allegro60 - Fotolia
Dozens of white-hat hackers gathered in a crowded conference room on the second floor of Tel Aviv’s Ernst & Young office building in early April 2016, looking to collect intelligence and disrupt “Operation Israel” (or OpIsrael for short), an annual hacking campaign by pro-Palestinian hackers loosely affiliated with hactivist group Anonymous.
Among the people there were employees of some of the top security firms in Israel, leading academics, computer science researchers and representatives of government agencies.
This was the fourth time IL-CERT (Computer Emergency Response Team) had gathered to defend against possible incursions. Indeed, every April for the last few years it has worked with the national cyber staff in the Israeli prime minister’s office, as well as units in the Israeli intelligence agency, Shin Bet, and the Israeli Defence Forces to repel the attacks.
Citizens and security researchers share information with IL-CERT, allowing it to analyse attacks in real time. During the attacks its role is to distribute information and intelligence on OpIsrael, along with information collected on the dark web, although it’s unable to provide professional guidance beyond offering a form of cyber first aid to organisations targeted by hackers.
The CERT was set up 2011 and is run by dozens of volunteers from startups, academia and industry, said Gadi Evron, CEO of security startup Cymmetria, which specialises in cyber deception solutions, and who also acts as the head and founder of IL-CERT.
Gathering once a year
“We gather here once a year, not only because of the concentrated attacks against Israel, [but because] it is a chance for all of us to see each other, as we’re all volunteers,” he said.
Evron regards the activists behind OpIsrael as terrorists rather than hackers. “Ultimately, their goal is to create media and public panic. Most of the attacks are directed to catch media’s attention,” he said.
“We gather here once a year, not only because of the concentrated attacks against Israel – it is a chance for all of us to see each other, as we are all volunteers”
Gadi Evron, Cymmetria
IL-CERT volunteers estimated that dozens of private and small businesses websites have been attacked this year, and a number had their websites defaced.
Hackers attempted unsuccessfully to attack the websites of two major banks, plus a number of company and government websites. The attackers also collected a list of Israeli soldiers’ profiles on Facebook, with the intention of defacing them.
Close the back door
Some of the automatic tools used by OpIsrael hackers to create the DDoS attacks were written by Israeli companies and contain a backdoor that allows investigators to discover the identity of the attacker.
Members of the collective witnessed cross-site scripting (XSS) attacks, SQL injection attacks, illegal acquisition of databases and the use of automatic tools to make brute force attacks on Facebook profiles.
Discount Bank shuts down overseas web access
“On the day of the event I got a message from a friend saying she couldn’t access Discount Bank’s website. After a quick check I found that the website’s elements in the cache memory were loading, but customer identification information was not, and the bank’s DNS was not recognised,” he said.
Ben Hamu learned from OpIsrael’s IRC channel that Discount Bank’s private customer website was a target for the attackers. Other checks showed the bank’s website could not be accessed from Google’s DNS servers, or from Linux terminals abroad.
“It seems that Discount Bank took the well-known approach of blocking all communication from abroad to Israel that day, which didn’t allow many Israelis abroad to access the bank’s local websites, perform actions or check their account,” said Ben Hamu.
Discount Bank declined to comment for this article.
Easy to recover
Estimates suggest the damage this year was minor, and experts say sites that have been defaced will be easily recovered. Unlike previous years, most of the attackers were juveniles, suggesting more sophisticated black-hat hackers were busy elsewhere.
“In previous years we saw more DDoS attacks, more sophisticated attacks. This year was quieter. They seem more organised, but serious Anonymous hackers are busy with other operations,” said Evron.
Guy Lotem, attack detection team leader at CyberReason, estimated that direct economic damage from the attacks was not significant. “The damages are relatively easy to recover from, and the financial damage is low,” he said.
The real cost is overtime
The real economic damage is in the overtime paid for IT professionals and the preparations for the attacks. Eli Cohen, CEO of Experis, estimated that the cost of preparing for the attack to the Israeli economy was ILS50-60m.
“OpIsrael is mainly a chance to pen-test and exercise our systems,” said Lotem. “We didn’t witness any sophisticated attacks this year, and inevitably, someone who wants to execute more complex attacks, will not do it on the day of OpIsrael.”