Executives of top telecom firms accused of spying on each other. A jealous ex-husband suspected of monitoring his former in-laws. Private investigators implicated in computer-hacking-for-hire; one now involved in a possible attempted suicide. So much bad publicity, government officials worry it might impact the entire nation’s economy.
At the center of it all — a tiny computer program that’s caused the biggest corporate scandal anyone in Israel can remember.
Most consumers have heard of software that can spy on them, and their computers. Such malicious software is often brazenly marketed to spouses who suspect their mate is cheating. But that same technology, sometimes called a Trojan horse, because it sneaks onto a victim’s computer in disguise, can be used to commit brazen acts of industrial espionage.
And U.S. experts say what happened in Israel could — and probably already has — happen here.
Israel is now reeling from what some are calling “Trojangate,” a corporate scandal that has dominated news coverage there since it was revealed May 29. Already, there have been nearly 20 arrests. Published reports indicate mountains of documents have been stolen from dozens of top Israeli firms. Some 100 servers loaded with stolen data have been seized.
But Trojangate, experts say, is not unique. It’s just the first time a major cyber-espionage case has been unmasked by law enforcement. There's evidence suggesting U.S. firms have already been targeted by similar attacks.
Last fall, banks in the New York area were targeted by a program designed to infect only certain financial institution computers and obtain critical bank passwords, according to Webroot Software’s Richard Stiennon, who studies emerging threats for the anti-spyware firm. At the time, he was an analyst with the Gartner research firm, and he helped the banks complain to their anti-virus providers.
Also last year, anti-virus firm MessageLabs discovered a Trojan horse designed specifically to attack a type of software used only in airplane design.
“The phenomenon should worry everyone,” said Baruch Gindin, managing director of Gartner's Middle East operations, based in Israel. “There is nothing unique to Israel here. The technology is simple to use. This is a moral issue rather than a technology issue.”
The coming of ‘targeted attacks’
Some call the program used in the Israeli case a computer virus; others, spyware. But whatever the lingo, those doing the Internet's really dirty work are much more subtle than their predecessors. The authors of the Melissa and LoveBug viruses wanted to infect as many computers as possible. Those who make adware and spyware want to hijack as many machines as possible and display as many pop-up ads as they can, or steal as many passwords as they can.
But the program used in Israel, , takes a very different tactic. It’s narrowly focused. It doesn’t call attention to itself. And it operates well below the radar of most modern anti-virus and anti-spyware products. Those computer safety products generally rely on lists of known malicious programs, which they hunt for on a user’s computer. But to do so, the security firms need to know what they are looking for. Before the Israeli investigation was revealed two weeks ago, no one in the security industry had a copy of Rona, so anti-spyware and anti-virus software didn't spot it.
“The problem for anti-virus companies was they couldn’t detect this threat because they hadn’t seen a sample,” said Maksym Schipka, a London-based virus expert at MessageLabs. “The scary part of this story is for one and a half years nobody even thought they may be infected. Nobody could imagine they had malware installed on their system.”
That’s why experts say the next great Internet threat, and perhaps the first very real threat, is the advent of what are being called "targeted attacks." Targeted attacks, by hackers for hire, could steal millions of dollars worth of corporate secrets and never be detected. That's far more dangerous than pranksters overwhelming a Web site with traffic for a few hours.
Assessing the size of the corporate espionage problem has always been a challenge; companies struck by it rarely speak out. But privacy expert Larry Ponemon, a former auditor who was at Price-Waterhouse Coopers five years ago when it published the most recent landmark study on espionage, says its far more common than many realize.
“Unless you've been on the inside you don't understand how pervasive this problem is," he said.
In 1999, PriceWaterHouse Coopers said U.S. firms lose $45 billion to espionage, nearly twice the estimate given a few years before by the FBI.
High-tech tools can only be making things worse, Ponemon said. Hiring employees to infiltrate the competition, or to dig through their trash, as Oracle’s Larry Ellison did five years ago to spy on Microsoft, is hard work. Particularly when there’s a simpler way.
Electronic dumpster diving
Rob Douglas is a former private investigator who now runs PrivacyToday.com. In his prior life he said he committed what he believes were several acts of legally permissible industrial espionage — hunting for what his clients called “competitive intelligence.” One time he was paid $10,000 to attend a trade show, pose as a company executive and buy a competitor’s technology. His employer planned to reverse engineer the hardware to see if their technology had been copied. In another incident, he was paid by a boating association to “dumpster dive” on another boating association for corporate data the association had discarded as trash.
While Douglas said he believes the surreptitious use of Trojan horse software is clearly illegal, he fears that for some unscrupulous private investigators stealing such data remotely is simply the next logical step.
“This is the electronic version of dumpster diving,” he said. “For private investigators that would spend hundreds of hours dumpster diving, digging through dirty trash, with all the risks you have, electronic dumpster diving is much easier. And it's 100 percent accurate. You’re not digging through junk, bags of dog poop thrown in the trash, that kind of thing.”
Discussion lists for private investigators were abuzz with Trojan talk after the Israeli incident. Private investigators rarely publicly disclose their methods, but many PI Web sites do sell such spying software, designed to evade detection by anti-virus and anti-spyware computers.
Six months ago, Ponemon said, he would have dismissed the possibility of a Trojangate in the U.S. But a research project he’s now conducting for his current firm, The Ponemon Institute, has convinced him otherwise. He’s placed a computer with fake critical business documents on the Internet, a honeypot, designed to entice hackers and study their techniques. What he’s learned: Virus writers are now authoring programs designed specifically to look for documents flagged as “confidential” or "critical." They’ve also built software that can quickly index information on spy-software attacked computers — a sort of Google for economic espionage —to make sorting through mountains of stolen data easy.
“I'm starting to believe it could be much more common,” Ponemon said. “If you asked me this question three or four months ago, I would say we're giving too much credit to the criminal. But we are starting to see these technologies. … I'm really worried now.”
Security consultants like Ponemon are hamstrung in what they can say by non-disclosure agreements; their claims of massive data theft sometimes fall flat — or suffer utter disbelief — without the supporting details. That’s why the Israeli incident is both important and fascinating for security experts; it offers a glimpse of the world of economic espionage rarely seen by outsiders. It is perhaps the first definite proof that this kind of thing actually happens.
Jealousy and booby-trapped CDs
The tale has all the makings of a made-for-TV movie. The only reason authorities caught on, apparently, was jealousy. The scheme unraveled when Israeli author Amnon Jackont stumbled on portions of a book he was writing — but had not published or shared with anyone — on the Internet. After initial confusion, Jackont suspected his computer was bugged. His suspicions soon focused on his daughter's ex-husband, Michael Haephrati; the couple went through a messy divorce eight years ago.
When police investigated Jackont's computer they say they found the "Rona" Trojan horse program and were able to trace it back to Haephrati, who now lives in Britain. The investigation quickly widened, however, as police uncovered scores of other bugged computers. In addition to what reads like a who's who of Israel's telecom industry, victims included the local divisions of Hewlett-Packard and the Ace hardware chain.
Police accuse Haephrati, 41, of selling the program to private investigators, knowing they intended to use it to commit corporate espionage. In addition to Haephrati, executives from three of Israel's biggest private investigative firms have been arrested. One, 54-year-old Yitzhak Rath, who heads the Modi'in Ezrahi agency, fell from a three-story building earlier this week. Rath sustained head and spinal cord injuries, according to the Israeli newspaper Haaretz. Police are unsure whether it was an accident, an attempted suicide or even an attempted murder.
Gindin said the attackers were clever — they apparently send CD-ROMs with business proposals to the target firms. Once the CDs were loaded, the Trojan horse was secretly installed. The CDs were often sent to marketing managers and others who would be in a position to have early knowledge of company product development, he said.
How common are such cases?
John Fialka, author of "War by Other Means: Economic Espionage in America," wrote seven years ago about the threat U.S. firms face from widespread espionage efforts. The drama of the Israeli incident doesn't surprise him.
“People seem shocked when it happens. They shouldn’t. The threat has always been there. The risk is huge,” Fialka, now a reporter at The Wall Street Journal, said.
“There’s not more information because companies keep it a secret," he said. "There is incredible disinformation that surrounds this area. If you are a big corporation and you find a Trojan horse in your computer, the first problem you have is, ‘Do you tell anybody or just absorb the information?’ ”
There's no question that the technology is easily accessible. Stiennon, from anti-spyware firm Webroot, says there are currently 4,000 known pieces of spyware in the world, capable of copying and transmitting every key typed on a computer to a spy. And, as was the case with the Rona spyware, a would-be spy can always take an existing keystroke-logging program and alter it slightly so it slips under the radar of anti-virus programs — creating a targeted attack that could go undetected for months.
Still, Stiennon is not among the crowd who thinks U.S. firms are busily spying on each other this way.
“My guess is it would be as rare as Enron-style fraud,” he said. “It wouldn't surprise me if it’s going on; but it would surprise me a lot if it was common everywhere.”
Richard Smith, a noted cybersleuth who runs ComputerBytesMan.com, has much the same perspective. He said he thinks the risk of cybersnooping on competitors would be too steep for most U.S. firms, who would pay a dear public relations price if exposed.
“It’s got to be going on to some degree. But I don't think name-brand companies would be doing this,” he said.
'Our guard should be up'
There are other risks from targeted attacks, however: hacktivists, who wanted to disrupt U.S. firms, would likely be eager to expose the inner workings of companies they were targeting. And this method would be an easy way to do it.
“A company could be hurt very badly,” Smith said. “I see that as a huge risk, a company being embarrassed in the public eye.”
Fialka, the espionage author, said he sees the threat in broader terms. He says foreign governments, particularly China, have targeted U.S. business intelligence for years. While U.S. firms might not spy on other U.S. firms, the threat of nation-sponsored electronic corporate espionage is real.
“Our guard should be up, but it’s not,” he said.
Gadi Evron, an Internet security manager for the Israeli government, also sees things that way. He says he was approached twice in the computer underground with hacker-for-hire offers; he turned both down, but learned there is plenty of easy money to be made in a world where corporate intelligence is so valuable, and remote hacking is so easy. Reportedly, companies were paying $4,000 for each hijacked PC in the Trojangate case.
“Today, the business case behind Trojan horses is significant,” Evron said. “This used to be a game of kids trading candies. Today, the money involved is quite significant. … I'd say that this kind of thing is commonplace globally.”