Likely Israeli Cyber Attack Compromises 15-Million Iranian Bank Accounts

15-million Iranian bank accounts were hacked and their owners financial data published via Telegram

The NY Times published a story this week about a massive cyber attack against three major Iranian banks which targeted 15-million customers. The latter received warnings that their account information had been hacked, harvested and made available via a Telegram account. This, of course, aroused panic in account holders and the banks themselves.

At first glance, the attack appeared in the guise of a conventional ransomware operation in which victims are deprived access to their accounts until they paid a financial ransom. But there was no serious attempt by the perpetrators to collect funds from the victims. This confirms that there was no financial motive in the enterprise.

Iranian officials at first attempted to ignore the hack, or at least refuse to acknowledge it publicly. But within the past few days, they did confirm it was a major attack.

Its purpose was clearly to further damage the Iranian economy, already strangled by U.S. sanctions:

…Outside cyberexperts…said a breach of such magnitude was likely the work of a state entity aiming to stoke instability, not criminals whose objective is blackmail for financial gain.

So who was the culprit? There are only three credible suspects: Saudi Arabia, the U.S. and Israel. Let’s rule out the first from the get-go. Though the Saudis have been playing catch-up in the cyber-hacking arena in an attempt to match the successes of their Iranian rivals, it’s doubtful they have the wherewithal to conduct such a large-scale sophisticated operation.

It’s possible the Saudis could have contracted out the job to a sophisticated network of freelance hackers. There are certainly such groups in Russia, China and North Korea. But my strong suspicion is that this was not such an operation, but rather one performed by a nation-state.

NY Times article with Israeli journalist, Ronen Bergman’s byline

As for potential U.S. involvement, it’s certainly possible the NSA or the military Cyber Command perpetrated this attack. We have the motivation and skill-set.  We also could have collaborated with Israeli cyber-hackers as we did in Operation Olympic Games., which involving sabotaging the uranium enrichment centrifuges at Natanz.

There is one circumstantial, but highly persuasive reason the culprit is Israel. If you review the Times article, you’ll note that one of the two reporters credited with a byline is Ronen Bergman. He is one of Israel’s leading national security and intelligence journalists. He has excellent sources within Israeli intelligence circles.

There is only one reason he co-wrote this story: his Israeli sources offered him information about the attack they themselves performed.  Bergman was cagey in his story and did not say this explicitly. But given how much Israel has to gain by sowing mayhem inside Iran, it’s no surprise that the reporter chose to quote an Israeli cybersecurity expert practically crowing about the damage done to the country’s financial sector:

ClearSky, a cybersecurity company that was among the first to issue warnings of the breach, said it had damaged the flow of financial transactions inside Iran and had harmed the reputation of the affected banks, with customers panicking about their personal information having been made public.

Boaz Dolev, the chief executive officer of ClearSky, said the scope of the breach indicated that whoever was responsible possessed “high technological capability, which is usually at the hand of state intelligence services.”

No, I do not have further inside information on the attack to bolster my argument. Such sourcing would be helpful. But it’s not necessary. I’ve followed Bergman’s reporting for years and you can “take it to the bank” (pardon the phrase) that either Unit 8200 or allied Israeli unit was instrumental in the Iran attack.

For those who believe the U.S. was instrumental in the attack (rather than Israel), there is one tell-tale sign this is incorrect: the NY Times article offers “additional reporting” credit to DC-based reporter Mark Mazzetti.  He presumably tracked down leads and sources to determine the level of U.S. involvement.  Had there been any, Mazetti would have shared a byline with the others.  Instead, his contribution was highlighted at the very end of the story.

The banking hack represents a further escalation in the annals of national cyberwarfare. In the past, hackers have infiltrated banking systems in order to steal or extort money. And in the U.S., Iranian hackers were believed to have infiltrated U.S. bank computer systems.

But the damage done in this case was more pervasive and severe. Israel has the ability and motivation in spades to organize this attack. It has assassinated Iranian nuclear scientists, sabotaged uranium enrichment equipment, and bombed an IRG missile base. A financial sector attack of this sort is right up Israel’s alley.

Of course, Iran will now redouble efforts to exact revenge not just on the Israel financial sector, but on any entities doing business with it who have vulnerabilities.

Israel either believes that its own banks have robust enough defenses to repel such an attack; or they simply haven’t calculated the repercussions from this attack. But in this era of cyber-war, no bad deed goes unpunished. Iran will figure out a way to repay the favor. And then Israel will be the victim. These attacks could rapidly escalate and the social and economic costs could spiral out of control.

Such cyber-war operations are a Pandora’s Box. At first, they appear attractive means to damage an enemy without putting troops on the battlefield and paying in blood. But cyberattacks can and will lead, at some point, to very real wars. Only then will the world understand that they are not a play toy and not a substitute for physical force or military attack. I only hope we don’t learn this lesson too late.