Ransomware hits national electricity authority, Israel reports

Incident occurs during record-breaking demand for electricity due to winter cold.

Monday was an unusual day for Israel’s electricity authority. A winter storm had hit the country, people were setting records with the amount of electricity they were using, and the national electricity company had declared a state of emergency.

But the next wave of trouble came not from the weather but from hackers, according to Israel’s energy minister. News reports have called it ransomware.

“Yesterday, we identified one of the largest cyber attacks that we have experienced,” Minister of Infrastructure, Energy and Water Yuval Steinitz said on Tuesday, as reported in the Jerusalem Post.

He spoke at the CyberTech 2016 conference in Tel Aviv, giving limited details about the incident.

“The virus was already identified and the right software was already prepared to neutralize it,” Steinitz said, as reported by the Times of Israel. “We had to paralyze many of the computers of the Israeli Electricity Authority. We are handling the situation and I hope that soon, this very serious event will be over … but as of now, computer systems are still not working as they should.”

The news reports about the incident did not mention any power outages related to the cyber intrusion.

Ransomware

Ransomware typically holds a system hostage until money, often in the form of bitcoin, is paid.

“The computer system of the Electricity Authority was the victim of an extortion attempt through virus,” reported Ynet, according to a Google translation. “The virus senders locked computers of the Authority, which is responsible for the electricity sector, and hid them so that PCs are completely cut off from the power supply and power notebook computers.”

Attack?

Some cybersecurity experts say this does not appear to be an attack on the power grid, as some reports claimed.

“However, new reporting shows that the ‘cyber attack’ was simply ransomware delivered via phishing emails to the regulatory body’s office network and it appears in no way endangered any infrastructure,” wrote Robert M. Lee with the SANS Institute.

The agency’s office network does not run the power grid, according to Michael Toecker with Context Industrial Security.

“The Electricity Authority of Israel is basically the electricity regulator in Israel,” said Toecker. “It has the power to set rates, license companies to operate electrical infrastructure, support advances in energy policy, and set standards for electric system quality.”

“They don’t operate infrastructure, they set standards to ensure owners of infrastructure operate it reliably and set the payment for providing electric services,” he said.

Crying “attack”

Cybersecurity experts say it would be wise to think carefully before calling a cyber incident an “attack.”

“When something bad happens, the ‘victim’ tends to characterize the situation as an ‘attack,’ whether or not there was any real intent to do damage,” said Patrick C. Miller of Archer Security Group.

“In this case, a rash of ransomware can really ruin your day, but it might not qualify as an attack,” he said.

It is too early to tell if the agency was specifically targeted, Miller said.

“Without analysis of a reasonable set of evidence by qualified professionals, we may never really know,” he said. “In any case, we should exercise caution and not shout ‘cyber attack!’ until we really know—especially when it comes to critical infrastructure.”

Targets

Although this case does not appear to have any connection to the power grid, some cybersecurity experts say grids are indeed targets.

“Attacks on industrial networks and critical infrastructure is something that is becoming part of the common threat landscape,” Nir Giller of CyberX told Archer News.

Giller is a veteran of the elite cyber security unit at the Israeli Defense Forces, according to the CyberX website, and the company’s CEO is a panelist at the CyberTech 2016 conference in Tel Aviv where Israel’s energy minister announced the cyber incident.

“Other utilities worldwide are suffering from successful cyber attacks, though not many actually disclose this information, due to fear of damage to reputation and the sensitivity of events,” Giller said.

Previous cyber incidents

Reports say there have been a number of cyber ‘attack’ attempts on Israeli government agencies and other organizations in the past few years.

The country’s defense ministry said in August that someone sent its employees e-mail messages with malicious files, reported the Times of Israel, which said the malware was “mostly blocked.”

The hacktivist group Anonymous announced it was going to create an “electronic holocaust” in April, and target Israeli government websites, military sites and others, according to the Daily Mail.

Israel claimed Iran attempted to conduct a large-scale cyber attack on Israeli civilian communications during the war with Hamas in 2014, according to the Jerusalem Post. The “unprecedented attack” included a “brief hijacking” of the Israel Defense Forces’ Twitter account, said the Times of Israel.

Also in 2014, hackers from China reportedly stole information about Israel’s Iron Dome air defense system and Arrow anti-ballistic missiles.

Hackers attacked security cameras in Haifa—Israel’s third largest city—in 2013, leading to a shutdown of a major roadway and causing hundreds of thousands of dollars in damages, reported Israel Today.

And the head of Israel’s website division said hackers attacked sites “tens of millions of times” during Israel’s 2012 military offensive on the Gaza Strip, said USA Today.

Warning of attacks

The Israeli government established a National Cyber Authority in February, saying that cyber threats can paralyze nations.

Then, in July, the cyber authority warned Israel would suffer a “massive cyber attack,” said the Times of Israel.

The warning told government ministries and security agencies to monitor their computer systems and mobile phones and prepare for “any possible scenario,” according to Haaretz.

But cybersecurity experts say this latest development falls far short of the cyber attack that caused a power outage in Ukraine in December, shutting down substations and leaving people in the dark.