Israel is under massive Chinese, Russian cyber espionage attack
A look at one of the most secretive units of the Israeli intelligence community— the Shin Bet’s counter-espionage division, which was responsible for the arrest of former minister Gonen Segev—one of many cases of Tehran's infiltration attempts. However, it turns out that the Iranians are actually the least of Israel's problems.
A few months ago, "Ophir," a senior official with a rich intelligence background turned private cyber security expert, was called back to duty.
The mission: Ophir and a team of experts were asked to examine the security of some of Israel's main computer systems. A few systems were defined as "strategic," others of lesser importance. But since less time and energy is spent on protecting these secondary systems, it can make them even more vulnerable to infiltration. The investigation team was put together by one of Israel's governmental intelligence and information protection agencies.
The idea was to have someone from the outside—a fresh pair of eyes—look at these systems and identify "holes" and problems that may have gone unnoticed by the regular cyber security team.
"The Shin Bet’s counter-espionage unit has never been busier," Ophir was told.
"We believe Israel is under a multi-frontal attack, a significant threat to our national security. Some of the spying is classic, like it used to be: living agents recruited for personal gain or ideology. We know how to deal with those. But some attacks are being carried out by other means, less visible and clear."
The immediate suspect in the attack, according to Ophir, was Iran. The international boycott against the Islamic Republic forced Iran to build its own communications and encryption systems. To that end, Iran set up an impressive network of cyber institutions and engineers, and greatly improved its capabilities of stealing technology, hacking into data bases and planting viruses.
For years now that Israel’s intelligence community has been seeing many attacks by Iranian intelligence on Israeli computers. The question is, of course, what it doesn't see, where the breaches in the walls are, and what roles do Hamas and Hezbollah play.
Ophir's team went to work and began to examine computer infrastructures and servers of some of the main administration bodies in Israel, a large proportion of which—as previously mentioned—are civilian.
When the results came, says a person familiar with the subject, Ophir was dumbfounded; he could not believe his eyes. "He said there must have been a mistake…that something was wrong with the data, so they went and checked again, and it turned out that everything was correct." Other experts who examined the report reached similar conclusions.
"I've been in cyber defense for many years and I’ve never seen such a thing," Ophir said during a meeting to present the report's conclusions. "Many computers are infected, including computers in schools, hospitals, the Ministry of Interior, national infrastructures, and more—all infected with malwares (malicious software), including sub-families of malwares—which are the most sophisticated in their operation and form of infection."
Researchers were surprised to discover that some of the malicious software was found deep inside central computer systems, not just on personal desktops used by the government as expected. The mainframe systems are much more difficult for hackers to penetrate.
"The person behind this activity turned it into a form of art," says the source. "This entity has no problem investing tremendous resources and manpower. It's not someone's hobby, and it's not two, three or four units that are responsible for these attacks. It is a country investing whatever it has in these attacks. "
Ophir's team estimated that the manpower required for these cyber attacks against Israel is in the hundreds of people. It's a lot even for a country.
"To write good malware code, you can use Darknet, where you can find 60-70 percent of what you need," Ophir explained in his report. "But the rest must be tailored to the computer you want to hack. Writing that 30 percent is a tremendous effort, not to mention the need to receive the vast amounts of information gathered in this effort ... Whoever did this wanted to know everything about us, to strip us bare."
At the end of the discussion, another bomb was dropped: according to Ophir's team, all these malicious programs were not from Iran, or Hezbollah, or Hamas.
Whoever is responsible for what is defined as "the disease that spreads everywhere—to all organs of the Israeli cyberspace" is a completely different, much more powerful player and, according to an Israeli intelligence source, far more dangerous than anything we’ve ever known.
Two months ago, when the arrest of former minister Gonen Segev on suspicion of spying for Iran came to light—an espionage case that preoccupied Israeli intelligence for years and that only few were privy to—it was revealed that one of the most secretive units of the Israeli intelligence community, the Shin Bet’s department for counter-espionage, worked the case.
Shooting in all directions
Segev, who was accused of espionage and assisting the enemy in its war against Israel, is only the tip of the iceberg in the Iranian efforts to establish secret intelligence infrastructure in Israel.
Tehran sees Israel's intelligence successes against it and other members of the "radical front" (which includes Syria, Hezbollah, Hamas and Islamic Jihad) and tries to produce its own intelligence collection effort against Israeli targets. In the meantime, in this secret war between Tehran and Jerusalem, the Iranians have mainly managed to recruit people whose access to secrets is limited, including—if indeed the allegations against him are true—Gonen Segev.
Segev was an Israeli minister in the early 1990s, and was later convicted of attempting to smuggle 32,000 ecstasy pills into Israel, and was sent to five years in prison. After his release, 3.5 years later, he left Israel and moved to Nigeria.
However, the golden rule of intelligence work is "you only know what you know." Therefore, the working assumption of the counter-espionage unit is that the Iranians may have succeeded in recruiting and operating assets with high access to sensitive Israeli secrets.
The Iranians operate two major intelligence organizations against Israel: the first is the Quds Force, the special unit of the Revolutionary Guards commanded by Qasem Soleimani, which aims to "export" the Islamic revolution to other countries and harm those who try to thwart the Islamic revolution.
The second organization is the Ministry of Intelligence of the Islamic Republic of Iran (MOIS), which bears a resemblance, to a certain degree, to the Mossad. Similar to the Mossad, the MOIS has branches all over the world, and it is this organization that recruited some of the agents operating in Israel.
"The Iranians are shooting in all directions," says an intelligence source who is familiar with the details of the Segev affair as well as other published and unpublished Iranian attempts to recruit Israeli assets.
In other words, according to the source, the Iranians are recruiting as many assets as they can, high quality targets like Segev, and minor targets, like Palestinian agents who have little to contribute to the Iranian organization.
About a decade ago, an unusual incident took place known in the intelligence community as a "walk-in"—a person who willingly walks into a foreign country's embassy or intelligence agency, without prior contact or recruitment, and offers his services as a spy—when a man, whose identity is still confidential, walked into the Iranian intelligence office in Istanbul and divulged information about those he claimed were officials in the Israeli defense establishment.
However, it seems that the heads of the Iranian intelligence branch in Istanbul thought correctly that they had nothing to lose and listened to what this man had to say. In the end, the damage the walk-in caused Israel was minimal.
In 2013, the Shin Bet issued a severe warning to Jews visiting relatives in Iran, against the Iranian Intelligence Ministry’s activities at the Islamic Republic’s consulate in Istanbul. The Israeli agency found out that the Iranians used the Persian Jews' dependence on visas to Iran in order to recruit them as agents.
The damage in this case was also minimal, and the few cases that the Shin Bet exposed did not justify an indictment, so the suspects walked away with just a warning.
Although the information gathered by Iran in these cases was scant, these attempts and others demonstrate the Iranian efforts to infiltrate Israeli intelligence. Most of the effort is focused on gathering ''positive intelligence"—i.e., obtaining information about potential targets, order of battle, location of important individuals, etc. This was the case with Ali Mansouri.
According to the Shin Bet investigation, Mansouri lived in Iran until 1980. He later moved to Turkey and tried his luck as a businessman until 1997, when he was granted a Belgian visa. In 2007, he returned to Iran and resumed his business endeavors. Five years later, he was recruited by the Quds Force as an operative agent against Israel.
Mansouri changed his name to Alex Manes and in 2013 set out with his Belgian passport to Israel on a mission to gather information on embassies and top secret Israeli facilities. He was tasked with establishing a business infrastructure that would serve as a front for Iranian intelligence activities. Therefore, part of his mission was to establish business connections in Israel and take on long-term projects that would warrant a long-term say in Israel.
Mansouri received generous funding, used his windows and roofing business as a front, and tried to establish contacts with Tel Aviv business owners. To help establish his cover story, he even posted a Facebook profile picture of himself with Tel Aviv as a backdrop. When the Shin Bet arrested him in 2013, they found photos of various sensitive sites in Israel, including the American Embassy building.
In January 2018, the Shin Bet uncovered a cell operated by the Quds Force out of South Africa under the command of Muhammad Maharmeh, a computer engineering student from Hebron. Maharmeh, according to a Shin Bet investigation, was recruited by a relative living in South Africa. Among his missions were the recruitment of an Israeli-Arab citizen responsible for photographing Israeli territory and the collection of Israeli money and SIM cards—to be used in future Iranian intelligence operations.
Africa, an area where Iranians feel comfortable to operate in, is also featured in Segev's story. This time it's Nigeria. According to one version, it was the Iranian Intelligence Ministry that approached Segev and asked for a meeting under the guise of an official meeting concerning agriculture and water. According to another version, Segev was the one who initiated contact.
A Shin Bet investigation revealed that Segev visited Iran twice, making it difficult for him to argue that these were mere business trips. His defense team is arguing that Segev updated the Israeli intelligence community and even offered his services as a double agent, but Shin Bet officials flatly reject these claims.
What really happened? The court will decide, but what is certain is that Segev did not inflict serious damage upon Israeli intelligence, for he hasn't been in touch with the circle of decision-makers in two decades.
All of this, of course, does not diminish the severity of his alleged acts—if he is found to have indeed committed them. But these and other cases do point to two important facts: one, the Iranians are indeed trying to infiltrate Israeli intelligence. And two, according only to the cases that have seen the light of day, Iran's success in these endeavors has not been great.
The bigger threat: Russia and China
"Today, the Shin Bet is facing more significant challenges," says a former division commander. These challenges are called China and Russia. In recent years, these world powers countries have been trying to attack Israel in a variety of ways, in a manner similar to those carried out against other Western countries.
The Russian hacking into the servers of the US Democratic Party and the publication of US data stolen by WikiLeaks are regarded as some of the events that paved the way for Donald Trump's victory, and it is now at the center of an FBI investigation led by special investigator Robert Mueller, which is dealing with alleged ties between the Trump campaign and Russian intelligence in the time leading up to the 2016 presidential elections.
The spyware used by the Russians in their international attacks was developed by two Russian hacker groups, dubbed "Fancy Bear" and "Cozy Bear," who are believed to be associated with two Russian intelligence organizations—Russian Military Intelligence (GRU) and the Russian Federal Security Service (FSB).
"The bottom line of Russian espionage is quite clear," says Holger Stark, deputy editor of Die Zeit and one of the most well-known journalists in Germany (who also teamed up with Yedioth Ahronoth on several investigative stories).
"The Russians take everything they can and circulate spyware in very large attacks, across the entire global web, in order to infiltrate as many places as they possibly can," says Stark. "The principle: more attempts—more success. Only in few cases they look for a specific target and execute a tailor-made attack."
Stark said this after one of the Russian "bears" was discovered on the servers of the German parliament, and massive amounts of information was stolen. The information is yet to be published, apparently for two reasons: First, German diplomats and politicians were simply too boring for the Russians, since they couldn't find anything juicy enough to publish.
Second, the German government unequivocally warned Russian President Putin that it would not tolerate the publication of these materials. These "bears," which have also been discovered in Israel, are just an example of the transformation counter-espionage warfare has undergone.
Accordingly, about two years ago, Israel's counter-espionage unit has undergone a major change: "The pursuit of the classic spy wearing a black raincoat is no longer relevant," says a former unit chief. "The environment has changed, the methods have changed, the enemies are no longer the classic enemies, or at least not only them. The unit had to go through a significant change."
The adversary targets map has also grown considerably: Spies not only seek to gather information about the IDF's secret weapons and order of battle, but they also, for example, try to influence democratic government processes.
Many countries around the world invest enormous resources in these fields, "and the reason behind that is clear," the former unit chief adds. "The US and the Soviet Union invested a crazy amount of resources in preparations for war and in building armies and huge missiles fleets. Today, with a much smaller investment, you can get a material that is a lot more significant."
"So it's true that when you hear about thousands of people being recruited for the different cyber divisions of Russian intelligence, it sounds like a lot to us, but you have to remember that when you compare this to investing in real armies, it's nothing," he concluded.
"In today's world, the thought that Gonen Segev was recruited sounds lame, like Gonen Segev himself," says Dr. Nimrod Kozlovski, a lecturer and coordinator of cyber studies at the School of Business Administration at Tel Aviv University.
"What real value is there to someone like Segev? Today, the alternative to classic intelligence gathering, mainly in China and Russia, is a listening device made by Chinese companies (called 'backdoor' or 'Logicbomb' in intelligence jargon) that can be planted inside communications equipment, and since it is a part of the equipment itself, it is very hard to locate. In this way, you can reach the phones of senior officials and plant the device on the switchboards themselves," adds Dr.Kozlovski.
Such espionage is a threat to Israel. A former security officer at a private Israeli company explains: "Because Israel outsources a large part of the Israel defense establishment's activities to private companies that develop classified systems, sometimes it is not necessary to reach the tip of the missile or the system that operates it."
"You can target the logistics or marketing personnel in the company that manufactures the system, or the academics and hi-tech employees who are not on the front line and do not see themselves as targets for attack," the officer said.
In the past couple of years, at the direction of the Shin Bet, security companies have started implementing various measures against Russian and Chinese espionage in Israel. The Shin Bet prevented a large Chinese telephone company from participating in a tender to supply infrastructure to communications systems in Israel.
Some Israeli security companies have banned their employees from using Chinese phones after it was revealed that the Indian prime minister's servers, provided by a Chinese company, were infected with sophisticated viruses.
The agency behind the planting of these viruses was interested not only in security matters, but also—and perhaps mainly—diplomatic, economic and political secrets.
These days, governments abroad are investing a great deal of effort to prevent such foreign infiltrations into political processes.
In their meetings with Israeli colleagues, foreign intelligence personnel talked at length about their concerns regarding Russians and Chinese use of intelligence gathering in order to influence the democratic process in their countries. British sources claimed, for instance, that these attempts had a significant impact on the results of the Brexit referendum.
The Shin Bet refused to cooperate with this article, and so they did not provide an answer to the question of whether attempts to influence politics and politicians in Israel were discovered; but what is true abroad may also be true in Israel.
The first link
To manage these new challenges, the Shin Bet's counter-espionage unit started recruiting manpower from various fields that were not considered necessary in the past: economists, computer engineers, hi-tech employees, and, in short, all those who know how to deal with the new threat.
But even today, Russia and China are still trying to collect information through more classic channels. In recent years, for example, there have been quite a few attempts to penetrate Israel through Israeli industries and academia. Through academic staff members, intelligence agents can get a direct channel to decision-makers—politicians, or senior officials who whisper into politicians' ears.
In recent months, the Shin Bet's counter-espionage personnel have held lectures to increase awareness and explain the current threat in factories, companies and academia.
The Shin Bet personnel presented examples of seemingly innocent inquiries made by one research institute or another. "You may be asked to travel to foreign countries for some conference, and then even get a scholarship... Someone might ask you to write an article on a subject that is not classified and is obviously innocuous. This is the first link in the intelligence-gathering chain," said the lecturer.
The lecturer also described various ways to make contact, all very soft and friendly, including lunch with a Chinese diplomat, invitation to a lecture at the Chinese Cultural Institute, and more. An Israeli academic institution recently refused to open such a cultural center on its property.
A defense company employee who was present at a cultural-academic event said that a Russian source tried to contact him, and he did not understand why, until he was asked about his father, a former very senior IDF officer. Another academic who attended the lecture told the Shin Bet personnel: "Now, after you said all this, I realize that they tried to contact me."
Once the Shin Bet discovers that someone is indeed the target of Russian or Chinese intelligence services, they prefer to put an end to it in the quietest way possible. They turn to the target, warn him that the person who approached him is not innocent, and ask him to cut ties with him. In most cases, the request is immediately fulfilled.
The problem, it seems, lies in public awareness. Recently, security officials conducted an investigation at a classified facility to examine the suspicion of information being leaked through social media. The security officials logged into the network with a fake profile, and within a short period of time managed to obtain the classified information in question by getting other users to talk. This was an embarrassing incident.
Roie Yellinek, a doctoral researcher at Bar-Ilan University and a member of the Begin-Sadat Center for Strategic Studies, tried to raise awareness for this threat by setting up a special forum about China. "I turned to one of the academic institutions that specialize in the cyber world. During the meeting, to which I was invited with great enthusiasm, a distinguished professor entered, and when he heard what we were talking about, he said, 'Talking about Russian espionage or cyber threats is a red flag, talking about Chinese espionage or cyber threats is a dark red flag,' and immediately left the room."
Another method, which the Chinese have made into an art, is business contacts. "Every meeting with the Chinese usually has between four to six representatives," says the CEO of an Israeli security company who attended several such meetings.
"Only one of them speaks, and he apparently does not speak English—there’s an interpreter—but it is clear that everyone understands English very well. Sometimes they even write what was said on paper or on computers before it is translated," the CEO added.
In this way, the Chinese can move quickly, control the situation, digest the data, and keep the entire conversation focused on a direction of their choice, undisturbed.
The conversation in many cases begins with words of flattery for the State of Israel and for the Jewish people. The same CEO—who attested to holding more than 10 negotiations with various Chinese officials over the last three years, some private, some governmental (including Chinese intelligence organizations)—says: "It's as if everyone is reading the same book, instructions for an intelligence agent on how to make contact with Israelis and flatter them. They say: 'We are a 5,000-year-old culture, you are the Jewish people, a culture of 3,500 years, and the Americans are only 200 years old and busy at McDonald's. We admire you for the way you managed to preserve your culture despite 2,000 years of exile, and there are many similarities between our culture and yours.'"
Then, the Chinese begin to show interest in the Israeli company and its products. "They are alert, knowledgeable, and want to know everything. They write down everything we say, and they are interested in everything we have to tell them," the CEO explains.
Dr. Avner Barnea, a former senior officer in the counter-espionage unit of the Shin Bet and now one of Israel's leading intelligence experts, says: "We don't see the Russians much, but at the intelligence conferences I attend, there is a large presence of Chinese. Some are private companies' representatives; some are obviously government representatives, they all speak excellent English.
"Competitive intelligence is of great interest to them. When you try explaining to them that 80 percent of the world's 500 largest companies deal with competitive intelligence—most companies are careful to do so only in accordance with the law, without the use of cyber measures, without recruiting agents, without committing espionage in the criminal sense—their reaction is always the same: they listen but some remain unconvinced."
According to Dr. Barnea, "the Chinese give you the feeling that they need deep espionage, and that overt sources are not enough for them. You understand very well what is going on, which they do not discuss."
During the negotiation process, the Chinese learn a great deal about the company's products, its personnel, and its sales system. There are some cases in which the parties start formulating a contract—the price of which is usually much higher than any offer the Israeli company has received in the past from non-Chinese parties—and then, just before signing the contract, the Chinese announce that the deal is off.
"Sometimes they just disappear," says the marketing manager of an Israeli cyber company that was approached by the Chinese.
Once, a Chinese company paid an advance fee of millions of dollars they could not get back, because suspicious Israelis who heard stories about the Chinese demanded they show their serious intentions. So the Chinese showed the Israelis they are serious, they paid, but when negotiations advanced, the Chinese decided to walk away from the deal.
Many Israeli companies experienced this before. "In the end, it turns out that behind all these deals, the Chinese have no desire to actually buy. Instead, they wish to study you and spy on you," says the CEO of a cyber company.
"During negotiations, the Chinese derive information about the business model, the type of technology used, the clients, the company's trade secrets, and then they evaporate," the CEO explained.
Other Israeli companies encountered even less subtle Chinese espionage attempts.
One day, a Chinese delegation arrived in Herzliya to discuss the purchase of a large Israeli security technology company. They offered an astronomical sum, something like four times the best bid submitted by a Western company. "Then, in the middle of the meeting," recalls one of the company's managers, "one of the Chinese businessmen got out of the room without even asking where the bathroom was.
"It took me a minute or two to realize that and to remember that he had left carrying his bag. I went after him and saw him wandering around the company's offices with the bag, which I have no doubt carried a camera or some kind of transmission equipment for cyber attacks," said the manager.
Another company's CEO recounted his visit to Beijing, where he met—with the permission of the Ministry of Defense and the Mossad—with a Chinese intelligence agency: "We arrived there and took all necessary measures to protect our information. I put my phone in the interim parking lot in Germany and got another phone, clean this time. The laptop I brought with me was also new and contained only a few presentations. When we got back, we took all our 'clean' devices and discovered that each and every one of them was infected, from head to toe, with innumerable spyware that were transplanted into the devices through the WiFi networks in our hotels. We had to throw all of these devices into the trash because we weren't sure we could wipe out all the viruses."
Why are Israelis so afraid to talk about this? Dr. Kozlovsky explains: "Because there are Israeli companies that are doing exactly the same things. That is, the development of hacking and cyber espionage tools, so what grievance can we have against the Chinese?"
"Not only that, no one has a problem trash-talking Iran or Hezbollah, but no one—not the Israeli government, not academics, and certainly not private business entities—wants to poke the Russian Bear or the Chinese giant that has long awakened," Dr. Kozlovsky concluded.
