
Cyber Toufan goes Oprah mode, with free Linux system wipes of over 100 organisations

DoublePulsar

Dec 28, 2023

For the past 6 or so weeks, I’ve been tracking Cyber Toufan on Telegram. They appeared in November, and they’ve been very busy and very naughty boys. They actually set up their infrastructure around October, and started owning things apparently undetected.

They’re not a lame DDoS pretend hacktivist group like NoName016 — instead, they claim to be Palestinian state cyber warriors. (Might they be Iran? Who cares?). They target orgs with interests in Israel.

They’ve been wiping systems — a lot of them — and dumping stolen data online.

To lay it out, several factors got my attention as this being unusual:

  • They’re not ransomware or DDoS kids.
  • They’ve compromised a lot of orgs.
  • They’ve caused so much damage that many of the orgs — almost a third, in fact, haven’t been able to recover. Some of these are still fully offline over a month later, and the wiped victims are a mix of private companies and Israeli state government entities.
  • I am tracking 59 orgs where they have released data dumps, and a further 40 or so who got hit in a mass MSP (Managed Service Provider) wipe.
  • Three of the victims are cybersecurity vendors, and I suspect they may have access to another larger infosec vendor that they haven’t disclosed.
  • Data they have published includes a complete server disk image, SSL certificates with private keys to a host of domains (which still haven’t been revoked and are still in use), SQL and CRM dumps. Even Wordpress backups, as apparently people build CRMs on Wordpress nowadays (I’m old).

The primary victims

ACE Israel
Shefa Online
Israeli National Archive
Radware
MAX Security & Intelligence
Israel Innovation Authority
Ikea Israel
Berkshire eSupply
Keter Group
ISCAR Ltd
Homecenter Israel
Israel Nature and Parks
The Academic College of Tel Aviv
Lumenis
Toyota Israel
Back2School website of H&O
Israel Ministry of Health
SodaStream
Camel Griding Wheels
RESERVED
Seacret
Carter’s-Oshkosh Israel
Hagarin
H&O Fashion
Osem-Nestle
Bermad
ZapGroup Israel
Novolog Israel
Semicom
kravitz
Biopet
GS1 Israel
Audi Dagan Insurance Agency
Ministry of Welfare and Social Security
Scope Metals Group Ltd
SpaceX
Brother Israel
Graf
Dorot
CURVER
Techno-Rezef
Ta-Supply
NaanDan
US TOOLGROUP
Strauss Group
Zoko Enterprises
TEFEN Flow and Dosing Technologies Ltd
Erco
Teldor
SuperPharm
BConnect Technologies
Allot Ltd
Palram Industries Ltd
Israel Securities Authority
ICL Industrial
A.R.I.
Carolina Lemke
Maytronics Ltd
Israel State Payment Gateway

Ones in bold are still offline. This does not include lots of smaller orgs who got wiped, as the list becomes too long to manage.

Example org, CURVER:

You may notice some tasty ones in there — for example, Allot — who sell TLS (encryption) middleware interception and safety equipment to telcos, ISPs and, Cyber Toufan allege, nation states via front companies — where the front company details themselves are listed. If you google Allot TLS, you’ll get the idea.

Cyber Toufan appear to have been careful with targeting — with all of the victims, there’s a clear link to Israel and their objective. This isn’t a ‘spray and pray’ situation, and it looks like quite a lot of work has gone into things.

I’ve seen discussion online that the victims are all customers of Signature-IT — however, from my tracking that is not the whole picture. Many are — but many are not. A lot of them offer online shops. It is very clear that Signature-IT have been compromised, however, and are very much involved in what happened:

So what’s happening really?

It’s too early to say exactly what happened, but there are several MSPs in common involved, and it seems likely there’s some kind of supply chain element — perhaps a common DevOps library.

For example, one victim org is Graf on December 16th:

If you try visiting Graf’s website today, 12 days later, you will see the site is offline but the TLS certificate is via an Israeli company called Joomi:

Cyber Toufan actually posted an animated GIF of themselves inside Joomi’s Bitbucket account the day before:

Joomi’s Bitbucket repository is not publicly viewable, so clearly Cyber Toufan got into the chain somehow. Joomi describe themselves as: “Joomi Corporation, a software company specializing in developing open source systems” and online searches reveal they are tied into the Magento (online shop) ecosystem. Joomi are also using *drumroll* Signature-IT for hosting.

What do they do when they gain access?

From looking at victims, Cyber Toufan use Linux, and stay on Linux systems. This is smart as many orgs have little to no detection on Linux, but have invested in Windows detection instead.

They do various things, including living off the land. For example, they use the legitimate tool shred to delete files in an unrecoverable fashion. They use their own shell script to run shred, and configure it so it keeps running if an admin kill -9’s the process. They shred /.

In terms of artefacts, they drop two scripts — initvm.sh (file hash 5accd9e0c215f9d10119ab8c6378e1a848b9f605955aa785f81c4a79ca0d93c0) and deploy.sh. There’s 0 AV vendor detection for these scripts, despite them wiping the root filesystem and evading termination.

Additionally, they may deploy Tor in /var/lib/tor (including just using apt or yum to install it), and configure the server as a Tor hidden service — this allows them to retain remote access, as long as outbound traffic is allowed to Tor. So even if you firewall off all incoming network traffic, if outgoing traffic is allowed they can still reach back to the server.

They will do light recon on the network for things like backup systems.

Where do they dump data, and what else do they do?

They dump data on Telegram. One modern challenge is that many of the large hacking groups nowadays operate in the open on Telegram, in public Telegram groups. I think people think hackers are in hoodies, hiding everything they do. Not so: in the space year 2023, people hack with their wangs out, on Telegram.

They also like to email the customers of victims. For example, they email customers of Signature-IT, Joomi, Radware and Max Security and Intelligence.

Here’s an example email they sent to some customers:

The customer information appears to be lifted from CRM backups (which they also post online). So if you’re following along, this is about 4 layers into the compromise. They appear to use the SMTP accounts of the victims to send the emails, so they’re less likely to get flagged as spam — for example, with one campaign they used the Sendgrid account of a cybersecurity vendor.

These are not phishing emails — there’s no credential theft or malware — but they’re lobbying emails. Yes, hacks now lead to *checks notes* war lobbying. I’ll be honest, I’m not sure what Jennifer from Accounts Payable at a company 4 times removed is going to do about Gaza, but it’s certainly a novel way to raise awareness.

Additionally, they include everybody in the To: field of the emails rather than BCC — this encourages a Reply-All storm.

What now?

Cyber Toufan appear to have stopped for now. They finished with an image of some data from ecom.gov.il, the Israel State Payment Gateway. It appears Toufan obtained access around October.

Lessons to be learnt

  • Monitor Linux systems, both anti-malware and EDR (endpoint detection and response). For example, you should have use cases to detect Tor being installed or used — along with shred being executed.
  • Control outbound network connectivity from Linux. For example, your Linux boxes shouldn’t be reaching outbound to Tor nodes.
  • Look for abnormally large volumes of network traffic from hosts.
  • Invalidate stolen TLS certificates and move to fresh ones.
  • Risk assess your MSPs. Your MSPs are risky during times of war. They are single points of hacking. If your MSP gets compromised, you may find people reaching out to you or your customers and you may find yourself without backups and service.
  • You may want to manage your own additional backups of the services your MSPs provide during heightened risks.
  • There is an incredible lack of knowledge in the cybersecurity industry around what happened here, despite it being a fairly big, ongoing incident involving over 100 organisations, including multiple areas of the Israeli government — hence me writing this blog. That seems odd.
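As an added example (not code from the post, and not Cyber Toufan’s tooling), here is a small Python detector for the Linux tradecraft described in the “What do they do when they gain access?” section and the first two lessons above: shred aimed at / or a raw disk, Tor installed through apt/yum/dnf, a tor process starting, and a torrc that declares a hidden service. The log format, hostnames and sample lines are constructed for the example; only the initvm.sh name comes from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not real logs) in a simplified process-exec format.
SAMPLE_LOG = """\
2023-12-16T02:04:55Z host=web01 uid=0 cmd=/bin/bash /tmp/initvm.sh
2023-12-16T02:05:41Z host=web01 uid=0 cmd=/usr/bin/apt-get install -y tor
2023-12-16T02:06:10Z host=web01 uid=0 cmd=/usr/bin/tor -f /etc/tor/torrc
2023-12-16T02:11:03Z host=web01 uid=0 cmd=/usr/bin/shred -n 1 -z -f /
2023-12-16T01:58:30Z host=web02 uid=1000 cmd=/usr/bin/apt-get install -y curl
2023-12-16T01:59:00Z host=web02 uid=1000 cmd=/usr/bin/shred -u /home/dev/notes.txt
"""
# Constructed torrc of the kind that exposes the host as a Tor hidden service.
SAMPLE_TORRC = """\
# example config
SocksPort 0
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")
PKG_MANAGERS = {"apt", "apt-get", "yum", "dnf"}

@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    cmd: str

def classify(cmd: str) -> Optional[str]:
    """Map one command line to a detection rule name, or None if benign."""
    argv = cmd.split()
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    args = argv[1:]
    # shred of a single file is routine; shred aimed at / or a raw disk is a wipe.
    if prog == "shred" and any(a == "/" or a.startswith("/dev/") for a in args):
        return "shred_root_or_disk"
    if prog in PKG_MANAGERS and "install" in args and "tor" in args:
        return "tor_package_install"
    if prog == "tor":
        return "tor_process_start"
    return None

def scan_log(text: str) -> List[Alert]:
    """Run classify() over every parseable line and collect the hits."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (rule := classify(m["cmd"])):
            alerts.append(Alert(m["host"], rule, m["cmd"]))
    return alerts

def hidden_service_configured(torrc: str) -> bool:
    """True if a torrc declares a HiddenServiceDir (commented lines ignored)."""
    return any(l.strip().split(maxsplit=1)[0] == "HiddenServiceDir"
               for l in torrc.splitlines() if l.strip() and not l.lstrip().startswith("#"))
```

Running `scan_log(SAMPLE_LOG)` flags only the three web01 lines; the single-file shred and the curl install on web02 stay quiet.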

Stay safe.

~g

Update 29th December 2023: I have confirmed the latest email that Cyber Toufan sent to security and infrastructure people, titled “Warning | The Cost of Complicity”, sent with a from address of intel@max-security.com, was indeed sent to people in Radware’s customer and sales database, as Cyber Toufan had claimed. The sending SMTP email server is Max Security’s — both security companies had a breach.

Update 30th December 2023: Cyber Toufan are still active and breaching orgs. They have emailed the customers of PTS — Production Tool Supply aka pts-tools.com, a Berkshire Hathaway company, the following message:

Dear Customers,

These are the hackers speaking. Yes, the ones responsible for wiping out and obtaining all the data of PTS Tools almost two months ago. PTS Tools sent out an email about the incident two weeks ago, trying to slither their way out of responsibility, and claiming that their systems weren’t truly compromised. We thought we’d set the record straight ourselves, and come to you from their very own mailing systems.

PTS Tools claims we only compromised a third-party, and that we don’t have all of their clients’ data. That is far from the truth. We have 100s of GBs of client data, including all customer details, orders, and shipments ever handled by PTS Tools. It is either that PTS Tools knows we have all this data, in which case they are unashamedly lying to you, or they are still clueless to the scale of the compromise. We will let you decide which is worse.

Okay, we understand why you wiped out the Israeli National Archive, the State Payment Gateway, Ikea Israel, Toyota Israel, the Israeli cyber security firms Radware and MAX Security & Intelligence, as well as hundreds of other Israeli companies. But why did you choose to wipe out the servers and databases of PTS Tools, Berkshire E-Supply, IMC, and ISCAR (and their backups)?

The answer is quite simple. Every single one of these companies either has a large office/HQ in Israel, or has chosen to sign huge financial contracts with Israeli entities. Doing business with Israel is complicity in the crimes it is currently committing, including the cold blooded murder of over 9,000 of our children. 9,000 dead children is equivalent to the death toll of three 9/11’s, except every dead body is that of a lifeless infant or child.

Let it be clear: There will be no mercy for the complicit. Any organisation or entity that chooses to support those occupying our land and killing our children, whether financially, politically, or through any other means, is choosing to put themselves in the line of fire. Let this be a warning, and let PTS Tools and Berkshire E-Supply (which is still down almost two months later) be a lesson for those that wish not to entangle their businesses in the murder of our children and the destruction of their companies.

Indeed, any entity that chooses to continue in their complicity will certainly pay the price of complicity in the killing of our children.

PTS themselves had previously emailed customers about a “cyber-attack” in November:

Update 31st December 2023: Berkshire eSupply have filed a data breach notification in Maine:

Update 1st January 2024: Berkshire eSupply’s attachment to the Maine Attorney General in their data breach notification claims:

It goes on to say “Although data stored in our information systems was not accessed, and even though we were not directly involved in this incident, we continue to monitor this incident and its effect on our customer community.”

To be clear, Berkshire eSupply’s own customer information, including addresses and such, was lost in the breach and is still publicly available on Cyber Toufan’s Telegram channel to this day, in plain text — and the way Berkshire eSupply are opting to deal with the issue is wordsmith it to the Attorney General.

Update 4th January 2024: Cyber Toufan have sent another email, this time to Berkshire eSupply customers:

The prior email to PT Solutions customers is here: https://www.ar15.com/forums/General/Berkshire-Hathaway-world-s-largest-metal-working-tool-supplier-targeted-ISCAR-Ingersoll/5-2690711/
