Israeli Firm Manages to Recover Systems After Massive Cyberattack

Shirbit recovered 90 percent of its system but negotiations with suspects continue. The insurance company revealed that over 2,000 documents were leaked, including at least 130 ID cards belonging to their clients

Amitai Ziv

Computer hacker illustration. Credit: Getty Images IL

The Israeli insurance firm Shirbit managed to restore about 90 percent of its systems within the first 24 hours of the cyberattack in which its data was breached and information on its clients was leaked online. The company's website, which has been down in recent days, is expected to go back online soon, the firm said Sunday.

The firm is already in the forensic stage of the attack. This is no simple task, because the attackers deleted, among other things, the log files that recorded their entry into and activity within Shirbit's systems, leaving investigators with fewer traces of how the intrusion began and progressed.

Meanwhile, negotiations with the attackers continue. The current working assumption of the professional cyber teams working with Shirbit is that this is not a ransom attack with a financial motive. The suspects have been reluctant to negotiate with Shirbit, which is common in such attacks.

The motivation for the attack remains unclear but a variety of explanations are discussed, ranging from revenge for a bad business deal or personal vendetta, to an ideologically motivated attack targeting Israeli organizations. 

Shirbit has stated that over 2,000 documents have been leaked, including at least 130 ID cards belonging to its clients. The firm has already reached out to those whose information was compromised. In many cases, the victims had no idea their information had made its way online.

An examination revealed that only three people had their personal credit card information published online; those cards have since been blocked. At this point, it is still unclear how the attackers broke in and which vulnerability they exploited. Official government bodies are assisting the insurance firm.

The hackers managed to breach Shirbit’s computer network and steal large amounts of data – hundreds of megabytes, if not much, much more – from the company’s servers at the beginning of last week. They got their hands on employees’ pay slips, claims filed by customers – including insurance appraisers’ reports and hospital records, for example – as well as a large number of customer ID documents.

After the second deadline passed, the Black Shadow hacker group published a new slew of threats: "THE END". Credit: Telegram / Screen Capture

Since then, the attackers have been gradually leaking more and more of the information online, a technique known as "data dumping," or simply dumping. Each dump exposes more personal information and makes the task of containing the breach that much harder. Dumps are also meant to increase the pressure on the victim to pay.

Only two days after the attack, the hackers sent a ransom note demanding 50 bitcoins – just shy of $1 million – in return for halting publication of the stolen information online. The hackers said they would double the ransom amount if it was not paid on time, and then triple it again after another 24 hours.

All the experts, including those actually involved handling the incident and who have seen all the materials and details, say that at this stage all signs indicate that the hackers don’t really want money. It seems that they are a group that began the campaign for ideological and anti-Israel reasons – and then discovered they had hit the jackpot.

The group demanding the ransom has not been linked to any previous attacks. Usually, a group's mode of operation or even the techniques it deploys can be used to attribute attacks to particular actors. However, the way this group, Black Shadow, is behaving does not resemble other ransom cases. As a result, experts see little reason to negotiate with them: even if the ransom is paid, it is far from certain that the group will stop dumping information online.

“The ‘manufacturers’ of ransomware have a reputation to maintain,” said attorney Jonathan Klinger, who specializes in internet and information law, about what is termed in the industry as threat actors, or hacker teams. “Every such organization has a history and knows that if they are paid they will not release the files they stole – otherwise they will lose their credibility and thus the ability to get paid next time.”

The Shirbit attackers, on the other hand, seem to want to sow destruction and create a PR embarrassment for the Israeli company. They could be amateurs, but they could also be a group with a foreign country behind them. For now, the former is the more common assessment.
