Israeli 'electronic activists' pledge revenge on Iranian hackers after cyber attacks on armed drones manufacturer
Pay2Key, an alleged Iranian hacking operation, allegedly hacked an Israeli network security company called Portnox.
Two Israeli cybersecurity firms said the operation showed signs of Tehran's fingerprints, after ransom payments were traced back to an Iranian digital currency exchange.
Portnox was formerly known as Access Layers and is now headquartered in the UK.
The hackers said they have accessed data from many of Portnox’s clients, ranging from large banks to HMOs, and even sensitive bodies like Israeli Prime Minister Benjamin Netanyahu's office and a defence contractor.
They uploaded 3 gigabits of data to the web which included documents relating to Israeli defence contractor Elbit, best known for the manufacturing of drones, described as the "backbone" of Israel's fleet.
In response, an Israeli hacking group has emerged that has targeted their Iranian counterparts, according to Haaretz.
The group of local "cyber activists", who refer to themselves as 972Ops, in reference to Israel's dialing code, told Haaretz in an interview that it consists of seven volunteers (six men and one woman) aged between 25 and 45.
All have professional experience in cybersecurity.
Despite "no smoking gun", the self-styled cyber activists are confident they have "revealed that the Iranian hackers are affiliated with Iran's [military] cyber branch".
They explained that it operates groups according to different levels and skill sets.
"There's simply no learning curve," a representative from Check Point told Haaretz, which has been operating since November.
"Every type of attack has a certain form that it follows. Every state operation has a certain tradecraft that serves as a signature or fingerprint. The methods they are using are almost identical to those used by official Iranian state hackers in recent years," one of the members of 972Ops says.
"This fact, in combination with their reluctance to sell data or exchange it - a common practice among cyber criminals - is as rare as seeing a camel in Finland," he continued.
"However, the most suspicious thing is that they actually have fake Twitter accounts in Hebrew, praising them in almost perfect Hebrew. This is just not something cyber criminals would do. This is an espionage operation masquerading as cybercrime with the help of some smart propaganda."
The representative said that 972Ops is currently working on a full-on counteroffensive.
"If exposing them publicly will not stop them, we will shift to revenge attacks," it said.
Israelis fear that due to the PR success of the attacks, "Iran is very likely to double down on such cyber-propaganda operations - and we are very likely to see more such groups and copycats".
For its part, 972Ops claims to have broken into at least five email accounts affiliated with the Pay2Key operation.
"The understanding that this [attack] is being done with the support or affiliation of the [Iranian] state stems from what we read in their [email] conversations. They are very focused on their mission - they refuse to 'sell' the materials they stole to a third party or even trade or reveal other information" - as is common in ransom attacks, one member of the Israeli group claimed.
972Ops said they managed to weed out two Iranians who tried to join their ranks as double agents.