4 August 2018

Israel is under massive Chinese, Russian cyber espionage attack

Ronen Bergman

A look at one of the most secretive units of the Israeli intelligence community—the Shin Bet's counter-espionage division, which was responsible for the arrest of former minister Gonen Segev, one of many cases of Tehran's infiltration attempts. However, it turns out that the Iranians are actually the least of Israel's problems. A few months ago, "Ophir," a senior official with a rich intelligence background turned private cyber security expert, was called back to duty. The mission: Ophir and a team of experts were asked to examine the security of some of Israel's main computer systems. A few systems were defined as "strategic," others as of lesser importance. But since less time and energy is spent on protecting these secondary systems, they can be even more vulnerable to infiltration. The investigation team was put together by one of Israel's governmental intelligence and information protection agencies.

The idea was to have someone from the outside—a fresh pair of eyes—look at these systems and identify "holes" and problems that may have gone unnoticed by the regular cyber security team. 


"The Shin Bet’s counter-espionage unit has never been busier," Ophir was told.

"We believe Israel is under a multi-frontal attack, a significant threat to our national security. Some of the spying is classic, like it used to be: living agents recruited for personal gain or ideology. We know how to deal with those. But some attacks are being carried out by other means, less visible and clear."

The immediate suspect in the attack, according to Ophir, was Iran. The international boycott against the Islamic Republic forced Iran to build its own communications and encryption systems. To that end, Iran set up an impressive network of cyber institutions and engineers, and greatly improved its capabilities for stealing technology, hacking into databases and planting viruses.

For years now, Israel's intelligence community has been seeing many attacks by Iranian intelligence on Israeli computers. The question is, of course, what it doesn't see, where the breaches in the walls are, and what roles Hamas and Hezbollah play.

Ophir's team went to work and began to examine computer infrastructures and servers of some of the main administration bodies in Israel, a large proportion of which—as previously mentioned—are civilian.

When the results came, says a person familiar with the subject, Ophir was dumbfounded; he could not believe his eyes. "He said there must have been a mistake…that something was wrong with the data, so they went and checked again, and it turned out that everything was correct." Other experts who examined the report reached similar conclusions.

"I've been in cyber defense for many years and I've never seen such a thing," Ophir said during a meeting to present the report's conclusions. "Many computers are infected, including computers in schools, hospitals, the Ministry of Interior, national infrastructures, and more—all infected with malware (malicious software), including sub-families of malware—which are the most sophisticated in their operation and form of infection."
Researchers were surprised to discover that some of the malicious software was found deep inside central computer systems, not just on personal desktops used by the government as expected. The mainframe systems are much more difficult for hackers to penetrate. 

"The person behind this activity turned it into a form of art," says the source. "This entity has no problem investing tremendous resources and manpower. It's not someone's hobby, and it's not two, three or four units that are responsible for these attacks. It is a country investing whatever it has in these attacks."

Ophir's team estimated that the manpower required for these cyber attacks against Israel is in the hundreds of people. It's a lot even for a country. 

"To write good malware code, you can use Darknet, where you can find 60-70 percent of what you need," Ophir explained in his report. "But the rest must be tailored to the computer you want to hack. Writing that 30 percent is a tremendous effort, not to mention the need to receive the vast amounts of information gathered in this effort ... Whoever did this wanted to know everything about us, to strip us bare."

At the end of the discussion, another bomb was dropped: according to Ophir's team, all these malicious programs were not from Iran, or Hezbollah, or Hamas.

Whoever is responsible for what is defined as "the disease that spreads everywhere—to all organs of the Israeli cyberspace" is a completely different, much more powerful player and, according to an Israeli intelligence source, far more dangerous than anything we’ve ever known.

Two months ago, when the arrest of former minister Gonen Segev on suspicion of spying for Iran came to light—an espionage case that preoccupied Israeli intelligence for years and that only few were privy to—it was revealed that one of the most secretive units of the Israeli intelligence community, the Shin Bet’s department for counter-espionage, worked the case. 

Shooting in all directions 

Segev, who was accused of espionage and assisting the enemy in its war against Israel, is only the tip of the iceberg in the Iranian efforts to establish secret intelligence infrastructure in Israel. 


Tehran sees Israel's intelligence successes against it and other members of the "radical front" (which includes Syria, Hezbollah, Hamas and Islamic Jihad) and tries to produce its own intelligence collection effort against Israeli targets. In the meantime, in this secret war between Tehran and Jerusalem, the Iranians have mainly managed to recruit people whose access to secrets is limited, including—if indeed the allegations against him are true—Gonen Segev. 

Segev was an Israeli minister in the early 1990s, and was later convicted of attempting to smuggle 32,000 ecstasy pills into Israel and sentenced to five years in prison. After his release, 3.5 years later, he left Israel and moved to Nigeria.

However, the golden rule of intelligence work is "you only know what you know." Therefore, the working assumption of the counter-espionage unit is that the Iranians may have succeeded in recruiting and operating assets with high access to sensitive Israeli secrets. 

The Iranians operate two major intelligence organizations against Israel: the first is the Quds Force, the special unit of the Revolutionary Guards commanded by Qasem Soleimani, which aims to "export" the Islamic revolution to other countries and harm those who try to thwart the Islamic revolution. 


Quds Force commander Qasem Soleimani (Photo: MCT) 

The second organization is the Ministry of Intelligence of the Islamic Republic of Iran (MOIS), which bears a resemblance, to a certain degree, to the Mossad. Similar to the Mossad, the MOIS has branches all over the world, and it is this organization that recruited some of the agents operating in Israel. 

"The Iranians are shooting in all directions," says an intelligence source who is familiar with the details of the Segev affair as well as other published and unpublished Iranian attempts to recruit Israeli assets.

In other words, according to the source, the Iranians are recruiting as many assets as they can, high quality targets like Segev, and minor targets, like Palestinian agents who have little to contribute to the Iranian organization.

About a decade ago, an unusual incident took place known in the intelligence community as a "walk-in"—a person who willingly walks into a foreign country's embassy or intelligence agency, without prior contact or recruitment, and offers his services as a spy—when a man, whose identity is still confidential, walked into the Iranian intelligence office in Istanbul and divulged information about those he claimed were officials in the Israeli defense establishment. 


In most cases, walk-ins are considered by intelligence agencies as unreliable sources since they might serve as their government's mouthpiece and plant false information.

However, it seems that the heads of the Iranian intelligence branch in Istanbul thought correctly that they had nothing to lose and listened to what this man had to say. In the end, the damage the walk-in caused Israel was minimal. 

In 2013, the Shin Bet issued a severe warning to Jews visiting relatives in Iran, against the Iranian Intelligence Ministry’s activities at the Islamic Republic’s consulate in Istanbul. The Israeli agency found out that the Iranians used the Persian Jews' dependence on visas to Iran in order to recruit them as agents.

The damage in this case was also minimal, and the few cases that the Shin Bet exposed did not justify an indictment, so the suspects walked away with just a warning.

Although the information gathered by Iran in these cases was scant, these attempts and others demonstrate the Iranian efforts to infiltrate Israeli intelligence. Most of the effort is focused on gathering "positive intelligence"—i.e., obtaining information about potential targets, order of battle, location of important individuals, etc. This was the case with Ali Mansouri.


Ali Mansouri 

According to the Shin Bet investigation, Mansouri lived in Iran until 1980. He later moved to Turkey and tried his luck as a businessman until 1997, when he was granted a Belgian visa. In 2007, he returned to Iran and resumed his business endeavors. Five years later, he was recruited by the Quds Force as an operative agent against Israel.

Mansouri changed his name to Alex Manes and in 2013 set out with his Belgian passport to Israel on a mission to gather information on embassies and top secret Israeli facilities. He was tasked with establishing a business infrastructure that would serve as a front for Iranian intelligence activities. Therefore, part of his mission was to establish business connections in Israel and take on long-term projects that would warrant a long-term stay in Israel.

Mansouri received generous funding, used his windows and roofing business as a front, and tried to establish contacts with Tel Aviv business owners. To help establish his cover story, he even posted a Facebook profile picture of himself with Tel Aviv as a backdrop. When the Shin Bet arrested him in 2013, they found photos of various sensitive sites in Israel, including the American Embassy building. 

In January 2018, the Shin Bet uncovered a cell operated by the Quds Force out of South Africa under the command of Muhammad Maharmeh, a computer engineering student from Hebron. Maharmeh, according to a Shin Bet investigation, was recruited by a relative living in South Africa. Among his missions were the recruitment of an Israeli-Arab citizen responsible for photographing Israeli territory and the collection of Israeli money and SIM cards—to be used in future Iranian intelligence operations. 

Africa, an area where Iranians feel comfortable to operate in, is also featured in Segev's story. This time it's Nigeria. According to one version, it was the Iranian Intelligence Ministry that approached Segev and asked for a meeting under the guise of an official meeting concerning agriculture and water. According to another version, Segev was the one who initiated contact. 


Gonen Segev in Nigeria 

A Shin Bet investigation revealed that Segev visited Iran twice, making it difficult for him to argue that these were mere business trips. His defense team is arguing that Segev updated the Israeli intelligence community and even offered his services as a double agent, but Shin Bet officials flatly reject these claims. 

What really happened? The court will decide, but what is certain is that Segev did not inflict serious damage upon Israeli intelligence, for he hasn't been in touch with the circle of decision-makers in two decades. 

All of this, of course, does not diminish the severity of his alleged acts—if he is found to have indeed committed them. But these and other cases do point to two important facts: one, the Iranians are indeed trying to infiltrate Israeli intelligence. And two, judging only by the cases that have seen the light of day, Iran's success in these endeavors has not been great.

The bigger threat: Russia and China 

"Today, the Shin Bet is facing more significant challenges," says a former division commander. These challenges are called China and Russia. In recent years, these world powers have been trying to attack Israel in a variety of ways, in a manner similar to their attacks against other Western countries.

The Russian hacking into the servers of the US Democratic Party and the publication by WikiLeaks of the stolen data are regarded as some of the events that paved the way for Donald Trump's victory, and they are now at the center of an FBI investigation led by special counsel Robert Mueller, which is dealing with alleged ties between the Trump campaign and Russian intelligence in the time leading up to the 2016 presidential elections.


The spyware used by the Russians in their international attacks was developed by two Russian hacker groups, dubbed "Fancy Bear" and "Cozy Bear," who are believed to be associated with two Russian intelligence organizations—Russian Military Intelligence (GRU) and the Russian Federal Security Service (FSB). 

"The bottom line of Russian espionage is quite clear," says Holger Stark, deputy editor of Die Zeit and one of the most well-known journalists in Germany (who also teamed up with Yedioth Ahronoth on several investigative stories). 

"The Russians take everything they can and circulate spyware in very large attacks, across the entire global web, in order to infiltrate as many places as they possibly can," says Stark. "The principle: more attempts—more success. Only in a few cases do they look for a specific target and execute a tailor-made attack."

Stark said this after one of the Russian "bears" was discovered on the servers of the German parliament, and massive amounts of information were stolen. The information is yet to be published, apparently for two reasons: First, German diplomats and politicians were simply too boring for the Russians, since they couldn't find anything juicy enough to publish.

Second, the German government unequivocally warned Russian President Putin that it would not tolerate the publication of these materials. These "bears," which have also been discovered in Israel, are just an example of the transformation counter-espionage warfare has undergone. 


Russian FSB building (Photo: AFP) 

Accordingly, about two years ago, Israel's counter-espionage unit underwent a major change: "The pursuit of the classic spy wearing a black raincoat is no longer relevant," says a former unit chief. "The environment has changed, the methods have changed, the enemies are no longer the classic enemies, or at least not only them. The unit had to go through a significant change."

The adversaries' target map has also grown considerably: spies not only seek to gather information about the IDF's secret weapons and order of battle, but they also, for example, try to influence democratic government processes.

Many countries around the world invest enormous resources in these fields, "and the reason behind that is clear," the former unit chief adds. "The US and the Soviet Union invested a crazy amount of resources in preparations for war and in building armies and huge missile fleets. Today, with a much smaller investment, you can get material that is a lot more significant."

"So it's true that when you hear about thousands of people being recruited for the different cyber divisions of Russian intelligence, it sounds like a lot to us, but you have to remember that when you compare this to investing in real armies, it's nothing," he concluded. 

"In today's world, the thought that Gonen Segev was recruited sounds lame, like Gonen Segev himself," says Dr. Nimrod Kozlovski, a lecturer and coordinator of cyber studies at the School of Business Administration at Tel Aviv University.


Gonen Segev (Photo: Yariv Katz) 

"What real value is there to someone like Segev? Today, the alternative to classic intelligence gathering, mainly in China and Russia, is a listening device made by Chinese companies (called 'backdoor' or 'logic bomb' in intelligence jargon) that can be planted inside communications equipment, and since it is a part of the equipment itself, it is very hard to locate. In this way, you can reach the phones of senior officials and plant the device on the switchboards themselves," adds Dr. Kozlovski.

Such espionage is a threat to Israel. A former security officer at a private Israeli company explains: "Because Israel outsources a large part of the Israel defense establishment's activities to private companies that develop classified systems, sometimes it is not necessary to reach the tip of the missile or the system that operates it." 

"You can target the logistics or marketing personnel in the company that manufactures the system, or the academics and hi-tech employees who are not on the front line and do not see themselves as targets for attack," the officer said. 

In the past couple of years, at the direction of the Shin Bet, security companies have started implementing various measures against Russian and Chinese espionage in Israel. The Shin Bet prevented a large Chinese telephone company from participating in a tender to supply infrastructure to communications systems in Israel. 

Some Israeli security companies have banned their employees from using Chinese phones after it was revealed that the Indian prime minister's servers, provided by a Chinese company, were infected with sophisticated viruses. 

The agency behind the planting of these viruses was interested not only in security matters, but also—and perhaps mainly—diplomatic, economic and political secrets. 

These days, governments abroad are investing a great deal of effort to prevent such foreign infiltrations into political processes. 

In their meetings with Israeli colleagues, foreign intelligence personnel talked at length about their concerns regarding Russian and Chinese use of intelligence gathering in order to influence the democratic process in their countries. British sources claimed, for instance, that these attempts had a significant impact on the results of the Brexit referendum.

The Shin Bet refused to cooperate with this article, and so they did not provide an answer to the question of whether attempts to influence politics and politicians in Israel were discovered; but what is true abroad may also be true in Israel.

The first link

To manage these new challenges, the Shin Bet's counter-espionage unit started recruiting manpower from various fields that were not considered necessary in the past: economists, computer engineers, hi-tech employees, and, in short, all those who know how to deal with the new threat. 

But even today, Russia and China are still trying to collect information through more classic channels. In recent years, for example, there have been quite a few attempts to penetrate Israel through Israeli industries and academia. Through academic staff members, intelligence agents can get a direct channel to decision-makers—politicians, or senior officials who whisper into politicians' ears. 

In recent months, the Shin Bet's counter-espionage personnel have held lectures to increase awareness and explain the current threat in factories, companies and academia. 

The Shin Bet personnel presented examples of seemingly innocent inquiries made by one research institute or another. "You may be asked to travel to foreign countries for some conference, and then even get a scholarship... Someone might ask you to write an article on a subject that is not classified and is obviously innocuous. This is the first link in the intelligence-gathering chain," said the lecturer. 
