Cyber-attacks show Israel’s need for cyber defense directives

By Doron Tamir

The recent cyber-attack by the Black Shadow hacking group on Israeli websites – among them the LGBT dating application Atraf which was subject to a ransom demand and then a leak of account usernames when that demand wasn’t met – could be part of a larger Iranian cyber attrition campaign.

It is important to clarify what precisely was targeted in this attack, and why the lack of an official cyber law in Israel is generating confusion over the division of labor regarding data protection in the vulnerable private sector.

In the cyber world, internet service providers (ISPs) like NetVision, whose servers are used by the company that created Atraf’s website, are similar to a hotel or pizza franchise: The ISP ‘rents’ out its servers, enabling others to host their websites on them to create a logistical communications infrastructure.

Next in the cyber chain are the companies that create websites and applications – in this case, a company called CyberServe.

CyberServe was, in fact, the target of Black Shadow’s attack. These types of companies build websites according to the tailored needs of clients and host them on their servers.

Clients who request such websites – be they dating websites or motorcycle stores – often don’t understand the cyber world and therefore turn to companies to outsource their online needs.

Black Shadow conducted a double infiltration in this incident: Firstly, of CyberServe’s servers, and secondly of Atraf’s apps and websites (as well as other Israeli websites).

CyberServe provided the ‘structure’ for Atraf, and it was CyberServe’s servers that were infiltrated, meaning that the internet service provider, NetVision, is not responsible for the situation.

This, then, highlights a real problem when it comes to cyber security in Israel at this time. Despite Israel being the ‘start-up nation,’ and a world leader in cyber technology, the country’s private sector lacks clear directives over how to set up fortified cyber defense.

Just as a dentist can’t legally obligate someone to brush their teeth or to be vaccinated, the same is true regarding private sector entities and cyber defense. When Israel set up its National Cyber Security Authority, it began supplying lots of advisory material to the private sector, but none of it was binding.

Similarly, the Justice Ministry’s Law, Information and Technology Authority, which even has the power to raid homes in connection with cyber-crime investigations, does not have enforcement capability when it comes to cyber defenses.

Ultimately, this means that chaos characterizes private sector cyber defenses in Israel, and only a cyber law can address this problem adequately.

Currently, only a few states like Singapore and the United States have such cyber laws, which delegate explicit cyber defense responsibilities to various actors.

In Israel, cyber security is more in oral law format than written law. As a result, it is not totally clear who is responsible for enforcing cyber security standards. The Israeli National Cyber Security Authority can define strategy, policy, budgets, objectives, and desirable levels of protection. But it cannot deal with each individual company or business organization. This creates gaps that can be exploited by malicious actors.

The ability to break into tens of thousands of private accounts on a dating site is a terrible breach of privacy. It does not require hugely sophisticated capabilities, but rather, the ability to exploit standard weak locations.

Unlike the cyber-attack on Israel’s Hillel Yaffe hospital, which involved the encryption of the hospital’s website, and an attack on the option to cancel the encryption, this latest attack was much less sophisticated.

Attackers breached a company whose job is to defend its customers. Now, CyberServe is facing collective legal action, and its chances of winning in court are not high.

Still, CyberServe could argue, based on the absence of a cyber security law, that the company is not legally responsible for security.

As for the perpetrators, it is reasonable to assume that Black Shadow is an Iranian cyber group, which, like other such groups, operates under Iranian supervision.

It is safe to assess that the groups divide up attacking roles among themselves, with the overall goal being to harass the State of Israel as much as possible. This won’t lead to a collapse of the state, but it will disturb it.

Such incidents also harm Israel’s image as a cyber power.

Now, the most important mission is to track the incident back forensically and identify the attackers. This is a difficult process with its own operational doctrine. It is, simply put, a major headache, and one that not all companies have the ability to undertake.

The incident ultimately underscores the conclusion that the time has come to beef up Israel’s current, and partial, cyber defense regulations.

Clear legislation will stipulate what web service providers must deliver for their clients, and will make it more difficult for groups like Black Shadow to exploit indifference to the issue of cyber defense.

Not every company needs nuclear power plant-level cyber defenses, but between that and having no defense in place there is a large spectrum of security solutions.

The question of how much each company is willing to pay for this capability boils down to a question of cost-benefit considerations.

As time goes by, increasing numbers of companies will realize, as banks already have, that a percentage of their income must go into cyber security, because the cost of failure is far higher.

The latest attack on an LGBT dating application is not the attack that can bring down a state. But it is another razor cut, in a wider Iranian strategy of ‘a thousand cuts,’ that is designed to harm Israel.

On the other hand, when compared to the cyber strike on gas stations around Iran, which some reports have attributed to Israel, it would seem that the two countries do not have equal cyber offensive capabilities, and are not even in the same league.


Brigadier General Doron Tamir had a distinguished military career spanning over 2 decades in the Intelligence Corps and Special Forces - as the Chief Intelligence Officer in the Israeli military, where he commanded numerous military units in all aspects of the intelligence field, from signal, visual, and human intelligence, through technology and cyber, to combat and special operations.