The constant outsider who the world’s largest companies now pay millions to hack their systems
Reuven Aronashvili, the son of Georgian immigrants to Israel, founded offensive cyber company CYE with the knowledge he acquired at a secret Israeli military unit
When Reuven Aronashvili, founder and CEO of cybersecurity company CYESEC Ltd. (CYE), entered his first class in Linear Algebra at Tel Aviv University (TAU), the lecturer started yelling at him because he thought he was the maintenance guy, there to fix the air conditioning that had been out for weeks.
"Maybe I looked a little different to him,” Aronashvili, the son of two Georgian immigrants to Israel, said in a recent interview with Calcalist. “I had a lot of experiences in my life when people treated me unfairly,” he said, “but I don’t think the right way to go is to whine about it, you can also joke about it. Every time I saw that professor afterward I asked him how the air conditioning was and I ended up getting a perfect score in every one of his classes.”
When he was discharged in 2012, he turned to the business sector. Two years later, Aronashvili founded CYE using the knowledge he accumulated in the military. It is one of few companies that have a license to attack and does so with the explicit consent of companies. Its Israeli competitors include XM Cyber Ltd., founded by former Mossad head Tamir Pardo, and Candiru, which, other than reportedly raising $9 million last month, has remained under the radar for years.
According to Aronashvili, CYE “goes all the way” with its attacks, acting as a real hacker would. The attack is real and not simulated, which means the company can provide a more accurate picture, he explained. “We won’t show you what a complete shutdown of a manufacturing line looks like because that could cost as much as $150 million,” Aronashvili said, “but we will show you how it can be done. We will get as far as the interface that shuts down the system and we’ll stop there. We show clients that we can steal intellectual property or otherwise secret information and that we can shut down their commercial activity or hack bank accounts.”
When the stakes are extremely high, for example, when it comes to airports, trains, and infrastructure, where an attack could cost lives, CYE goes for a more traditional approach, according to Aronashvili. “Our guiding principle is to find out who can attack the organization, with what tools, and what they can gain through the attack,” he said. “Then, we can rate the levels of risk so that the company would know what it should address most urgently.”
While it may sound risky to willingly let someone hack your systems, Aronashvili said clients prefer to face the reality through CYE as it poses a minimal threat, while a real attack, utilizing the same methods, could be a catastrophe.
"You see unbelievable defense tools, the cream of the crop, but then you find out that 80% of the users in the organization have passwords that can be cracked in under 30 seconds.“We don’t take a single user and try every possible password on it, instead we take all users and try two or three possible passwords on each so we don’t get locked out or alert the system of suspicious activity. Within 10 minutes of an attack, we can crack over 50% of an organization’s passwords using this method.” Now, with the massive shift towards work from home due to the coronavirus (Covid-19) pandemic, it must feel like a paradise for cyber attackers.
“People are working from home with a modem password that is usually their cell number. Attacking a private home is way easier. Some have added an additional layer of security, but if you want to target an organization you get a list of employees and just try them one by one at their homes.
“Not many organizations can protect themselves from even the silliest viral attacks so the question is not whether we can avoid ever being attacked but when will we be attacked and what measures can we take to make sure the damage is minimal.”
“That’s true. There are a lot of abilities in Israel that can cause very dramatic damages in the wrong hands.
“Take Stuxnet (a malicious computer worm allegedly developed by Israel and the U.S. that attacked the Iranian nuclear system in 2011, D.B.N. and M.O.), it was one of the most severe cyberattacks to ever take place and similar methods are being used for attacks around the world to this day.
“One of the most severe cyberattacks, WannaCry (a ransomware attack on thousands of computers that took place in 2017, D.B.N. and M.O.) was based on a tool leaked from the U.S. National Security Agency (NSA). Just consider the financial impact of this, not to mention that some attacks can physically kill people.”
Do you also expose attackers or just vulnerabilities?
“Quite a few times when we were attacking a system we found somebody had beat us to it. Getting rid of them is exactly what we do.
“We once worked with one of the largest electricity companies in the world, with hundreds of thousands of employees and we got to a point where we had complete control over the system, and we found a lot of porn sites on the servers. Whoever hacked the company didn’t harm the organization with a malicious attack, they just used its servers as a free and stable hosting service.
“There is a direct correlation between how big the organization is and how easy it is to attack it. Big organizations have a much harder time defending themselves.”
According to Aronashvili, the “secret recipe” for preventing an attack is making sure it would be too expensive to be worth the trouble, compared to what the attacker may hope to gain. Aronashvili further emphasized that attacks by countries are far more difficult to protect against.
So, what if North Korea attacks Moderna Inc. or Oxford University, both of whom are working on a Covid-19 vaccine?
“On such a sensitive matter, countries can choose one of two paths: they can invest a fortune in research or wait for somebody else to find a vaccine and then invest in trying to steal it. The approach traditionally attributed to China—though, not all Chinese companies, of course—is that information can be obtained using every means. The motivation here is clear. I don’t see U.S. President Donald Trump allowing Moderna to help the Chinese before the U.S. is entirely covered. The geopolitical situation is very relevant.
“I had a drive. I set goals for myself regarding where I wanted to get to. At first, they were little goals: get into university, finish my degree. Some people from the neighborhood started to work right away because they had to make money. I also needed money but I worked scoring tests because I realized that a smart job can also educate you and help you develop.
“It’s a type of hunger that my kids don’t experience today. When my daughter, who is five and a half, wants to know when she will be getting a phone and a tablet, you just know it’s a different kind of childhood. I’m not loving it, I am kind of sad to see my kids grow up this way. Nothing is missing for them and their lives are comfortable. The main concern is where this leaves them if they lack my drive. You need to have a hunger for something in order to make it. I’m not talking about physical hunger for food, I mean hunger for achievement.”