As hackers behind an attack on an Israeli insurance firm this week promised, they released online stolen information after the company refused to pay its ransom within 24 hours, in what it and experts say is an ideologically motivated cyber attack.
The hackers, who identify as “Black Shadow”, had already released some of the files they had stolen from Shirbit, a prominent Israeli car insurance firm, who said it was hacked at the beginning of the week, with workers’ and clients’ data compromised.
The information now released included images of ID cards and driver’s licenses, as well as photo albums that appear to be from internal company events. More egregiously, the attackers started to leak online medical reports of insured customers, which includes Israeli officials. The massive amount of information may be just the tip of the iceberg.
The Black Shadow group demanded that Shirbit pay out almost a million dollars within 24 hours or have the information stolen from them sold online. The hackers demanded 50 bitcoin ($950,000) and threatened to double and then triple the amount should the Israeli company refuse to pay.
After the deadline passed, the hackers also published purported screen captures of its negotiations with a Shirbit representative.
Meanwhile, the company is expanding its team of advisers. It started with White Hat but added cybersecurity firm Konfidas to manage the crisis. The working assumption is that the attackers are what is termed “hactivists” who are ideologically motivated.
The hypothesis is that the hack was initially not driven by financial motives and only after the breach did the attackers discover that they were sitting on a trove of valuable information and decided to demand a ransom, which was rejected.
- ‘You have 24 hours’: Hackers demand $1m ransom from Israeli firm
- Hackers break into leading Israeli insurance firm, leak personal details
- 'Operation Quicksand': Iran-linked hackers target Israel in 'new cyberwar phase'
The company and its team of cyber experts suspect the hackers are a group with little to no experience in the field of ransom attacks.
Given this working assumption, the company issued a statement that read: “Shirbit announced that it decided not to meet the ‘ransom demands,’ and to continue using all means to protect the information of clients and employees. The company is being assisted by a host of official entities involved in managing the incident. During negotiations that went on all night long, all the professionals came to the sweeping conclusion that cyber-terror has an interest in causing strategic harm, as there isn’t any financial incentive behind it.”
The company stated that it decided not to meet the demands. “Company officials continue to follow every development and are informing its customers regularly as necessary,” it announced.
“Shirbit operates in coordination with and with the support of the national cyber authority, the securities authority, the Israel Police, the privacy authority and other state bodies. The firm also hired the services of top-of-the-line experts, specialists in managing cyberattacks, conducting negotiations and crisis management.”
Shirbit CEO Zvi Leibushor added, “The company will not surrender to terrorism of this kind and will use the means at its disposal to protect company clients and the information found in the company, in coordination with state authorities, which are helping closely to manage the incident.”
Meanwhile, cybersecurity firm ClearSky issued a brief report on the incident, confirming the conclusion that the group’s modus operandi indicates that its initial motivation for the attack was ideological.
ClearSky also pointed at a series of failures in managing Shirbit’s security system, like leaving servers exposed to the web and failure to update the company’s VPN, which made it easier for hackers to break into the organizational network. It is also dumbfounding how the attackers managed to pull out enormous amounts of material from the servers without sounding any alarm bells.
It seems these failures are incompatible with the mandatory rules for “managing cyber risks” as the insurance supervisor issued a number of years ago.
The coronavirus has seen a massive uptick in cyber crime. The cyber-attack on Shirbit is the latest in a string of attacks targeting Israeli firms. These include a cyber-attack on the firm Sapiens in June and another on chip manufacture Tower Semiconductor in September that caused it to temporarily halt production. It is possible that there have been other cases that remain unknown to the public. Ransomware attacks are often resolved quietly, with the victim paying out, and they have become a daily occurrence across the world.