Israel-based threat actors show growing sophistication of email attacks

A threat group based in Israel is behind attacks in recent weeks, according to a report from email security firm Abnormal Security. The concern’s new threat report tracked some 350 business email compromise exploits dating back to February 2021 perpetrated by the group.

While this is not the first time there has been an attack out of Israel, it is highly unusual. According to Abnormal, 74% of all attacks the firm analyzed over the past year were from Nigeria.

Mike Britton, the chief information security officer at Abnormal, said that while it is not unexpected that sophisticated threat actors would emerge from a skilled, innovative technology ecosystem, Asia, Israel — in fact the Middle East, generally — are bases for BEC attackers.

“Comparatively, countries in Asian and Middle Eastern are at the bottom of the list, with only 1.2% and 0.5% of BEC actors, respectively,” he said, adding a caveat: “Unfortunately, our research cannot definitively say the threat actors are Israeli — just that we have confidence they are operating out of Israel (Figure A).”

Figure A

Israel has typically been a target most recently of a series of DDoS attacks timed with the annual OpIsrael coordinated cyber attack campaign.

The study reported that, after Africa, the U.K. is the (distant) second-most prominent source of BEC attacks, accounting for 5.8% of attacks, followed by South Africa, the U.S., Turkey and Canada.

Britton said the sophistication of the attackers’ methods shows how cybercriminals, once relying on generic phishing campaigns, have had to adapt to organizations’ evolving defensive postures and employee training.

“Instead of generic phishing emails, we’re seeing the rise of highly sophisticated, socially engineered BEC attacks that can evade detection at many organizations,” he said.

According to the Abnormal study, the Israel-based attackers’ methods include:

• Spoofing the senior leaders who would actually make financial transactions.
• Using two personas, one inside and one outside the target company.
• Spoofing email addresses using real domains.
• Updating the sending display name to make it look like emails were coming from the CEO if the target organization had a DMARC policy that would prevent email spoofing.
• Translating emails into the language that their target organization would ordinarily use.

Abnormal said the framework of the attacks involves internal and external message vectors — real people, spoofed, within and outside of the target organization — with the former frequently being the targeted company’s CEO (Figure B).

Figure B

• The attack involves a message from the “executive” to the phished employee notifying them of an impending acquisition and requesting they send an initial payment.
• Then the attackers bring in an external vector, a real attorney practicing mergers and acquisitions usually in firms out of the United Kingdom, often at the global firm KPMG.

“In some campaigns, once the attack has reached this second stage, the group asks to transition the conversation from email to a voice call via WhatsApp, both to expedite the attack and to minimize the trail of evidence,” said the firm.

The study said:

• The attackers target multinational enterprises with more than $10 billion in average annual revenue.
• Across these targeted organizations, employees from 61 countries across six continents received emails.
• The average amount requested in an attack is $712,000, more than ten times the average BEC attack.
• Most emails from this threat group are written in English, but they are also translated into Spanish, French, Italian and Japanese.
• Eighty percent of attacks from this group happened in March, June-July, and October-December.

Britton said that, although the attackers are in Israel, the motivation is the same as with non-state actors: quick money. “What is interesting is that these attackers are based in Israel, which is not a country historically connected to cybercrime, and which has traditionally been a location where cybersecurity innovation is prevalent,” he said.

He said the firm has watched BEC attacks increase in severity with the amount of money requested being significantly higher than Abnormal has since in the past.

“Email has always been (and will continue to be) a lucrative attack vector for cybercriminals. Because of this, we will likely see threat actors continue to evolve their tactics, test new approaches, and become even more targeted and sophisticated in their attempts to compromise email users,” he said, adding that Slack, Zoom and Microsoft Teams are becoming more important as threat surfaces as attackers seek new entry points.

Visibility and automation are security against BECs

Beyond training potential human targets to know the signs of BEC exploits, Abnormal advocates automated defense that snags BECs before they reach a target by using behavioral AI to create a baseline for normative email traffic and can therefore ping anomalies early.

“To account for emerging threats across collaboration apps, consolidating visibility across all communications tools will significantly improve security teams’ ability to detect suspicious and malicious activity — no matter where attacks originate,” said Britton.