In its latest attack on an Israeli company, Black Shadow leaked data from a number of companies serviced by the Israeli internet company Cyberserve, including Atraf, the Kavim and Dan bus companies and the tour booking company Pegasus.
The latest attack was announced by the group on Friday, with Black Shadow claiming that it had damaged the servers. Cyberserve is a web hosting company, meaning it provides servers and data storage for other companies across industries. The data seized by the hackers covers a wide variety of businesses: from travel bookings company Pegasus to the Dan bus company and even the Israeli Children’s Museum.
Black Shadow claimed on its Telegram channel on Sunday that neither government officials nor Cyberserve contacted them about their ransom demand, so they had decided to allow the public to provide the $1 million ransom they were demanding. “It is obvious this is not an important problem for them,” said the group. “We know everybody is concern about ‘Atraf’ database. As you know we are looking for money.”
The group promised that if it got the ransom, it would not leak the information of about one million people it had collected from Atraf. The group did not make any promises about any of the other data it had collected.
The Agudah – The Association for LGBTQ Equality in Israel and the Israel Internet Association advised those affected by the cyberattack to make sure to change their usernames and passwords and to use strong passwords. The two stressed that in any incident of ransom demands or blackmail, those affected should contact Israel Police.
“The natural human tendency may succumb to the demands of the attackers, but past experience shows that there is no guarantee that the personal content will be removed. Moreover, it is an opening that may lead to additional ransom demands,” stressed the two organizations. The two also advised those affected to notify social media platforms if their information is published on social media.
Those affected in the LGBTQ+ community can contact a hotline set up by the Agudah between the hours of 5 p.m. and 7 p.m. and between 7:30 p.m. and 10:30 p.m. Sunday through Thursday at *2982 and on WhatsApp at 058-620-5591.
Yigal Ono, the head of the National Cyber Directorate, told Army Radio on Sunday that Black Shadow appears to be a criminal group with an “anti-Israeli scent,” adding that “it could be because they’re of one origin or another, but it is not fundamentally different from what is happening all over the world.”
Cybersecurity consultant Einat Meyron stated in response to the most recent Black Shadow account that “the identity of the attacking group is a little less important.”
“On the part of the attacked companies – for insurance and reputation reasons it is clear that they will want to attribute the attack to Iran. In practice, there is no need to make it easier for attackers by refraining from exercising basic defenses,” added Meyron.
The cybersecurity consultant additionally stressed that “it is necessary to prove beyond any doubt that this is an Iranian group and it is neither trivial nor significant because of the effect of the slander and because an Iranian attribution does not necessarily indicate it was an ‘Iranian mission.'”
Meyron further explained that it is unlikely that a group working for the Iranian regime would “waste energy” on records from random sites, but rather would aim to cause significant damage to crucial infrastructure.
In December, in response to the Shirbit cyberattack, Zohar Pinhasi, CEO of cyber security service MonsterCloud, told The Jerusalem Post that the claims that Black Shadow wanted to strategically harm Israel and is not looking for money were “nonsense.”
“This claim is repeated in every sector that is attacked and in every country. The hack is almost always first and foremost a ransom attack and on a financial basis. This is also the case in the Shirbit attack,” said Pinhasi, who is also a former IT security intelligence officer in the IDF, at the time. “The Pandora’s box has opened and now the company is trying to downplay the severity of the hack and frame it as a matter of ‘national security’ to prevent damage to their reputation and come out as alright with the regulator and customers,” he said.
Ben Zion Gad contributed to this report.