article

01.17.12

Who Is Behind Cyberattacks on Israel’s Airline and Banks?

A mysterious group calling itself Nightmare caused Israeli websites to shut down Monday. Eli Lake examines a new type of Mideast conflict.

The Arab-Israeli conflict is normally fought with Katyusha rockets and Merkava tanks, but the conflict’s latest weapon is a botnet.

On Monday of this week, a group of hackers known as Nightmare attacked the websites associated with Israel’s stock exchange, its two largest banks, and the national airline, El Al. In messages to the Israeli media, the hackers demanded that Israeli leaders apologize for the occupation of Palestinian lands.

The attack prompted Israel’s deputy foreign minister, Danny Ayalon, to respond on his Facebook page Monday. “This morning, various Israeli websites were attacked by hackers,” he wrote. “They have demanded an apology for Israel's defensive measures. I am using this platform to send a clear message that we will never apologize for defending our country and our citizens. They will not silence us on the internet or in any forum.”

The tactic used against the Israeli websites is known as a DDOS attack. It jams a website with thousands of requests, effectively overloading the server so that it is inaccessible to the public. The DDOS offensive was launched less than a week after a hacker calling himself OxOmar published thousands of credit-card numbers he claimed to have pilfered from Israeli commercial sites.

OxOmar, who has claimed to be from Saudi Arabia in online messages, appeared to have advance knowledge of the latest cyberassault. But Ron Meyran, the director of security for Radware, an Israeli Web firm, said this week’s DDOS attack originated from servers mainly in Europe, with a few also in the United States and Israel. (Meyran said his analysis of the IP addresses of the servers used in the DDOS attack suggested the bulk of the computers were in France, Belgium, and the Netherlands.)

Hackers often cloak their attacks by routing the IP address through foreign servers, and in some cases, machines that are part of a larger botnet can participate in such DDOS attacks without their owners' knowledge.

Still, Meyran said he did not identify a single server from Saudi Arabia involved in the latest attack. He said the group that has taken credit, Nightmare, is similar to the hackers' collective known as Anonymous and also to the group that claimed responsibility for a string of hacks last summer against the CIA, FBI, and other U.S. government sites known as Lulzsec.

The coordinated attack Monday was probably the first large-scale hacktivist action inspired by the Arab-Israeli conflict. “In the past, we have seen coordinated attacks on South Korea, Estonia, and other countries,” Meyran said. “We have never seen this in Israel.”

“In the past, we have seen coordinated attacks on South Korea, Estonia, and other countries. We have never seen this in Israel.”

The most devastating kinds of cyberassaults are usually those that give the attacker access to—or in some cases control of—the target network. An example of this is the Stuxnet worm, which infiltrated the logic board controlling the speed of the centrifuges at the Natanz enrichment facility in Iran. Israel and the United States are widely believed by security experts to be responsible for that cyberattack, which took place in 2010.

Bob Gourley, a former chief technology officer for the Defense Intelligence Agency and the editor of CTOvision.com, told The Daily Beast that the DDOS attack against Israeli sites was not groundbreaking in a technical sense. “It’s important to keep things in context,” he said. “These guys are serious and very capable. [But] if you look at the long view, this is more evolution than revolution. These hackers have incrementally more powerful computers, but what are they doing? They are defacing Web pages; they are stealing credit cards. That’s been done before.”

Gourley said the attack might even provide an unexpected avenue for cooperation in the Middle East. “I think we will see Arabs and Israelis cooperating to try to stop this stuff. What other domain do you see open cooperation between these two sides?”