After a six-month investigation, Israeli police announced on
Sunday that dozens of leading Israeli companies and leading
private investigators were suspects in a massive industrial
espionage case. Eleven private investigators from prominent
agencies were arrested in addition to some eight senior
executives who allegedly hired the investigators. The
companies of the executives included Cellcom, YES, Pelephone,
Mayer Car Imports and the Tami-4 mineral water retailer. The
private investigators arrested included former Shin Bet
officials and former senior police officers.
Some observers cautioned that Israeli police have a history
of splashy announcements that turn out to be less than they
seem. The executives all denied that they had done anything
wrong, and insisted that their contracts with the
investigation firms included an explicit stipulation that no
illegal actions be taken. Police argued that when the
executives were given their rivals' most closely guarded
internal documents, they could hardly have failed to realize
that the documents were obtained illegally.
The private intelligence firms are suspected of having
planted a malicious computer program ("malware") in the
computers of competitors of their clients, which they then
used to extract business secrets. The type of computer
program is also known as a "Trojan horse," after a huge
wooden horse that was used by Greek soldiers to sneak into
the city of Troy to which they had been laying siege for ten
years without success. The huge horse appeared to be a gift,
but it really contained a squad of enemy soldiers inside.
The investigation is still continuing and the full extent of
the break-ins, and the value of the information stolen, is
not yet known.
The companies suspected of commissioning the espionage
include the satellite television company Yes, which is
suspected of spying on cable television company HOT; cell
phone companies Pelephone and Cellcom, suspected of spying on
Partner; and Mayer, which imports Volvos and Hondas to
Israel, suspected of spying on Champion Motors, importer
of Audis and Volkswagens. Tami-4 is suspected of spying on
the Mei Eden mineral water supplier. Spy programs were also
located that targeted Strauss-Elite, Shekem Electric, ACE
Marketing Chains (ACE Israel), Zoglowek, the Malam Group,
Zilumatik, and the business daily Globes.
More companies may be involved as victims or as criminals.
Police have not yet read and analyzed all the material that
they have confiscated, and they do not know who was spying on
these latter companies. In some cases the material is encoded
and police have not yet managed to break the code.
Israeli investigators also think that some foreign commercial
companies were targets of the Trojan horse spyware as
well.
The investigation began last November when author Amnon
Jacont and his wife Varda complained to the Tel Aviv police
that someone had stolen information from their computer. They
complained after finding personal documents and parts of a
book that Jacont was writing on the Internet. They had not
given or sent the information to anyone. Police came down and
examined their computer and found that it had been infected
with a Trojan horse program.
Police investigators eventually determined that the program
had been written by Michael Haephrati, 41, a former
son-in-law of Mrs. Jacont. Haephrati, an Israeli citizen, currently
lives in Germany and England and has no previous police
record. He and his current wife were arrested in England last
week.
With the help of Interpol and London's Metropolitan Police,
Israeli investigators found that Haephrati had sold his
program to three private investigation agencies in Israel:
Modi'in Ezrachi, Zvika Krochmal and Pilosof-Balali. All three
agencies are licensed by the Israel Justice Ministry and had
enjoyed excellent reputations.
The virus, police suspect, was sent hidden inside a
promotional CD to companies. Thinking that it was part of
normal business advertising, employees would view the CDs on
their computers, but the CDs secretly deposited the Trojan
horse onto the computer system. Sometimes the virus was sent
as an attachment to emails sent to the various companies.
Once the programs were inside, Haephrati would send his
clients special codes to access the malware. Then they could
basically take whatever they wanted, monitor the
computers in real time, and fully control the system.
Police investigators succeeded in locating several computer
servers in Israel, Germany and the US, on which the stolen
files were stored before they were passed on to the companies
that ordered them. They discovered tens of thousands of
documents there that belonged to major Israeli companies,
including many files labeled "internal" and "secret." Police
have been examining these documents to determine which
companies have been victimized.
The Trojan horse, police said, was undetectable. Two things
made those virus programs particularly difficult to detect.
One is that they entered the computer in an unusual way, from
the innocent looking CDs. Common defense programs screen
email and similar sources of programs coming from "outside"
the company, but not CDs which are used "inside." The second
point is that each program was customized by Haephrati for
each particular invasion. Anti-virus programs are set up to
look for previously known viruses, and would not recognize a
custom program as suspicious. Experts noted that a private
computer user is unlikely to be the target of a
custom-written virus.
For each customized program the agencies reportedly paid
Haephrati about NIS 16,000 per computer per month, including
support. This included planting the virus in the target
computer.
Police assessed that the investigation would eventually reach
the various companies' CEOs and even owners. Investigators
said that the theft of the information caused the victims to
lose competitive bids and thousands of customers.
"Luckily, my company's most classified information has always
been stored outside of the computer system," noted one of the
victims. However, "if it was up to me," he commented, "the
guilty parties would get the gallows."
At a hearing last Wednesday, police told the court that the
investigators are suspected of: penetrating a computer for
the purpose of committing a crime, making and propagating a
computer virus, violating the Protection of Privacy Law,
conspiring to commit a crime, wiretapping and fraud. Police
said that any direct interception of computer files and
documents is considered illegal wiretapping. Police also
suspect the three agencies of cooperating with each other to
perpetrate their industrial espionage.
The private investigators all denied that they had knowingly
done anything illegal.
The individual companies also said that they had not broken
any laws and that they were confident that none of their
officers had done anything illegal. They all pledged to
cooperate fully in the investigation.
The type of software that stole information from computers at
some of Israel's biggest and best-known companies would "be
nearly impossible to implant in an IDF computer," an IDF
source told the Jerusalem Post. This is because the
army makes sure that all of its sensitive material is on
systems that are not connected to the Internet, which can be
accessed from anywhere in the world. Many IDF computers
cannot copy material onto disks and it is forbidden to take
out magnetic media from IDF computers.
The IDF also constantly monitors activity on its computers,
and it has many experts whose main task is to ensure the
integrity of its information.
The experts agreed that the main security factor is ensuring
that nothing is exposed to the Internet.