23 July 2018

Hamas preparing for cyber war

Tal Shahaf

Israel has been facing incendiary kites and balloons for months along the Gaza border. A land device has been developed against terror tunnels, terror sea vessels have been blocked by a marine obstacle, and some method of countering terror balloons may also be found. At the same time, however, in the digital sphere, Hamas is trying to develop cyber capabilities that will enable it to attack Israeli civilians without having to encounter a physical barrier. In recent weeks, a series of attacks aimed at Israeli citizens and IDF soldiers has been revealed. These attacks, which bear the fingerprints of Hamas hackers, were neutralized, but it can be assumed that they are only the tip of the iceberg. They will probably recur, while utilizing far more technologically sophisticated means. Next time, they will be aimed at Israeli institutions and organizations, as well as civilians. 

Last month, ahead of the opening of the World Cup in soccer, a free application named Golden Cup was offered in the Google applications store. This application offered live reports from the World Cup with great pictures and clips of unforgettable goals. The application appeared to be innocent, but those who installed it unwittingly became a source of very valuable information to Hamas: all of their calls were recorded, all of their files were stolen, their identities and locations were recorded, and the writers of the application were able to operate the microphone and camera at any time and record their surroundings without their knowledge. Assuming that many of those who downloaded the application were soldiers, this information is liable to be of dangerous security significance. 

Hamas hackers: Still neglectful 

The people who examined the application and caused its removal from Google's servers were Roy Larchy and Eyal Rynkowski, researchers from the Symantec company's laboratory in Tel Aviv. Larchy, who heads the mobile security research team at the company, says that the application was spyware that was put in the store by bypassing Google's testing systems. The method is simple: the application uploaded really was innocent and did what it was supposed to do, but after it was installed by the user, it activated an updating process that loaded the attack mechanisms into it. "The application was able to do anything you can imagine," Larchy says, "record calls, record everything happening near the device, use a camera to photograph image sequences, upload particulars of liaison people, gather all the SMS messages, upload pictures and films, load files sent by the operator, report on GPS location and identify the telephone number and telephone owner." 

According to Larchy, the connection between the application and Hamas's hackers is clear. The structure of the communications with the server is the same as what was found in earlier applications originating with Hamas, for example, a phony dating application that the IDF exposed two weeks ago. "This is a follow-up campaign," he says, adding that it will not be the last of its kind. "The application was distributed through Facebook to a broad audience of Israelis, not just soldiers. We found it in companies that aren't necessarily connected to the army." In professional language, this is called "social engineering" - persuading surfers on the social networks to install attack espionage tools masquerading as innocent applications. 

Symantec's researchers describe the hackers' work as negligent, which made it easy for them to detect that a fraud was involved. For example, the company website was set up one day before the applications was distributed and contained no significant content. Furthermore, the amateurish construction of the application made it possible to easily discover its purpose. In addition, the hackers made a fatal mistake: the server to which they uploaded the stolen files and recordings remained open, enabling the researchers to reach eight gigabytes of data stolen from the telephones of hundreds of Israelis. 

The Golden Cup application has been deleted, but Larchy is convinced that it will be followed by more sophisticated and focused ones. Symantec's personnel have work connections with civilian and military cyber defense units and are sharing information and work methods. Eli Amar, CTO of the Computer Emergency Readiness Team (CERT) in the Prime Minister's Office, said at a recent conference on the subject that the solution for cyber attacks is information sharing between all those dealing in information security, and that they should all act together to increase readiness for attacks. It can be assumed that whatever Symantec knows is also known to the National Cyber Bureau, plus a great deal more. 

Hackers from Iran: Attacking business infrastructure 

Yaron Edan, a cyber expert, owner of Edan Worldwide Cyber Security, and head of the cyber studies department at the Institute of Technology and Innovation, says that the investigations that he is conducting show that cyber attacks against Israel by terrorist groups are a fact. The target is no longer shutting down or defacing Israeli websites - actions that are irritating but cause no concrete damage and do not require technical know-how. "The phenomenon is widespread and the cyber dimension has become a battlefield for all intents and purposes. There are attacks by Hamas groups in the Gaza Strip, and not only by them, and they are aimed in two spheres: the personal and the commercial. We're seeing an increase in this phenomenon on the social networks, which I also see as a battlefront for cyber attacks." 

Edan says that Hamas's hackers are from achieving the offensive capabilities of countries. The Chinese are considered the leaders in offensive cyber capabilities, which are usually directed at economic and financial institutions. The Russians attack political systems with less focused capabilities. What may be of special concern to us is that Edan says that the Iranians are developing advanced offensive cyber capabilities, although these are not being aimed at Israel at this stage. "In contrast to Hamas, Iranian attacks are not sporadic; they are organized and militant with clear targets of business infrastructure, defense agencies, and semi-defense organizations," he says. 

Is Iranian technology liable to leak to Hamas? Edan says that at this stage, Hamas's technological capability is very basic, but this is definitely liable to change. "They can develop capabilities using tools on the dark net and even on the ordinary Internet, which is loaded and available - anyone can buy cyber tools on it. There are no limits and there is definitely leakage." 

The private companies are not alone in the effort to deal with the problem. The IDF is also operating a cyber defense system. Reports are occasionally published about certain aspects of its work. In January 2017, the IDF revealed that Hamas had tried to gather information about soldiers through phony identities on the social networks. In January 2018, the IDF information security department began to receive inquiries from soldiers about suspicious activities on the social networks. This led to Operation Broken Heart, which blocked a dating applications offensive. The Israel Security Agency (ISA) is also active in cyber monitoring and defense, but they refused to comment on any aspect of this activity. 

National Cyber Authority: Business as usual 

Israel is aware of cyber threats and previously founded the National Cyber Bureau to cope with them (responsible for preventative actions) and the Cyber Authority (responsible for setting policy). These two agencies were united into the National Cyber Directorate, headed by ex-ISA man Yigal Unna. All of the official parties we asked avoided giving a direct answer in the matter. The general message they gave was that amateurish penetration attempts were involved and that the existing systems could neutralize them with no effort. 

It appears that the official agencies are worried less than the private concerns about Hamas's cyber capabilities, at least outwardly. They are convinced that the attacks on Israelis are part of a global phenomenon of cyber attacks using impersonation applications and the social networks and that the Palestinians have no special or dangerous capabilities. The way to defend is to simply remove suspicious applications, not give them the authorizations they ask for, and to ask the National Cyber Authority for alerts and assistance if necessary. 

A reputable source in the Israeli cyber sector familiar with the offensive cyber sphere says, "Hamas does not have the capabilities of a power; it has only the beginnings of capabilities. But they are making efforts, using mainly tools that they download from the Internet, and their successes are a fact. They know how to make people click on all sorts of links, download all sorts of things to their computers, and to break into systems that have not updated their servers." He adds that it is possible that the source of the attacks is neither the Gaza Strip nor the West Bank, which share their Internet infrastructure with Israel, making it very easy to track attackers. It is very likely that foreign Hamas cells are involved. 

Every offensive campaign has an overall goal, and an analysis of the attack patterns and a cross-section of the people targeted can lead to its exposure. What then is the overall goal of the current attacks? The sources we consulted shrugged their shoulders when asked about it. If the responsible authorities have information on the subject, they are not sharing it with the public at this stage.

No comments: