Note 26

WannaCry May 2017 Cyber Attack: How Israel Survived

The World’s Biggest ever Cyber Attack
On Friday 12th of May 2017 unknown hackers set about executing the world’s largest ever cyber-attack. The attack, known as “WannaCry,” used ‘ransomware’ to paralyze more than 200,000 computers in 150 countries, including those that run Britain’s hospital network, Germany’s national railway and other companies and government agencies worldwide. It was the biggest online extortion scheme ever.

In China, more than 29,000 institutions were hit across the country. Universities and educational institutions were among the hardest hit, numbering 4,341, or about 15 percent of internet protocol addresses attacked. Also affected were railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services. Among the victims of the attack was PetroChina, whose system was hit by the virus which disabled the ability for customers to pay with cards.

Although Israel was targeted by the attack, the damages it suffered were minimal. Through the implementation of best practices and quick joint action by cyber experts within Israel, there was no damage sustained to the nation’s critical infrastructure.

Cyber security is a sphere which is often spoken about in discussions relating to Sino-Israel relations. Many Chinese experts and scholars have shown and continue to express great interest in learning from Israel’s cyber-security capabilities. They flock to Israel on delegations in order to discuss and purchase Israel’s cutting-edge technologies in the field. The May 12th attack is a real-time example of Israel’s technological sophistication as a whole, and in particular in the field of cyber security and preparedness. It highlights the benefits China can gain from developing its technological cooperation with Israel. This point was further strengthened by the recent Comprehensive Innovation Partnership announced by President Xi Jinping during PM Netanyahu’s visit to Beijing in March (see SIGNAL Note 23).

The key to Israel’s success

“We are at the height of a world cyberattack, in which close to 100 nations have been hit. As of now, there has been no damage to Israel’s critical infrastructures,” Prime Minister Benjamin Netanyahu said at a weekly cabinet meeting in Jerusalem two days after the attack. “The other damage is minor, but everything can change.”

Israel set up its cyber-defense systems, including the National Cyber Authority, “in the understanding that there is a new danger that is still ahead of us,” he said. Netanyahu called on all Israeli citizens to obey the directives of the cyber authority. “There will be more developments and we will need to invest more resources” to ensure that Israel’s civilian and military institutions are protected against such attacks, he said.

The day after the attack, the nation’s top cybersecurity official said there was no evidence so far that Israel fell victim to the global cyber-attack. Baruch Carmeli, the head of the National Cyber Authority, said in a statement that there was “no indication” that Israeli bodies had been compromised in the massive electronic assault.

He added that the authority was in contact with cyber officials in Israel and around the world in order to minimize any potential damage.

Sharon Nimirovski – whose firm, WhiteHat, employs teams of hackers to scour the dark web in search of criminal activities aimed at its clients, which include hospitals, financial institutions in Israel and abroad and government institutions in Israel — said that on Friday afternoon its employees spotted an attack on 16 hospitals in the UK. “It was a widespread attack,” said Nimirovsky. The desk entered a high alert mode — which they call “DEFCON 2” — the second highest alert (the highest is when Israel is under attack). They investigated the type of the attack, its spread, location and damage.

“We sent our customers the first vaccine against the attack within an hour,” he said. The “vaccine” included IP addresses, URLs and file names which its customers were told to block. Workers at firms in Israel went into work on Friday afternoon — when companies are generally closed for the weekend — or connected remotely to install the “vaccine,” Nimirovsky said.

As the attack spread even further globally, Israel’s National Cyber Bureau started communicating with the local cyber community and convened members of the Israeli cyber forum, which gathers 250 cybersecurity experts from the public and private cyber institutions. “It was a huge conversation which began Friday evening, with everyone pitching in and talking and giving advice and analyzing the event,” Nimirovsky said.

“We all joined forces and helped to block the attack,” Nimirovski said. “It was like a war, everyone put on their uniform and helped. The cyber bureau began coordinating everything.”

The National Cyber Bureau sent out documents to all major companies in Israel and to critical infrastructure utilities and posted instructions on its website on how to prevent the attack.

The scope of the cyberattack was unprecedented and future ones will only get bigger, said Erez Kreiner, a cybersecurity consultant and a former director of information security at the Shin Bet, Israel’s security agency. For 35 years he helped foil cyberattacks on Israel.

“The damage done by this attack is not worse than other attacks we have seen before, and is not more serious than others – the techniques and tools it uses are not different. What is different is its scope,” said Kreiner. “In future things will only get worse – the ability for such large-scale attacks exists. When they will happen again depends only on the intentions of the perpetrators.”

This attack apparently used a piece of malicious software called “WanaCrypt0r 2.0” or WannaCry, which exploits a weakness in Microsoft’s Windows. Microsoft released a patch — a software update that fixes the problem — for the vulnerability in March, but computers that have not installed the security update remain vulnerable.

What is interesting about the attack is that the criminals appeared to exploit a vulnerability purportedly identified for use by the US National Security Agency and later leaked to the Internet, said Ofer Israeli, the CEO of Illusive Networks, an Israeli cybersecurity startup.

“What we are seeing is the tip of the iceberg,” said Israeli. “The attacker was not very sophisticated and hence the first wave of the attack was stopped, even if apparently a second version has already been released. But cyber criminals can take the lethal capability that has been exposed and strategically and surgically now go after an organization in a targeted and much more damaging way.”

“I have no doubt that over the next few months, down the road, we are going to see a more sophisticated and more targeted and more devastating attack. As we speak this is already happening. We will see it only in later months,” he said.

The above is an extract from the Times of Israel article “In Israel, cyber experts joined forces to help foil massive attack.”

“While Israel officially stays silent on its cyber capabilities, there is no hiding the fact that it is today a global leader in cyber security, exporting more than $6 billion a year in cyber products, rivaling Israel’s annual defense exports. With a population of just 8 million people, Israel has captured 10% of the global cyber market – hundreds of high tech companies have been established by Aman (Israel’s Directorate of Military Intelligence) graduates alone – putting it on the same level as countries like the US, China and Russia.”1

National Cyber Strategy

In April 2016, Israel’s National Cyber Defense Authority (“the Authority”) officially began its service as a government entity in Israel. Its primary function is “to direct, operate, and execute as needed all defensive and operational efforts at the national level in cyberspace, based on a systemic approach, to allow a full and constant defensive response to cyberattacks, including the handling of cyberspace threats and cyber events in real time, formulation of a current situation assessment, gathering and research of intelligence, and work with the special institutions”.

The National Cyber Defense Authority is the latest government body to be added to Israel’s National Cyber Strategy framework, which aims to protect Israel’s critical infrastructure from the intrinsic dangers of a rapidly developing cyberspace. The strategy also comprises the National Information Security Authority, established in 2002, and the National Cyber Bureau, set up in 2012 to regulate activity in cyberspace.

A Sampling of Israel’s cyber-security technologies

ThetaRay

ThetaRay is an Israeli company which is already operating in China with the help of investment from e-commerce giant Alibaba.

“ThetaRay’s cyber solution for Industrial sectors protects against unknown zero-day malware, targeted APT attacks, and sophisticated Stuxnet-like state sponsored cyber-attacks that target critical infrastructure.

Monitoring critical infrastructure networks and devices, such as SCADA networks, aircraft engines, medical equipment and other critical assets, the solution enables real-time detection and actionable mitigation of unknown threats before any impact to production, safety or revenues can occur.”

Sasa Software

Sasa’s Gate Scanner CDR (content disarm and reconstruction) successfully protected its customers against the WannaCry ransomware attack. Analysis has shown that the attack spread through two primary vectors: network-based SMB exploits, and email. Customers using Gate Scanner CDR were protected from the file-based attacks, since its technology disarms all incoming emails and files without relying on detection or user intervention. Sasa’s software protects over 150 enterprises, focusing on governmental agencies, financial institutions, healthcare and critical infrastructures.

Illusive networks

illusive networks is a cybersecurity company at the forefront of deception technology, the most effective protection against Advanced Attacks. illusive creates an alternate reality, transparently woven into the client’s existing network. Attackers led into this reality will be instantly identified beyond all doubt, triggering a high-fidelity alert the client can act upon. illusive was set up by former Aman personnel to challenge the most critical cyber threat facing organizations today – targeted attacks.

WhiteHat Security

WhiteHat Sentinel is a Software-as-a-Service (SaaS) platform that enables businesses to quickly deploy a scalable application security program across the entire software development lifecycle (SDLC). Combining advanced scanning technology with the world’s largest application security research team, it accurately identifies the client’s vulnerabilities and scales to meet any demand without slowing them down.

WhiteHat Security provides the industry’s broadest range of application security solutions that serve the needs of developers, security professionals and executives in a number of key industries. It provides complete solutions for web application security, secure code development, risk assessment and in many other areas.

Win-win cooperation

This month’s massive ransomware attack is an example of the value and real-time relevance of China-Israel cooperation in addressing tangible threats and dangers. Based on the Comprehensive Innovation Partnership and other successful agreements signed during PM Netanyahu’s visit to Beijing, greater collaboration can help ensure both sides are maximizing the potential of this fruitful relationship.

For China, Israel provides insight into some of the world’s foremost leading cyber-security technologies. For Israel, China provides the potential of a seemingly endless marketplace and wealth of cyber companies.

Even more significantly, sharing cyber-security technologies, best practices and expertise is a must on a global level in order for governments and private actors to stay ahead of those looking to exploit their vulnerabilities.

As the experts Kreiner and Israeli stated, with each successful attack that takes place, hackers are learning about the vulnerabilities which exist in certain systems and networks. They are able to learn and adapt in order to plan and execute more devastating attacks. Just like the hackers, governments and companies must also learn from these events and ensure they stay one step ahead of their attackers in protecting their critical infrastructures.

The best way to do this is to learn from one another, to share best practices and to get the best minds and best technologies together, on board the same mission.

  1. Katz, Y., & Bohbot, A. (2017). The weapon wizards: how Israel became a high-tech military superpower. New York: St. Martin’s Press.
Published: 01-06-2017