Skip to content

Trojan-Horse Espionage in Israel -- A Tip of an Iceberg

About one week ago, a serious commercial espionage system was discovered in Israel. For years, several large-scale companies in Israel enjoyed inside information about their competitors using private investigators who were using a Trojan horse application that was planted on victims’ workstations. More details can be found in this Globes article.

Obviously, the topic made it to the national news primarily because it involved high-profile companies in Israel, companies that “everybody knows", and because it led to the arrest of several top executives. It’s the first time such a large scale espionage act is discovered in Israel, and this is new, but the rest is not.

The technology is everything but new. I have been aware of commercial-espionage Trojan horses for a decade, and I am sure they were there long before. The technology for implanting these trojans is not new either, and so isn’t the mechanism they are likely to have used to scan the accessible data and to pass it out. The novelty of this story is that it involved high profile companies, and that it was eventually discovered. There is no reason to believe that this is the first and only Trojan-horse based espionage act against and/or by large corporations. It’s the first time we get news coverage of such acts just because this is the first time that it is discovered.

I believe there are dozens of such stories out there in Israel alone, waiting to be told, but a few mistakes that were made by the Trojan-horse author have made this story the only one that was revealed and published.

First, the issue would have never been exposed wasn’t some of the stolen data published on a web-site for all to see. Really, it doesn’t take Sherlock Holmes to figure out that data stolen by hidden methods should not be made available to the public in a way that will obviously attract unwanted attention. Wasn’t Jackont’s to-be-published book put on-line, no investigation would start and no one would look for any Trojan Horse anywhere. We may just believe that people who use malware for business espionage alone, without the “personal touch” in the shape of a desire to get at the ex-father-in-law, do not boast their findings on-line as if to trigger investigation.

Second, it seems as Haefrati, the author of the Trojan Horse, made one big mistake never to be made by malware authors: he programmed the Trojan-horse to send the stolen data to FTP servers that could be affiliated with himself. Most hackers use compromised (taken-over) computers on the net to store stolen information, such as credit-card numbers; computers that can never be linked to the hacker by visible legal means. In general, the moment one pays for the use of a server, the money draws a non-repudiated trail from the server to the legal entity of the user; a big no-no of hackers. I do not know if Haefrati paid for the use of the FTP server, but we do know that the path from him to server (and vice-versa!) was clear enough to be followed.

Third, it seems as no countermeasures were used to obfuscate the source and nature of the stolen documents. Espionage hackers are likely to be much more careful. Were simple and widely-used technologies such as asymmetric encryption and TOR’ing deployed, it would have been very hard to follow the path from the storage server back to all the victims and it would have been extremely hard to identify the material on the storage server as belonging to the victim and as being this and that data and not other.

These three mistakes are ones that are probably avoided by developers of espionage malware who employ enough manpower, time, and resources into the design of the Trojan-horse, and who have no personal involvement with any of their victims. That said, one may only wonder how many other espionage systems in similar scales were not discovered yet and may never be.


No Trackbacks


Display comments as Linear | Threaded

No comments

Add Comment

Markdown format allowed
Enclosing asterisks marks text as bold (*word*), underscore are made via (_word_), else escape with (\_).
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Form options

Submitted comments will be subject to moderation before being displayed.