In the middle of August we reported that a cyberattack hit one of Israel’s biggest academic institutions - Bar Ilan University.
The attack was a classic case of cybercrime - a ransomware attack that saw the university's systems (computers, networks and data) encrypted by hackers demanding a ransom to decrypt the files and release them back to their rightful owners.
The academic institution made use of its internal team as well as external consultants and experts to address what at the time was described as “a limited event that will not prevent studies and work in the university to continue as planned.”
However, despite attempts by Bar Ilan University to play down the incident, it turns out that was only the beginning: The hacker behind the attack did not just encrypt the university's computer files, they also stole information from Bar Ilan - and a lot of it, in fact.
In a conversation with Haaretz held over the Telegram messaging app, the hackers say they have over 20 terabytes of the university’s data and are demanding 2 bitcoin for it (roughly $94,000).
This is what is called “double extortion,” with the threat of having your stolen data sold being the second threat faced by the victim - already dealing with the initial loss of data and payout demand. Having the stolen data sold could lead to additional secondary losses for the victim, who may be exposed after their information and that of their clients, for example, is sold online.
Double as well as triple extortion attacks have become increasingly common during the coronavirus pandemic, with hackers even reaching out to clients of their victims to try to pressure the latter to pay them.
We spoke with the hackers behind the Bar Ilan attack and can now reveal new information about the attack: First of all, they say they managed to hack into Bar Ilan’s network through the remote work system used - what is termed RDP, or remote desktop protocol. VPNs and other systems like RDP that allow workers to access professional systems from home have proven to be cybersecurity’s Achilles' heel during the coronavirus pandemic, and many attacks exploit remote-working systems to attack companies.
In this case, the hacker says, the system’s security was weak - or at least the password used on the infected computer was not strong enough. The computer that was actually attacked and used as a gateway into the rest of the university’s system was part of Bar Ilan’s nanotechnology center in its Life Sciences Faculty. It was the personal computer used by one of the university's tenured professors (Haaretz has chosen not to publish their name).
A conversation with a hacker
In our conversation, the hackers say that the information they stole includes “personal documents, academic papers, working papers and documents, grant proposals, coronavirus research, as well as the names and emails of students and faculty, among others.”
According to the hackers, “the database is over 20 terabytes.” To back this claim and substantiate the ransom demand, the hackers even uploaded a sample file of 55 megabytes that includes different files.
Haaretz downloaded this “dump” to try to see what information was stolen. The sample file they posted, we found, includes ID numbers, driver's licenses, insurance policies and details, worker timecards, academic research papers, and invoices for scientific equipment that was ordered by researchers for different labs. The hackers also seem to have personal photos, most likely taken by a faculty member at a family event and then stored on their work computer.
During the actual attack, the hacker used the infected computers to make their ransom demand known. The use of the victims’ computers to publish a ransom note is also a new trend that has become increasingly prominent among cyber criminals during the coronavirus pandemic. At the time of the attack, the hackers demanded $10,000 for each server they had hacked into. The hackers claimed they hit 250 servers - but the reality is closer to ten in all.
“I had access to their main directory,” the hackers wrote to us over Telegram, attaching a screen capture of what they say is the main file directory for the entire university’s database. The hacker requested the ransom in cryptocurrency, but it wasn't bitcoin they were initially after: they asked the university to pay in “Monero”, another digital coin known for the anonymity it provides. However, today, as they try to sell the stolen data on the dark web, they have changed currencies and are now asking for two bitcoin, worth roughly 300,000 shekel.
When asked why they initially asked for monero and then pivoted to bitcoin, the hacker responds that it is “because bitcoin is much more popular than monero, so more people can pay with it.”
We also asked them about the negotiations they held with Bar Ilan to have the data released, specifically about their experience with the incident response team they held direct talks with.
“I don’t think the data is important to the university and the person conducting the negotiations with me was weak and was a very poor choice in terms of who was sent to have talks with me.”
The hackers, who go by the alias “Pay!”, sent Haaretz screen captures of their negotiations. They reveal that a person by the name of “Uriah” was sent to secure the data’s release through talks with the hackers. The hackers, the talks reveal, fumed at the university for not paying out the full sum after they proved to “Uriah” that they held what is called the “key” needed to decrypt the files they had encrypted.
Bar Ilan did actually pay the hacker. Just not in full. The negotiations reveal that the university paid out a small sum of 6.6 monero - about $1,500.
“This was for the sample files. Three files for $500 a pop,” the hacker explained to us. Thus, they explain, they proved to the university that they had their files and had the key needed to decrypt them and allow the university to regain its access. However, beyond that initial sum, no more money was transferred.
Bar Ilan University, for its part, says the initial payment was “not a ransom payment. It was payment for testing the files and confirming the attacker’s identity.”
It is possible that Bar Ilan was not willing to make a deal with the hacker for the entire system for different reasons. However, the hacker is confident they will find a buyer on the darknet - “if not, I’ll see” what to do next, they say.
What happens now is all a question of the hacker’s motivation. Some cybercrime groups are motivated not just by financial motives, but also by political ones - for example, Black Shadow, the group that attacked Israel’s Shirbit Insurance, was labeled a hacktivist group also interested in embarrassing an Israeli institution and thus ended up selling the firm’s data online.
In this case, it is also possible that the hackers may want to embarrass the university by publishing its internal documents online and exposing the details of students and staff.
The academic sector has increasingly become the victim of cyberattacks, and only a few weeks ago Haaretz reported about the first case of official Chinese state hacking against Israeli targets. It targeted, among others, academic and research institutions.
Bar Ilan said in response that, “cyber threats and attacks focus on high quality targets [like Bar Ilan] because we conduct influential and life-saving research. Bar Ilan’s network has recently faced a cyberattack. Nonetheless, campus life has continued as usual and our investigation revealed that our core system was not affected.
“We view this event as a serious but rare incident and are learning it and are investing heavily in defenses to protect our research.”
They further said they were working with Israel’s official cyber authority as well as a team of experts.
“In line with the recommendations of our team of experts, the university did not pay out the ransom and did not agree to the attacker’s demands. The reason: Our experts say the data stolen is actually limited. Because the hacker didn't get what they wanted, they are now going to the media to try to increase pressure on the university.”