Over the weekend, a significant software update malfunction by CrowdStrike wreaked havoc on thousands of organizations globally, with a notable impact on numerous entities in Israel. This incident, although not a cyberattack, caused substantial disruption, prompting a swift and robust response from the Israel National Cyber Directorate (INCD).
INCD's Decisive Response
Early Sunday morning, the INCD confirmed it had effectively managed the crisis that emerged in several key organizations in Israel due to the CrowdStrike software malfunction. Leveraging its extensive expertise in managing widespread crises and its deep technological familiarity with critical sectors, the directorate sprang into action.
The INCD's comprehensive approach included:
- Providing a Situation Overview: The directorate promptly assessed the scope and impact of the malfunction, ensuring all affected organizations had a clear understanding of the situation.
- Guiding Resolution Efforts: Utilizing its specialized knowledge, the INCD offered detailed guidance on resolving the malfunction, ensuring swift and effective action.
- Maintaining Communication with CrowdStrike: The directorate kept open lines of communication with CrowdStrike representatives, facilitating a coordinated response.
- Field Support: Teams from the INCD visited essential organizations, particularly in the health sector, providing hands-on assistance to restore computer functionality.
Israel identifies Crowdstrike as cause for global Microsoft outage | World Israel News https://t.co/ILAn0UzHNw
— Peter Boaz Jones (@KlausClodt) July 21, 2024
Current Status and Recovery Efforts
As of now, the situation overview indicates that out of approximately 30 large and essential organizations in Israel affected by the malfunction:
- 60% have fully overcome the issue.
- 26% are in advanced stages of updating their computer stations.
- 14% are due to begin remediation today.
The impacted sectors in Israel include health, transportation, financial services, energy, communications, academia, and local government.
Threats from Exploitative Criminal and Iranian Groups
In a concerning development, the INCD identified various criminal groups and Iranian attack groups attempting to exploit the malfunction. These malicious actors sent phishing messages impersonating CrowdStrike, offering updates or technical support that contained harmful files. The directorate swiftly warned organizations and issued an alert to prevent further damage.
CrowdStrike's troubles open new doors for Israeli cyber companies. The American company may not have been a household name in Israel or globally until this weekend's outage, but it is a major competitor to many Israeli cyber companies. https://t.co/DCCD1B6vYA
— CTech (@Calcalistech) July 21, 2024
The INCD's swift and comprehensive response to the CrowdStrike software update malfunction underscores its critical role in safeguarding Israel's cybersecurity infrastructure. Despite the challenges posed by this incident, the directorate's effective management has ensured a rapid return to operational continuity for most affected organizations, highlighting Israel's resilience in the face of technological crises.
During the weekend's chaos caused by the CrowdStrike software update malfunction, the Israel National Cyber Directorate (INCD) identified a serious secondary threat: various criminal groups and Iranian attack groups attempting to exploit the situation through phishing attacks. Here’s an in-depth look at how these phishing attacks unfolded and the measures taken by the INCD.
Nature of the Phishing Attacks
Phishing attacks are fraudulent attempts to obtain sensitive information or deliver malware by posing as a trustworthy entity. In this case, the attackers impersonated CrowdStrike, the cybersecurity company at the center of the malfunction. Here’s how these phishing attacks were executed:
- Impersonation: The attackers crafted emails and messages that appeared to come from CrowdStrike. These communications were designed to look legitimate, often using CrowdStrike's logos and branding to deceive recipients.
- Malicious Links and Attachments: The phishing messages included links to fake updates or technical support pages and attachments purported to be software patches. These links and files contained malicious software aimed at further compromising the recipients' systems.
- Targeted Approach: The attackers focused on organizations already affected by the CrowdStrike malfunction, knowing these entities would be desperate for a solution and more likely to fall for the phishing attempts.
Handala Hack, the pro-Iran hacktivist group, claims they have been delivering wiper malware via phishing emails and using the Crowdstrike incident as the lure. The group almost exclusively targets Israel; regardless of this attack's legitimacy, the intent to leverage the… pic.twitter.com/bwcXYzwu9K
— CyberKnow (@Cyberknow20) July 21, 2024
INCD’s Response to Phishing Attacks
The INCD acted swiftly to mitigate the risks posed by these phishing attacks. Their response included the following key actions:
- Immediate Alerts: As soon as the phishing attempts were identified, the INCD issued immediate alerts to all affected organizations. These alerts provided detailed information on the nature of the phishing attacks and advised on recognizing and avoiding them.
- Guidance on Safe Practices: The INCD offered guidance on safe practices, such as verifying the sender's identity before opening any email attachments or clicking on links, using multi-factor authentication, and employing advanced email filtering techniques.
- Collaboration with CrowdStrike: The INCD maintained close communication with CrowdStrike to ensure accurate information was disseminated and that CrowdStrike’s legitimate communications could be distinguished from phishing attempts.
- Technical Support: The directorate provided technical support to organizations to help them implement necessary security measures. This included updates to antivirus software, network monitoring tools, and other cybersecurity defenses.
- Monitoring and Reporting: The INCD continuously monitored the situation, collecting data on new phishing attempts and adapting its strategies accordingly. Organizations were encouraged to report any suspicious activity, helping the INCD to track and respond to ongoing threats.
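The lure characteristics described above (vendor impersonation, an out-of-band "hotfix" or "update", an executable-style attachment) and the INCD's advice to verify the sender and filter mail translate directly into a mail-gateway triage check. The following is an added example, not code from the INCD or CrowdStrike: it parses a raw message with Python's standard email library and flags brand impersonation, missing SPF/DKIM passes, fix-themed lure text and risky attachments. The trusted vendor domain, the lure keywords and the sample message are assumptions constructed for the example.

```python
import email
import re
from email import policy, utils
LEGIT_DOMAINS = {"crowdstrike.com"}          # vendor domains trusted for this brand (assumption)
BRAND_RE = re.compile(r"crowd\s*strike", re.I)
LURE_RE = re.compile(r"\b(hotfix|patch|update|recovery tool)\b", re.I)
RISKY_EXT = (".exe", ".zip", ".iso", ".lnk", ".js", ".vbs", ".bat", ".ps1", ".hta")

def triage(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, addr = utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Sender name or address invokes the brand, but the domain is not the vendor's.
    if BRAND_RE.search(display_name + " " + addr) and domain not in LEGIT_DOMAINS:
        findings.append("brand_impersonation")
    # A genuine vendor notice should carry passing SPF and DKIM results from our MX.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        findings.append("auth_not_passed")
    # Lure language seen in the campaign: a fix or update offered out of band.
    text = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += " " + body.get_content()
    if LURE_RE.search(text):
        findings.append("fix_lure")
    # Executable-style attachments presented as the patch.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("risky_attachment:" + name)
    return findings

# Constructed sample modelled on the lure described above; not a real message.
SAMPLE = """From: CrowdStrike Support <support@crowdstrike-hotfix.example>
Subject: Urgent hotfix for the Falcon sensor outage
Authentication-Results: mx.victim.example; spf=fail; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Run the attached update to bring your hosts back.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="crowdstrike_hotfix.zip"

--b1--
"""
```

Any non-empty result is a reason to quarantine the message for analyst review rather than deliver it; a message from the vendor's real domain with passing authentication and no risky attachment returns an empty list.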
The Hacktivist group Handala is masquerading as a CrowdStrike hotfix and deploying a new wiper - CrowdWipe pic.twitter.com/ibphIyUios
— Noa Stern Dekel (@DekelStern) July 21, 2024
Preventive Measures for the Future
In light of this incident, the INCD emphasized the importance of robust cybersecurity practices and preparedness for all organizations. Recommendations included regular training for employees on recognizing phishing attempts, routine updates and patches for software, and establishing clear protocols for responding to cybersecurity incidents.
Conclusion
The phishing attacks that accompanied the CrowdStrike software malfunction highlighted the opportunistic nature of cyber threats and the importance of vigilance and rapid response. The Israel National Cyber Directorate's proactive measures and clear communication were crucial in protecting Israeli organizations from further harm, ensuring that the path to recovery from the initial malfunction was not further complicated by malicious actors. This incident serves as a stark reminder of the ever-evolving nature of cyber threats and the critical need for robust cybersecurity infrastructure and practices.