
Taldor Cyber Attack : In-Depth Analysis of Advanced Malware Intrusion in Industrial Systems

  • Rescana
  • Sep 30
  • 4 min read

Updated: Oct 1


Executive Summary


On 30 September 2024, Taldor Cyber & Security was the target of a significant cyberattack, as reported by PC.co.il and corroborated by ITtime. Public reporting does not describe the exploitation of a vulnerability in any Taldor product or software version; instead, the intrusion leveraged compromised employee credentials and subsequent privilege escalation within the company’s internal IT infrastructure. Because Taldor operates as a managed service provider, the incident illustrates how a compromised provider can become a path into its clients, and why identity and access management for privileged and third-party accounts is a first-order control. No customer-facing products or services have been confirmed as directly affected, but organizations relying on Taldor’s managed services and IT solutions carry potential downstream risk. Executives and technical leaders should review privileged and vendor access, and coordinate closely with their third-party providers on risk mitigation.

Technical Information

The cyberattack on Taldor Cyber & Security was a compromise of internal IT systems carried out through abuse of privileged access rather than exploitation of a discrete software or hardware vulnerability. According to the public reporting available as of 30 September 2024, including statements from Taldor and coverage by PC.co.il and ITtime, the attack began with the compromise of employee credentials, which were then used to escalate to technician-level access within the organization’s managed service environment.

Taldor is a major Israeli IT integrator and managed service provider, offering a broad portfolio of solutions spanning infrastructure, cloud, security, software, and business process outsourcing. Its offerings include data center and networking solutions, cloud services across Azure, AWS, and private/hybrid environments, next-generation firewalls, SIEM, WAF, incident response, threat hunting, forensics, core banking, ERP, CRM, Microsoft Dynamics, SharePoint, self-service kiosks, ATM and payment solutions, and IT consulting. The attack did not target a specific product or service, and as of the publication date, no Common Vulnerabilities and Exposures (CVEs), product advisories, or version-specific vulnerabilities have been published in relation to this incident.

The attackers’ reported modus operandi aligns with several well-documented tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework. The initial access vector appears to have been compromised valid accounts (T1078); how those credentials were obtained has not been disclosed, and phishing (T1566) or other credential-harvesting techniques are plausible but unconfirmed. Once inside the network, the attackers escalated privileges using domain accounts (T1078.002). Technician-level access in a managed service environment typically comes with remote services (T1021) that can be used for lateral movement, although no public reporting confirms which hosts, if any, were reached that way. The downstream risk arises from Taldor’s role as a managed service provider to organizations across critical sectors. Note that ATT&CK maps this kind of risk most precisely to Trusted Relationship (T1199), the abuse of a provider’s legitimate access to its customers, whereas Supply Chain Compromise (T1195) describes tampering with software or hardware before delivery; both are commonly grouped under the label “supply chain attack”, which this advisory uses in the broad sense.

No public indicators of compromise (IOCs), exploit code, or technical details regarding malware or persistence mechanisms have been released. Because the reporting describes a credential-driven intrusion and no product-specific vulnerability or CVE has been published, the most likely root cause is a failure in identity and access management controls rather than a software flaw: for example, multi-factor authentication (MFA) not enforced on the compromised accounts, insufficient monitoring of privileged accounts, or lack of segmentation between internal and customer-facing environments. Which of these applied has not been disclosed.

Threat actor attribution remains unconfirmed. The tactics described are consistent with the operations of advanced persistent threat (APT) groups such as OilRig (APT34), which has a history of targeting Israeli and Middle Eastern organizations through supply chain and credential-based attacks; Ember Bear and Sandworm Team are also known for targeting IT providers and executing supply chain compromises. This overlap in TTPs is not evidence of any group’s involvement: credential theft followed by privilege escalation is used by criminal and state actors alike. What these actors have in common is that they exploit trusted relationships between service providers and their clients, enabling them to pivot into downstream environments and maximize operational impact.

The potential impact of this incident extends beyond Taldor’s internal systems. Given the company’s extensive managed service portfolio, there is a non-trivial risk of downstream or supply chain effects, particularly if privileged access to customer environments was obtained or if lateral movement into client networks occurred. At this time, however, there is no public evidence to suggest that customer-facing systems or data have been compromised.

Mitigation for organizations utilizing Taldor’s services should focus on three things. First, review and tighten the privileged access granted to Taldor-managed accounts and infrastructure: enumerate every account, VPN profile, jump host and remote-management tool the provider uses, confirm each is still needed, and enforce MFA and least privilege on all of them. Second, monitor those accounts for activity that does not fit the agreed service pattern: logons from source addresses outside the provider’s known ranges, activity outside agreed change windows, additions to privileged groups, and remote logons to hosts the provider does not normally manage. Third, coordinate with both Taldor and the relevant national authorities for timely updates. More generally, conduct regular audits of third-party access and maintain incident response plans that explicitly cover the scenario in which a trusted provider is compromised.
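The monitoring checks above, as an added detection example that is not part of the original advisory and not Taldor’s or Rescana’s code. It assumes Windows Security events exported as JSON lines, a naming convention for third-party accounts (a `vendor-` prefix), an allowlisted provider source subnet and an agreed change window; all of these, the account name `vendor-msp01` and the sample events are constructed for illustration. It flags the valid-account, privilege-escalation and lateral-movement patterns discussed under Technical Information (T1078, T1078.002, T1021):

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, time

# Hypothetical site conventions (assumptions, not from the advisory): third-party
# accounts carry a "vendor-" prefix, may connect only from an allowlisted subnet
# (TEST-NET-3 stands in for the provider's range) and only inside an agreed
# change window.
VENDOR_PREFIX = "vendor-"
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
CHANGE_WINDOW = (time(22, 0), time(4, 0))      # 22:00-04:00, crosses midnight
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REMOTE_LOGON_TYPES = {3, 10}                   # Network and RemoteInteractive (RDP)
LATERAL_HOST_THRESHOLD = 3                     # distinct hosts reached by one account

# Constructed sample: Windows Security events flattened to JSON lines. Field names
# follow the event XML (TargetUserName, LogonType, IpAddress, MemberName); a real
# 4728 event carries MemberName as a distinguished name, simplified here to the
# account name.
SAMPLE_LOG = """
{"EventID": 4624, "TimeCreated": "2024-09-30T23:15:00", "Computer": "DC01", "TargetUserName": "vendor-msp01", "LogonType": 10, "IpAddress": "203.0.113.10"}
{"EventID": 4624, "TimeCreated": "2024-09-30T11:02:00", "Computer": "FS01", "TargetUserName": "vendor-msp01", "LogonType": 3, "IpAddress": "198.51.100.7"}
{"EventID": 4624, "TimeCreated": "2024-09-30T11:05:00", "Computer": "APP02", "TargetUserName": "vendor-msp01", "LogonType": 3, "IpAddress": "198.51.100.7"}
{"EventID": 4728, "TimeCreated": "2024-09-30T11:09:00", "Computer": "DC01", "TargetUserName": "Domain Admins", "MemberName": "vendor-msp01"}
{"EventID": 4624, "TimeCreated": "2024-09-30T09:00:00", "Computer": "WS17", "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "10.0.0.5"}
"""


def is_vendor(account: str) -> bool:
    """True for accounts that belong to the third-party provider."""
    return account.lower().startswith(VENDOR_PREFIX)


def in_change_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the agreed change window."""
    start, end = CHANGE_WINDOW
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end          # window crosses midnight


def source_allowed(ip: str) -> bool:
    """True if the logon source address is inside the provider's allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                        # "-" or malformed: treat as unknown
    return any(addr in net for net in ALLOWED_SOURCE_NETS)


def analyse(events):
    """Return (account, rule, detail) findings for third-party accounts."""
    findings = []
    hosts_by_account = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if eid == 4624:                     # successful logon
            acct = ev["TargetUserName"]
            if not is_vendor(acct):
                continue
            if ev["LogonType"] in REMOTE_LOGON_TYPES:
                hosts_by_account[acct].add(ev["Computer"])
            if not source_allowed(ev["IpAddress"]):
                findings.append((acct, "T1078: logon from unapproved source", ev["IpAddress"]))
            if not in_change_window(ts):
                findings.append((acct, "T1078: logon outside change window", ev["TimeCreated"]))
        elif eid in (4728, 4732):           # member added to global / local group
            member, group = ev["MemberName"], ev["TargetUserName"]
            if is_vendor(member) and group in PRIVILEGED_GROUPS:
                findings.append((member, "T1078.002: added to privileged group", group))
    # One provider account reaching many hosts over remote logons is the
    # lateral-movement pattern the advisory warns about.
    for acct, hosts in hosts_by_account.items():
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            findings.append((acct, "T1021: remote logons to many hosts", sorted(hosts)))
    return findings


def load_events(text: str):
    return [json.loads(line) for line in text.strip().splitlines()]


def run_sample():
    return analyse(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for acct, rule, detail in run_sample():
        print(f"{acct:14} {rule:40} {detail}")
```

The allowlist and change window are the two inputs that must come from the contract with the provider, not from guesswork; if no such agreement exists, every provider logon is effectively unverifiable, which is itself a finding for the access review.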

The incident serves as a stark reminder of the evolving threat landscape facing managed service providers and their clients. Supply chain attacks are increasingly favored by sophisticated adversaries due to their potential for widespread impact and the inherent trust placed in service providers. Organizations must adopt a defense-in-depth approach, combining technical controls, continuous monitoring, and proactive vendor risk management to mitigate the risk of similar incidents.

References

PC.co.il – Taldor hit by a cyberattack (Hebrew): https://www.pc.co.il/news/%D7%90%D7%91%D7%98%D7%97%D7%AA-%D7%9E%D7%99%D7%93%D7%A2-%D7%95%D7%A1%D7%99%D7%99%D7%91%D7%A8/438103/

ITtime – Taldor undergoing a cyberattack (Hebrew): https://www.ittime.co.il/cyber-attack-taldor/

Taldor Cyber & Security (Hebrew): https://www.taldor.co.il/%D7%A1%D7%99%D7%99%D7%91%D7%A8-%D7%95%D7%90%D7%91%D7%98%D7%97%D7%94/

MITRE ATT&CK T1195 - Supply Chain Compromise: https://attack.mitre.org/techniques/T1195/

MITRE ATT&CK T1199 - Trusted Relationship: https://attack.mitre.org/techniques/T1199/

MITRE ATT&CK OilRig Group: https://attack.mitre.org/groups/G0049/

Rescana is here for you

At Rescana, we understand the critical importance of proactive third-party risk management in today’s complex cyber threat landscape. Our advanced TPRM platform empowers organizations to continuously monitor, assess, and mitigate risks across their entire supply chain, ensuring resilience against even the most sophisticated attacks. We are committed to providing timely intelligence, actionable insights, and expert support to help you safeguard your business and maintain trust with your stakeholders.

If you have any questions about this advisory or require further assistance, please contact us at ops@rescana.com. Our team is always ready to support your cybersecurity needs.
