence agencies have a new challenge awaiting them. Up to this point, their attention has been trained on large entities that have endless monetary resources at their disposal. These were the same countries that were perceived as threats to the West during the Cold War. The discovery of this latest operation, however, demonstrates how easy it has become for a small group, or even an individual, to execute a cyber intelligence operation.
Thanks to the relative ease of acquiring a remote access virus, an attacker doesn’t need large capital to conduct a series of targeted attacks. RATs traditionally had been associated with Chinese-based attackers, but this latest attack shows that other, smaller, groups can utilize these tools as well.
You can help protect your computers from cyber attack by taking the following steps:
Enable a firewall. Microsoft has instructions available on the web for turning a firewall on if your computer is running Windows 7, Windows Vista or Windows XP.
Make sure your computer has the latest updates. You can have your computer automatically update its operating system if you are running Windows 7, Windows Vista or Windows XP.
Do not open attachments in e-mails from people you do not know.
Do not download pirated software (not only is it illegal, but if your computer is infected while downloading pirated software, who do you report it to?).
Use strong passwords. A strong password is one that has at least 15 characters with numbers and symbols combined. You can make up your own, or you can automatically generate one. You can also make up a password phrase. For example, you could use the phrase, “I would like 2 green eggs and ham!” The password phrase would be “Iwl2geah!” (without the quotes). Never use words like your mother’s maiden name, your pet’s name, etc.
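The password step above gives three pieces of guidance that can be checked in code: the 15-character minimum with digits and symbols, the passphrase-to-password derivation (first letter of each word, keeping the closing punctuation), and the ban on personal words such as a pet's name. The following Python helper is an added example written for this article, not a tool the author recommends; the personal-word list and the generated-password length are assumptions. Note that the article's own derived example, “Iwl2geah!”, is 9 characters long and so falls short of the 15-character rule stated in the same step, which the checker reports.

```python
import re
import secrets
import string

MIN_LENGTH = 15                      # the article's stated minimum
SYMBOLS = set(string.punctuation)


def passphrase_to_password(phrase):
    """Keep the first character of each word, plus any punctuation that ends the
    phrase; this is the derivation the article applies to its example phrase."""
    words = phrase.split()
    password = "".join(w[0] for w in words)
    trailing = re.search(r"[^A-Za-z0-9]+$", words[-1]) if words else None
    if trailing:
        password += trailing.group(0)
    return password


def password_problems(password, personal_words=()):
    """List the ways a password falls short of the article's guidance (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("only %d characters, fewer than %d" % (len(password), MIN_LENGTH))
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbols")
    lowered = password.lower()
    for word in personal_words:          # e.g. mother's maiden name, pet's name
        if word and word.lower() in lowered:
            problems.append("contains personal word %r" % word)
    return problems


def generate_password(length=MIN_LENGTH + 5):
    """Random password from letters, digits and symbols, drawn from the OS CSPRNG via
    the secrets module and re-drawn until it satisfies password_problems()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    derived = passphrase_to_password("I would like 2 green eggs and ham!")
    print(derived, password_problems(derived))
    # A longer passphrase clears the 15-character bar (constructed example).
    longer = passphrase_to_password("I would like 2 green eggs and ham! Really badly 4 lunch & tea")
    print(longer, password_problems(longer))
    print(generate_password())
```

A longer phrase is the easy fix: the derivation keeps one character per word, so a phrase of fifteen or more words clears the length rule while staying memorable.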
In conventional warfare, “The generals are always preparing for the last war” – the same also holds true in cyber warfare. Many corporations and individual users are trying to protect their systems from existing threats alone, with no thought being given to the new threats that are out “in the wild.”
The cyber threats that are attacking governments and multinational companies can now also be used to bring anyone’s computer to its knees.