When the Researcher Became his Research Subject
Today one year ago (November 17th, 2021), a nation executed an influence operation against me in their most notorious media outlet managed by the country's armed wing loyal to the regime. Supported by a nation-state-sponsored APT group, the media exposed some personal information of mine and photos from Instagram. Not only doxing - but the media outlet also called me a "Senior officer in the Israeli army" and attributed all the attacks that happened to this country to me. After a year, I decided to share my story.
November 16th 2021 was a really great day. I participated in a panel at a medical-related cybersecurity conference. I spoke about my role at the CTI League and some lessons learned. The audience of this conference were CISOs of hospitals from Israel, not long after the attack against Hillel Yafe hospital. After this panel, I went to the office. My position as Head of Intelligence (back then, the Threat Intelligence Strategic Leader) was not relevant to the country that targeted me, as it was relevant to my previous position. I finish this great day by participating in Cyberwarcon 2021. A day full of things that were part of my new life.
On November 17th, 2021, I was in a meeting with one of the analysts in our SOC. I suddenly got a call from an unknown number from this country. I didn't answer and started to get more and more calls. I finished my meeting and started to research. I've done multiple cyber cognitive types of research before, but that was the first time I became my own research subject. In the meantime, many people called and sent messages, threatening and cursing me. I discovered the article and all the follow-up articles multiple media outlets made, including in my country. The national media outlet made a cover story about me, claiming they exposed my secret identity (that wasn't so secret at all; anyone who searched my name in google knows that). The media outlet claimed I was a senior officer in the Israeli army, a commander who executes all the attacks against this country. Alongside these claims, the media outlet spice the article with photos, personal details, and social media accounts.
It's not the first 'doxing' this country did, but that was the first time they chose to highlight a cyber researcher that impacted them and spread lies about him. The fascinating aspect is that I didn't focus on researching these types of attacks for a few months, and if they genuinely monitored any activity of mine as they claimed, they knew it. It didn't matter to the people that this country sicced against me.
I felt like two roads diverged in front of me. The first road is to answer this attack publicly, to respond, to keep focusing on the life I had. A road of the past, continue being the cyber researcher I was. The second road is to ignore the campaign, as I did when I was the subject of other influencing operations. A road of the future - if I have a different position and do different things, why should I return to fight battles that are not mine anymore? Although I wasn't relevant anymore to the subject for a few months, I'm guessing that was the moment I understood that after ten years of working on a specific intelligence subject - it's part of my past. As you can understand, I chose to move focus on the future ahead of me.
I decided to take this influence campaign as the most decisive proof I would ever have of the impact that I've made on the global level. It wasn't just happened in a vacuum - it was the last chord for a ten-year journey. I feel good about this decision. A good friend of mine once told me, "When the conscience is clean, you can rest at ease" - I believe it from the bottom of my heart. I know I've been impacted, and I feel good that I did the right thing. I hope I am intent on keeping contributing.
I believe it's time to speak up after a year. For the cyber threat intelligence researchers that read it, I would recommend knowing who's on the other side; you can find yourself becoming the target. It is part of the risk we take. Knowing what happened to me might help you prepare for similar things.
I also want to thank everyone who supported and was there for me this year. Multiple people from the industry told me this year, "this is such a crazy story! You have to write something about it". Here we go.