A supposed ransomware attack against the Israeli call center service company Voicenter earlier this week points to motives beyond money, experts said, including possible Iranian involvement.
In a widely distributed text message, the company said that on Saturday “a cyberattack on our systems was discovered which was executed by a group of foreign hackers, but to the best of our knowledge no data was leaked from the organization during the incident.”
Though the company’s announcement stated that none of its information had been breached, that turned out to be inaccurate. The hacker posted online that he is offering to sell some 15 terabytes of data taken from the company’s servers. The cloud-based call center service provider counts companies such as Mobileye, eToro, Check Point and Similar Web among its clients.
The company halted service following the attack, and decided to disconnect its systems.
On the encrypted messaging app Telegram, the hacker posted samples of the information at his disposal, including recordings of calls with customers in various languages. The attacker appears to have reached deep into Voicenter’s systems: he had even acquired screenshots of WhatsApp Web and Gmail conversations that appear to have taken place between the company’s employees.
The hackers’ ransom demand from Voicenter (screenshot)
On Tuesday, the attacker advanced to the next stage by uploading stolen ID cards and footage from the office’s video cameras, meaning the camera system had also been compromised and its recordings downloaded.
The hacker also appears to have taken complete control of one employee’s personal computer, turning on its webcam and photographing the employee’s room while he worked, then uploading the image in a post titled “A picture seen from a home office.” After that, the hacker uploaded some of the company’s call center recordings.
Initially, this looked like an ordinary ransom attack: the hacker demanded an increasing amount of money in exchange for the information, from 15 to 35 Bitcoin (about $636,150 to $1.48 million). However, there is growing evidence that the attack is part of an Iranian campaign whose goal is to embarrass Israel through cyberattacks.
The first clue is the timing: judging by the screenshots the hacker posted, he appears to have had access to the system since June. Even so, he chose to publish the material on the eve of the Jewish holiday of Sukkot.
The second is that the hacker’s first announcement named a number of companies that use Voicenter’s services, all of them Israeli. The company has thousands of customers, including foreign ones, and the leaked recordings are in Spanish, French and Russian as well as Hebrew, yet the hacker chose to emphasize the Israeli clients.
Third, the modus operandi of the hacker group that carried out the attack, which calls itself Deus, is to raise its ransom demand every 12 hours. A similar method was used in the massive cyberattack on the Israeli insurance firm Shirbit, which has been attributed to Iran.
The fourth clue is that the hackers are now asking for five Bitcoin rather than the 35 they originally demanded, a climb-down that suggests the motives are not purely financial. They also put up their notice that the data was for sale before the negotiation period with Voicenter had ended.
Moty Cristal, a negotiator who has helped a number of companies through cyberattacks, wrote on his Twitter account that the hacker’s “modus operandi does not resemble that of an economic attack. He posted the leaks on Raid Forum, which is not really a trading zone, but more of an expressive bulletin board.”
Cristal said that the hacker’s Telegram channel resembles those seen in other attacks on Israeli targets, including Shirbit and Bar-Ilan University, which were created to “shame” the victim. This is less common in attacks with economic motives. If Iran did in fact carry out this attack, it means that it is reaping the benefits of the cyberwar it is waging against Israel.
Nitzan Gutman, Voicenter’s founder, said Monday that they “are now in our data center in Petah Tikva, taking apart every server and searching for signs of the attack. We’re in the recovery stage of the attack, and working on getting all the systems back up. More than 15 employees have been working on this for 36 straight hours.”
Nitzan Gutman, founder of Voicenter (media PR photo)
Gutman stressed that, because of the GDPR, the EU privacy and data protection regulation, the company does not keep credit card information or personal details in its systems, “but customers may have such information.” He added that some of the company’s clients choose to encrypt their recorded conversations.
Gutman added that Voicenter’s situation differs from that of Shirbit, the Israeli insurance firm hit with a massive cyberattack last year, because of his company’s focus on information security amid the prevalence of fraud in the telecom industry. He also noted that the company is insured against cyberattacks and is receiving assistance from the company Cyber Time, which was also involved in the response to the Bar-Ilan University cyberattack last month.
“This is a server that was not active and was not connected to our system, which used to host the website in the past. After the beginning of the [cyberattack], we tried to see if there was a possibility of quickly getting the old version of our website up that was hosted there,” a spokesperson for Voicenter said. “It is important to note that before the event began, our website was on a secured server with the highest SSL certificate rating (A+). Although it does not mean anything, the site has been taken down.”