Analysis: On the Fallout from the Amital Cyber Attack. Tracking Bitcoin Payments Back to Iran

In late 2020 someone carried out a major hacking attack on Israeli supply and logistics firms. Worse, it wasn’t a ransomware attack demanding money but one aimed simply at obtaining information, and this series of attacks was very successful. The attackers first penetrated Amital Data, an Israeli software developer that supplies specialized software to firms that distribute goods, including airline cargo sales agents, customs brokers, freight forwarders and shipping agents. Among the data stolen was a list of Amital customers, including login data. With this the attackers were able to hack 40 or more Amital customers. This may have made it easier to hack into twenty or more logistics firms that were not Amital customers. The goal of this campaign, which is still ongoing, was to get an accurate picture of the military supply chain as well as of the firms that would be key targets in wartime in order to disrupt the entire civilian economy. No one took credit for these attacks, which indicates it was Iran, as the Iranians have been planning major attacks on Israel for decades but were never able to carry one out.

By early 2021 the fallout from the Amital attack, which allowed a lot of other key firms to be quickly hacked, was being felt in Israel. Many of these later attacks are ransomware. Several Israeli firms paid the ransom and Israeli intelligence tracked the bitcoin payments back to Iran. This, as suspected, indicates that Iran is responsible but wants to monetize this advantage as much as possible before going into full-gloat mode. Another reason for the delay in claiming credit is the need to judge the degree of anger in Israel and the possible extent of any reprisal. Israel has a well-established reputation for taking revenge on those who attack it. For terrorists this revenge often takes the form of Mossad (Israeli foreign intelligence) agents quietly and patiently hunting down those responsible and killing them. Iranian hackers, and foreign hackers working for Iran, are aware of this risk.

One thing Iran has publicized is that it has been trying to wage Cyber War attacks on Israel, but until late 2020 all the Iranians were able to do was confirm that Israel had a formidable Internet defense capability. Iran knew that Israel established a separate CDU (Cyber Defense Unit) within its C4I Corps back in 2016 but was not deterred by that new defensive operation. Now Iran has a better idea. This all began earlier in 2020 when Israeli network security monitors discovered someone trying to hack their way into municipal water supply networks. This soon involved the C4I Corps, which is responsible for protecting the civilian Internet connections that enable the civilian economy to supply what the IDF (Israel Defense Forces) needs to operate, especially in wartime.

CDU spends most of its time assigning its Red Teams to try to hack this infrastructure as well as the purely military networks. CDU has learned a lot about network vulnerabilities and how to fix them. In response to the Amital disaster CDU is working with the victims, and with firms that were not hit, to improve cyber defenses. This includes using a multi-layer defense and better intrusion alert systems. CDU also assisted in checking the networks of Amital victims to determine if the hackers left anything behind that would make it easier to quickly launch a crippling wartime attack. CDU knows that a major problem in peacetime is motivating commercial firms to invest in better network security. Now everyone is eager to hear what CDU is advising for them and to cooperate with a nationwide effort to improve security throughout the Israeli economy. Most of the time CDU concentrates on improving cyber defenses for IDF networks, but even before the Amital attacks commercial firms were warned that they were vulnerable, especially since it was so difficult to get into IDF systems.

That applies to friends as well as foes. CDU was involved when Israel got into a dispute with the U.S. over access to the source code to the extensive software that makes the F-35 stealth fighter so effective. Details were never released but it is known that CDU red teams go over software provided with any foreign military equipment Israel buys. This has always been the case with submarines purchased from Germany and various smart bombs and other gear purchased from American defense firms. The F-35 was a special case because the aircraft was so dependent on its unique software. Apparently, CDU found some interesting vulnerabilities and a solution was quietly worked out.

The new Iranian threat became visible earlier in 2020 when Israeli network security monitors discovered someone trying to hack their way into municipal water supply networks. This soon involved the C4I Corps, which is responsible for protecting the civilian Internet connections that enable the civilian economy to supply what the IDF needs to operate, especially in wartime.

The early 2020 Iranian probe did not do any damage but CDU identified it as the kind of probe that is done in preparation for developing a major attack plan. For that strategy to work these probes are not supposed to be detected. Having your probes detected puts the target on alert and removes any Iranian hope of carrying out a surprise attack. C4I Corps had its offensive team deliver a message to Iran. This response was not announced but was apparently the cause of the subsequent collapse of the network that ran one of Iran’s major container ship ports. Traffic in and out of that port was stalled for days. Iran denied it happened but commercial satellite photos, and complaints from crews of foreign ships caught in the aftermath, as well as local truck drivers, confirmed the halt in port operations was because of a “computer problem.”

Once Iran had received its warning, CDU double-checked network security throughout the civilian supply chain the military depends on for timely delivery of supplies in war and peace. Iran was suitably warned to back off but C4I knows it won’t. Iran was still seeking revenge for the damage STUXNET did to its nuclear weapons program a decade ago and for subsequent, often very similar, Israeli attacks, both known and unknown. If the Amital attack was Iranian it represents a new level of achievement for Iranian hackers. That might also mean that the Amital effort was carried out by one of the various criminal hacking organizations that avoid any publicity and quietly sell what they steal to the highest bidder. Iran has been a customer of these hacking gangs in the past and may have let it be known that it would pay top dollar for successful attacks on key Israeli targets.

Ever since STUXNET Iran has been desperate for a win in the Cyber War department and has so far been disappointed. The Iranians keep trying and they keep developing new skills and tools, so C4I and CDU have to be even more alert. If Amital was a turning point for Iran, the Iranians were not issuing any of their usual press releases. Then again that is typical of the most devastating attacks, especially those that kill a lot of Israelis. The problem is that the Israelis make an effort to find out who was responsible and deliver retribution, often in the form of assassination teams that quietly hunt down and kill those responsible.

Knowing that Iran, and a lot of Moslem majority states, were seeking to penetrate Israeli networks, Israel developed world-class Internet defenses and offensive capabilities over the last two decades, as the Internet became more of a key factor in the global economy and military operations. This was done quietly and details did not become known unless someone attacked Israel.

The C4I Corps, before 2003 the Teleprocessing Branch, is another post-2006 War (with Hezbollah) reform that merged communications and computer operations into one organization that provided both those services throughout the armed forces. The solution was new technology and procedures. Since 2006 Israel has built a new communications system that is faster and able, according to Israeli claims, to hit a lot more targets than the 2006 era forces could manage. Much of the solution had nothing to do with radical new hardware but came from simply standardizing the procedures everyone had long used to call for fire or to deliver it. Now commanders at all levels can see the same data and call for and receive fire support quickly, in addition to everyone seeing the same information. When a target is identified the bombs, shells or ground attack follow quickly. Everyone was shown how easy and damaging it was to underestimate the enemy. In training exercises, the “enemy” is controlled by Israeli troops who are ordered to be imaginative and try real hard not to get spotted and hit. It’s been amazing what these “enemy” troops come up with, and it is necessary to keep this secret so that the real enemy does not find out. This made it clear to Iran that hacking Israeli Internet security was a worthy goal. For Israel a successful cyber attack by Iran was seen as more a matter of when, not if. More than most other Moslem nations, Iran has a better educated population and an eagerness to develop new tech not found in most Arab states. As with previous conflicts, Israel will take these recent hacks as a defeat to be learned from and eventually respond to.

Strategy Page – News Monitors
