An official revealed that Israel’s Electricity Authority was targeted in a cyberattack, but experts said it was just a ransomware infection that has not impacted the country’s power grid.
Israel’s Minister of National Infrastructure, Energy, and Water Yuval Steinitz told attendees of the Cybertech 2016 conference in Tel Aviv earlier this week that the country’s Electricity Authority had been hit by a “severe cyberattack.”
According to The Times of Israel, Steinitz said the Electricity Authority identified a “virus” and was working on neutralizing it, and that many of the organization’s computers had been “paralyzed.”
“This is a fresh example of the sensitivity of infrastructure to cyberattacks, and the importance of preparing ourselves in order to defend ourselves against such attacks,” Steinitz said.
Some Israeli publications even quoted Steinitz saying that this was one of the largest cyberattacks his ministry has dealt with and that portions of the power grid were shut down while authorities responded to the incident. Major news sites later updated their initial articles and removed sections about parts of the power grid being shut down during incident response.
The Electricity Authority incident in Israel comes just months after the country’s National Cyber Authority warned of the threat of a massive cyberattack.
While Steinitz’s statement led many to believe that this might have been a sophisticated cyberattack specifically aimed at the Electricity Authority, later reports indicated that the virus was actually a piece of ransomware delivered via phishing emails to the organization’s network.
An Israel-based expert told SecurityWeek that the incident appears to involve CryptoLocker ransomware infections on some of the organization’s workstations. The Electricity Authority is tasked with setting tariffs, regulation and oversight, and its networks are not connected to the Electric Corporation or electricity manufacturers.
“The Israel Electric Authority the Minister mentioned is in no way related to the networks of the Israeli electric companies, transmission, or distribution sites. The Israeli Electric Authority is a regulatory body of roughly 30 individuals and this ‘cyber attack’ is only referencing their networks,” Robert Lee, CEO and founder of Dragos Security, explained in a blog post.
Based on newer reports surrounding the incident, Lee believes that only the regulatory body’s office network has been impacted, and the incident has in no way endangered critical infrastructure.
It’s not uncommon for officials to exaggerate the impact of a cyber threat and their statements are sometimes based on or supported by questionable reports released by security firms. For example, in April 2015, experts accused threat intelligence company Norse and the American Enterprise Institute (AEI) of fearmongering after they published a report on Iran’s cyber capabilities.
“AEI's political agenda for this report was clearly the current multilateral agreement with Iran to curb its nuclear weapons program,” Jeffrey Carr, CEO of Taia Global, said at the time. “The report's conclusion reiterates that sanctions against Iran must not be lifted as part of the nuclear framework agreement because of Iran's role as a cyber threat actor. Bottom line - this report is all about politics, not cyber security.”
The Norse/AEI report was published after U.S. intelligence officials blamed Iran for DDoS attacks on United States banks, a malware attack on Saudi Arabian oil and gas company Saudi Aramco, and the hacker attacks on Las Vegas-based Sands Casino.
Cyberattacks Causing Power Grid Disruptions Are a Reality
While the incident in Israel might have not affected the country’s power grid, the recent attacks aimed at Ukraine’s energy sector have demonstrated that the threat posed by malicious cyber actors should be taken seriously.
Ukraine accused Russia in December of launching a cyberattack that resulted in power outages in some regions. Experts who analyzed the incident determined that while several pieces of malware were used by the attackers, they had not directly caused the outages and instead helped the adversary cover its tracks and make it more difficult to restore service.
Researchers said the actual power outages were likely a result of direct interaction by the attackers — they remotely gained access using a piece of malware and used that access to interact with the system (e.g. open breakers) and cause the disruption.
The Ukraine attacks involved Russia-linked BlackEnergy malware, a destructive plugin named “KillDisk,” and an SSH backdoor dubbed “Dropbear SSH.”