In early 2021, a team from Sygnia was called in to deal with an intrusion into the systems of a US technology company that develops and manufactures Wi-Fi equipment, and that has a $15 billion market cap. The company received an anonymous email demanding a ransom payment of 50 Bitcoins (about $1.9 million at the time), in exchange for restoring confidential information stolen from its systems, and revealing the back door that made the hack possible. After the company refused to pay, the attacker posted some of the information publicly.
A team of five staffers from Sygnia, a Tel Aviv-based company that employs mainly people who have served in the IDF’s 8200 signals intelligence unit, first examined the source of the hack and discovered that the theft of data and code had begun as early as December 10, 2020, about a month before the ransom demand. The intruders used a VPN to disguise their Internet address, but close monitoring revealed a surprising detail.
At around three o’clock in the morning of December 22, the attacker’s IP address suddenly changed. Sygnia’s people were stunned to discover that the address belonged to the computer of none other than a senior employee of their client, someone who had even been an active participant in investigating the break-in. It turned out that the error that revealed the real IP address occurred after the employee’s home Internet crashed briefly and disconnected the VPN.
A strange bird in the Israeli high-tech sector
Following the discovery, the company fired the employee and passed the information to the FBI, who raided the employee’s home in Portland, Oregon. During the investigation, it was discovered, among other things, that he had used his PayPal account to purchase a subscription for the same VPN service he later used to disguise the hack of the company. In his defense, the employee claimed that someone had stolen his password to purchase the VPN. In December, 2021 the FBI officially arrested the employee, who is expected to stand trial on a series of charges, the principle one carrying a maximum sentence of 20 years in prison.
Sygnia – which Forbes magazine termed “The Delta Force of Information Security” – was founded in 2015 by Team8, the Israeli cybersecurity think-tank and company creation platform, and four founders: Shachar Levy, Ariel Smoler, Arick Goomanovsky, and Ami Kor. In its first three years, the company raised a modest $4.3 million. In 2018, Temasek, the Singapore government’s giant holding company, acquired about 80% of Sygnia at a valuation of $250 million. Temasek is now exercising its option to acquire the remaining 20% of Sygnia, which currently employs a staff of 150, located mostly on two floors in Tel Aviv’s Alon Towers.
Although it has been around for years, Sygnia’s operations have mostly remained under the radar, and are now being fully revealed for the first time. In many ways, Sygnia is a strange bird in the Israeli high-tech sector, very different from most of its high-tech neighbors in the Alon Towers. Unlike the majority of Israeli high-tech companies, Sygnia does not develop and sell products to customers, but is instead a consulting and services company.
The primary service provided by Sygnia is diagnostics and consulting for enterprises regarding their information security strategy. This includes operating “Red Teams” that simulate hack attacks on the organization to locate vulnerabilities. In this area, Sygnia competes with the world’s largest accounting and consulting firms such as Boston Consulting Group and McKinsey, which also offer diagnostics.
Sygnia’s second and more interesting service is a real-time response to cyber incidents. As part of this service, Sygnia teams are called in by customers, (in the past physically, and in the Covid-19 era, mostly virtually), to investigate cyberattacks around the world, stop intruders from progressing, disconnect them from the Internet, and repair the breach.
Customers come by word of mouth
Payment for such work will start at tens of thousands of dollars for a relatively small project, continue to $100,000-200,000 for a task force working for two weeks, and can reach up to a million dollars in the case of a long, large and complex event. The market leader in this field is Mandiant, a company founded in 2004 by a former US Air Force cyber-fraud researcher that is currently traded at a $4 billion market cap. According to recent reports, Microsoft is interested in acquiring Mandiant.
Other players in the field are companies that develop products to protect computers and mobile phones and, as an ancillary product, also provide incident response services for cyber incidents, such as US-based CrowdStrike and Israel’s Cyberzen.
Since the acquisition by Temasek, four of Sygnia’s founders have left the company. Over the past year, it has been managed by CEO Ram Elboim, himself a former 8200 officer, a former entrepreneur, and a former director at Verint. In conversation with Globes, Elboim talks about the change in concept the company is currently going through: “In the past, we considered ourselves a boutique company dealing with the most sophisticated attacks by state and criminal organizations, so we didn’t need exposure. But in my opinion, to grow significantly, we need to be known.”
Elboim declined to disclose customer names on the grounds of confidentiality agreements. All names that appear in this article come from previous reports in Israel or abroad, such as Sygnia’s involvement in investigating a cyberattack on Ben-Gurion University of the Negev, or an independent investigation by Globes based on general case studies published by Sygnia. Elboim also refused to comment on revenue, but market sources estimate it at about $30-40 million last year, and that the company has been profitable from the beginning.
When it was founded in 2015, Sygnia initially targeted the large US legal market. Law firms, especially those handling transactions involving Chinese and Russian companies, have experienced many intrusions and attacks coming from these countries. These purpose of these break-ins was to uncover economic information and intellectual property belonging to the Russian and Chinese companies, sometimes to give their competitors in those countries a competitive edge. Since then, Sygnia has expanded, and today it also provides services to huge international corporations.
The development of the cyber-attack market
In recent years, cyber-attacks have become more specialized and commercialized. One model that has gained momentum worldwide is Ransomware as a Service (RaaS), where professional gangs develop the tools, capabilities and working methods needed to carry out ransomware attacks. These tools are then rented out to operators around the world for a share of the profits, usually 20% -30%.
Both attack tool developers and the attackers themselves are not at great risk, because they make sure to operate only in countries other than their own. Any arrest would require a long process of international cooperation between police. For example, the tools of malware developer BlackByte, a group recently identified by US authorities, are coded not to encrypt the data of systems that use Russian or languages of countries of the former Soviet Union, presumably so as not to be embroiled with the authorities in its home country, believed to be Russia.
A rare instance of a gang that has developed a cyber-attack weapon being arrested happened early this year. The tool developed and distributed by the REvil gang had been involved in some of the largest cyberattacks in recent years. Last May, for example, REvil’s malware shut down production at the JBS meat processing plants in Australia, Canada and the US, forcing the company to pay $11 million in Bitcoin to end the attack. In January, in atypical fashion, Russian authorities announced they had arrested the gang members, and confiscated about $5.5 million in cash, as well as 20 luxury cars.
According to a BBC podcast broadcast last July, REvil’s malware was used to infiltrate the Harris Federation network of school academies, where some 38,000 students from low-income families study. The hackers encrypted large amounts of data, made it inaccessible, and at the same time copied information from the school’s files, and threatened to sell it, a method known as “Double Extortion.” The attackers demanded a $4 million payment from the Harris Federation, an amount that was later doubled. To stop the hack attacks from progressing, all the computers on the school’s network were shut down – even the electronic doors and gates did not work.
The school did not pay the ransom and some of the information was indeed published on the Dark Net. During the negotiations, however, and aided by Sygnia’s team, the vulnerability that enabled the infiltration to take place was identified and blocked. 40,000 computers in schools were then scanned in a five-week process to make sure none of REvil’s software malware was on them. The event cost the school half a million pounds.
Some cyber-attackers enjoy not only government protection, but even active government support. This is the case with the Iran-backed Charming Kitten group, which has been operating against targets in Israel and the US since 2014. Initially, the group’s goal was solely to gather information relevant to Iran, but recently it has also been linked to ransomware attacks to extort money.
Sygnia found Charming Kitten’s fingerprints all over an attack on an Israeli service provider in late 2021. The group broke through a known vulnerability in Microsoft’s mail server and from there tried to advance within the network and, using a technique called “lateral movement,” obtain additional permissions to additional servers. After identifying the hackers’ entry point, Sygnia’s team was able to detect an error in Charming Kitten’s tool settings. The mistake exposed the group’s 150 potential targets in Israel and the information was transferred to the Israel National Cyber Directorate.
Elboim argues that if a state intelligence organization targets a specific company and directs its capabilities towards it, it will likely be impossible to fend off the attack. “But remember that not every group supported by the government of Iran or another country is so sophisticated, and they won’t always invest all their resources in attacking a particular organization,” Elboim explains. “These groups often act opportunistically to exploit known vulnerabilities that haven’t yet been fixed. They aren’t targeting one specific organization – they’re trying to attack ten organizations and see who they can get to first.”
Attack effects and after-effects
Dealing with cyberattacks is a technological matter, but it also has a psychological component. Being hacked can be a very unpleasant surprise for an organization, and can lead to improper responses. The assumption that the attack is an inside job – which in most cases turns out to be untrue – only adds to the pressure and hysteria.
“The reaction of an inexperienced organization that’s panicking can be devastating,” Elboim says. “The organization might wipe its servers, delete logs, and make changes to the network that will actually allow an attacker to move deeper. Responses like these can notify attackers that they’ve been detected, and cause them to immediately take actions that they’d intended to wait on. A hacker that’s been detected will try to disguise their actions making them even harder to detect. And ill-considered messages to the stock exchange and regulators can create unnecessary panic and adversely affect a company’s results. “
Targets may still feel anxious, even long after an attack has ended. Sygnia lore tells of a CEO at a large enterprise whose inbox was tracked by hackers for four years, with many trade secrets stolen. Two years after the attack was neutralized, the CEO’s computer suffered a minor technical glitch. In light of past experience, the CEO was so alarmed, he demanded a Sygnia team fly in over the ocean immediately to check his computer, in case he had been attacked again.
Published by Globes, Israel business news – en.globes.co.il – on March 2, 2022.
© Copyright of Globes Publisher Itonut (1983) Ltd., 2022.