{
	"id": "9bf29ff8-7f0e-404f-a99a-6274792bb32d",
	"created_at": "2026-04-06T00:09:43.688709Z",
	"updated_at": "2026-04-10T13:11:39.935598Z",
	"deleted_at": null,
	"sha1_hash": "c2f56c2aad2e109515c5f41dc836755796b832dd",
	"title": "Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 986312,
	"plain_text": "Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’\r\nMissile Defense System\r\nPublished: 2014-07-30 · Archived: 2026-04-02 10:42:01 UTC\r\nThree Israeli defense contractors responsible for building the “Iron Dome” missile shield currently protecting\r\nIsrael from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive\r\ndocuments pertaining to the shield technology, KrebsOnSecurity has learned.\r\nThe never-before publicized intrusions, which occurred between 2011 and 2012, illustrate the continued\r\nchallenges that defense contractors and other companies face in deterring organized cyber adversaries and\r\npreventing the theft of proprietary information.\r\nA component of the ‘Iron Dome’ anti-missile system in operation, 2011.\r\nAccording to Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI),\r\nbetween Oct. 10, 2011 and August 13, 2012, attackers thought to be operating out of China hacked into the\r\ncorporate networks of three top Israeli defense technology companies, including Elisra Group, Israel Aerospace\r\nIndustries, and Rafael Advanced Defense Systems.\r\nBy tapping into the secret communications infrastructure set up by the hackers, CyberESI determined that the\r\nattackers exfiltrated large amounts of data from the three companies. 
Most of the information was intellectual\r\nproperty pertaining to Arrow III missiles, Unmanned Aerial Vehicles (UAVs), ballistic rockets, and other technical\r\ndocuments in the same fields of study.\r\nhttps://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/\r\nPage 1 of 6\n\nJoseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry\r\nthat these companies are involved in suggests that the Chinese hackers were looking for information related to\r\nIsrael’s all-weather air defense system called Iron Dome.\r\nThe Israeli government has credited Iron Dome with intercepting approximately one-fifth of the more than 2,000\r\nrockets that Palestinian militants have fired at Israel during the current conflict. The U.S. Congress is currently\r\nwrangling over legislation that would send more than $350 million to Israel to further development and\r\ndeployment of the missile shield technology. If approved, that funding boost would make nearly $1 billion from\r\nthe United States over five years for Iron Dome production, according to The Washington Post.\r\nNeither Elisra nor Rafael responded to requests for comment about the apparent security breaches. A spokesperson\r\nfor Israel Aerospace Industries brushed off CyberESI’s finding, calling it “old news.” When pressed to provide\r\nlinks to any media coverage of such a breach, IAI was unable to locate or point to specific stories. The company\r\ndeclined to say whether it had alerted any of its U.S. industry partners about the breach, and it refused to answer\r\nany direct questions regarding the incident.\r\n“At the time, the issue was treated as required by the applicable rules\r\nand procedures,” IAI Spokeswoman Eliana Fishler wrote in an email to KrebsOnSecurity. “The information was\r\nreported to the appropriate authorities. 
IAI undertook corrective actions in order to prevent such incidents in the\r\nfuture.”\r\nDrissel said many of the documents that were stolen from the defense contractors are designated with markings\r\nindicating that their access and sharing are restricted by International Traffic in Arms Regulations (ITAR) — U.S.\r\nState Department controls that regulate the defense industry. For example, Drissel said, among the data that\r\nhackers stole from IAI is a 900-page document that provides detailed schematics and specifications for the Arrow\r\n3 missile.\r\n“Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense\r\ncontractors,” Drissel said. “We transferred this technology to them, and they coughed it all up. In the process, they\r\nessentially gave up a bunch of stuff that’s probably being used in our systems as well.”\r\nWHAT WAS STOLEN, AND BY WHOM?\r\nAccording to CyberESI, IAI was initially breached on April 16, 2012, by a series of specially crafted email\r\nphishing attacks. Drissel said the attacks bore all of the hallmarks of the “Comment Crew,” a prolific, state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing\r\nterabytes of data from defense contractors and U.S. corporations.\r\nThe Comment Crew is the same hacking outfit profiled in a February 2013 report by Alexandria, Va.-based\r\nincident response firm Mandiant, which referred to the group simply by its official designation — “P.L.A. Unit\r\n61398.” In May 2014, the U.S. Justice Department charged five prominent military members of the Comment\r\nCrew with a raft of criminal hacking and espionage offenses against U.S. 
firms.\r\nOnce inside IAI’s network, Comment Crew members spent the next four months in 2012 using their access to\r\ninstall various tools and trojan horse programs on systems throughout the company’s network and expanding their\r\naccess to sensitive files, CyberESI said. The actors compromised privileged credentials, dumped password hashes,\r\nand gathered system, file, and network information for several systems. The actors also successfully used tools to\r\ndump Active Directory data from domain controllers on at least two different domains on IAI’s network.\r\nAll told, CyberESI was able to identify and acquire more than 700 files — totaling 762 MB — that were\r\nexfiltrated from IAI’s network during the compromise. The security firm said most of the data acquired was\r\nintellectual property and likely represented only a small portion of the entire data loss by IAI.\r\n“The intellectual property was in the form of Word documents, PowerPoint presentations, spreadsheets, email\r\nmessages, files in portable document format (PDF), scripts, and binary executable files,” CyberESI wrote in a\r\nlengthy report produced about the breaches.\r\n“Once the actors established a foothold in the victim’s network, they are usually able to compromise local and\r\ndomain privileged accounts, which then allow them to move laterally on the network and infect additional\r\nsystems,” the report continues. “The actors acquire the credentials of the local administrator accounts by using\r\nhash dumping tools. They can also use common local administrator account credentials to infect other systems\r\nwith Trojans. They may also run hash dumping tools on Domain Controllers, which compromises most if not all\r\nof the password hashes being used in the network. 
The actors can also deploy keystroke loggers on user systems,\r\nwhich captured passwords to other non-Windows devices on the network.”\r\nThe attackers followed a similar modus operandi in targeting Elisra, a breach which CyberESI says began in\r\nOctober 2011 and persisted intermittently until July 2012. The security firm said the attackers infiltrated and\r\ncopied the emails for many of Elisra’s top executives, including the CEO, the chief technology officer (CTO) and\r\nmultiple vice presidents within the company.\r\nCyberESI notes it is likely that the attackers were going after persons of interest with access to sensitive\r\ninformation within Elisra, and/or were gathering would-be targets for future spear-phishing campaigns.\r\nDrissel said that, like many other such intellectual property breaches the company has detected over the years, neither\r\nthe victim firms nor the U.S. government provided any response after CyberESI alerted them about the breaches at\r\nthe time.\r\n“The reason that nobody wants to talk about this is people don’t want to re-victimize the victim,” Drissel said. “But\r\nthe real victims here are the people on the other end who are put in harm’s way because of poor posture on\r\nsecurity and the lack of urgency coming from a lot of folks on how to fix this problem. So many companies have\r\nbecome accustomed to low-budget IT costs. 
But the reality is that if you have certain sensitive information,\r\nyou’ve got to spend a certain amount of money to secure it.”\r\nANALYSIS\r\nWhile some of the world’s largest defense contractors have spent hundreds of millions of dollars and several years\r\nlearning how to quickly detect and respond to such sophisticated cyber attacks, it’s debatable whether this\r\napproach can or should scale for smaller firms.\r\nMichael Assante, project lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition\r\n(SCADA) security at the SANS Institute, said although there is a great deal of discussion in the security industry\r\nabout increased information sharing as the answer to detecting these types of intrusions more quickly, this is only\r\na small part of the overall solution.\r\n“We collectively talk about all of the things that we should be doing better — that we need to have better security\r\npolicies, better information sharing, better detection, and we’re laying down the tome and saying ‘Do all of these\r\nthings’,” Assante said. “And maybe a $100 million security program can do all these things well or make progress\r\nagainst these types of attacks, but that 80-person defense contractor? Not so much.”\r\nAssante said most companies in the intelligence and defense industries have gotten better at sharing information\r\nand at the so-called “cyber counter-intelligence” aspect of these attacks: Namely, in identifying the threat actors,\r\ntactics and techniques of the various state-sponsored organizations responsible. 
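The tradecraft CyberESI describes above (a shared local administrator password, hash dumping, and the same credential replayed across the network to plant Trojans) leaves a signature in ordinary Windows logon telemetry that even an 80-person contractor can watch for. The following Python script is an added example written for this page, not code from KrebsOnSecurity, CyberESI or SANS: it parses a constructed sample of Security Event ID 4624 (successful logon) records and flags any single account and source address that reaches many machines as a local account over NTLM within a short window. The flattened field layout, host names, addresses, times and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4624 (successful logon)
# records, flattened to one pipe-separated line per event for this example.
# Fields: time|host|logon_type|user|target_domain|source_ip|auth_package
# 'host' is the machine that recorded the event, i.e. the logon target; for
# a local account, the event's TargetDomainName is that machine's own name.
SAMPLE_LOG = '''
2012-05-02T01:12:03|WS-114|3|Administrator|WS-114|10.20.3.14|NTLM
2012-05-02T01:12:41|WS-221|3|Administrator|WS-221|10.20.3.14|NTLM
2012-05-02T01:13:05|WS-230|3|Administrator|WS-230|10.20.3.14|NTLM
2012-05-02T01:13:50|FS-01|3|Administrator|FS-01|10.20.3.14|NTLM
2012-05-02T01:14:22|SRV-BUILD|3|Administrator|SRV-BUILD|10.20.3.14|NTLM
2012-05-02T01:15:10|FS-01|3|jsmith|CORP|10.20.7.55|Kerberos
2012-05-02T01:16:00|WS-114|3|jsmith|CORP|10.20.7.55|Kerberos
2012-05-02T08:30:00|WS-114|10|helpdesk|WS-114|10.20.9.2|NTLM
2012-05-02T09:05:00|WS-221|10|helpdesk|WS-221|10.20.9.2|NTLM
'''


def parse_events(text):
    '''Parse the flattened log into a list of event dicts.'''
    events = []
    for line in text.strip().splitlines():
        ts, host, ltype, user, domain, ip, pkg = line.split('|')
        events.append({
            'time': datetime.fromisoformat(ts),
            'host': host,
            'logon_type': int(ltype),
            'user': user,
            'target_domain': domain,
            'source_ip': ip,
            'auth_package': pkg,
        })
    return events


def is_local_network_logon(ev):
    '''True for a network logon (type 3) with a local account over NTLM.

    Local accounts cannot use Kerberos, so a remote SMB/admin-share logon
    with one is always NTLM. A domain account carries the AD domain name in
    target_domain rather than the host name and is ignored here, as are
    interactive and remote-interactive logons (types 2 and 10).
    '''
    return (ev['logon_type'] == 3
            and ev['auth_package'] == 'NTLM'
            and ev['target_domain'] == ev['host'])


def find_shared_local_admin_sweeps(events, min_hosts=4, window_seconds=1800):
    '''Flag (user, source_ip) pairs that reached at least min_hosts distinct
    machines as a local account within any sliding window of window_seconds.

    One source authenticating as the same local account to many machines in
    minutes is the pattern a reused local-admin password produces when its
    hash is replayed (pass-the-hash) or cracked and used to spread tooling.
    Returns one alert per pair, covering the window with the most hosts.
    '''
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e['time']):
        if is_local_network_logon(ev):
            by_key[(ev['user'], ev['source_ip'])].append(ev)

    alerts = []
    for (user, ip), evs in by_key.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside the window.
            while evs[end]['time'] - evs[start]['time'] > window:
                start += 1
            hosts = {e['host'] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best['hosts'])):
                best = {
                    'user': user,
                    'source_ip': ip,
                    'hosts': sorted(hosts),
                    'first': evs[start]['time'],
                    'last': evs[end]['time'],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == '__main__':
    for a in find_shared_local_admin_sweeps(parse_events(SAMPLE_LOG)):
        print(a['user'], 'from', a['source_ip'], 'reached', len(a['hosts']),
              'hosts in', a['last'] - a['first'], ':', ', '.join(a['hosts']))
```

The sample contains one such sweep (‘Administrator’ from 10.20.3.14 reaching five hosts in just over two minutes) and two kinds of benign noise that must not fire: a domain user authenticating with Kerberos, and a help-desk account using remote interactive logons hours apart. On real data the same function sits on a centralised 4624 feed, with min_hosts tuned to how many machines one administrator legitimately touches in the window. It still only fires once the reused credential is already in play; giving every host a unique local administrator password removes the pattern rather than merely detecting it.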
But he noted that most\r\norganizations still struggle with the front end of the problem: Identifying the original intrusion and preventing the\r\ninitial compromise from blossoming into a much bigger problem.\r\n“I don’t think we’ve improved much in that regard, where the core challenges are customized malware, persistent\r\nactivity, and a lot of noise,” Assante said. “Better and broader notification [by companies like CyberESI] would be\r\ngreat, but the problem is that typically these notifications come after sensitive data has already been exfiltrated\r\nfrom the victim organization. Based on the nature of advanced persistent threats, you can’t beat that time cycle.\r\nWell, you might be able to, but the amount of investment needed to change that is tremendous.”\r\nUltimately, securing sensitive systems from advanced, nation-state-level attacks may require a completely\r\ndifferent approach. After all, as the line commonly attributed to Einstein goes, “We cannot solve our problems with the same thinking we used\r\nwhen we created them.”\r\nIndeed, that appears to be the major thrust of a report released this month by Richard J. Danzig, a board member\r\nof the Center for New American Security. In “Surviving on a Diet of Poison Fruit” (PDF), Danzig notes that\r\ndefensive efforts in major mature systems have grown more sophisticated and effective.\r\n“However, competition is continuous between attackers and defender,” he wrote. “Moreover, as new information\r\ntechnologies develop we are not making concomitant investments in their protection. As a result, cyber\r\ninsecurities are generally growing, and are likely to continue to grow, faster than security measures.”\r\nIn his conclusion, Danzig offers a range of broad (and challenging) suggestions, including this\r\ngem, which emphasizes placing a premium on security over ease-of-use and convenience in mission-critical\r\ngovernment systems:\r\n“For critical U.S. 
government systems, presume cyber vulnerability and design organizations, operations and\r\nacquisitions to compensate for this vulnerability. Do this by a four-part strategy of abnegation, use of out-of-band\r\narchitectures, diversification and graceful degradation. Pursue the first path by stripping the ‘nice to have’ away\r\nfrom the essential, limiting cyber capabilities in order to minimize cyber vulnerabilities. For the second, create\r\nnon-cyber interventions in cyber systems. For the third, encourage different cyber dependencies in different\r\nsystems so single vulnerabilities are less likely to result in widespread failure or compromise. And for the fourth,\r\ninvest in discovery and recovery capabilities. To implement these approaches, train key personnel in both\r\noperations and security so as to facilitate self-conscious and well-informed tradeoffs between the security gains\r\nand the operational and economic costs from pursuing these strategies.”\r\nSource: Center for New American Security\r\nSource: https://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/"
	],
	"report_names": [
		"hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2f56c2aad2e109515c5f41dc836755796b832dd.pdf",
		"text": "https://archive.orkl.eu/c2f56c2aad2e109515c5f41dc836755796b832dd.txt",
		"img": "https://archive.orkl.eu/c2f56c2aad2e109515c5f41dc836755796b832dd.jpg"
	}
}