The BlackShadow threat group has managed to breach the Israeli hosting provider Cyberserve to steal client databases and hold them for ransom. Starting on October 29th, the company’s website was unavailable as they worked through the aftermath of the cybersecurity incident. According to the attackers, they are holding the client databases for ransom for 1 million dollars in cryptocurrency and gave the company 48 hours to pay. As proof, the group leaked 1,000 documents almost immediately. Many of the websites hosted by Cyberserve are still unavailable according to Bleeping Computer. The National Cyber Directorate told The Times of Israel that they had warned Cyberserve about an imminent cyber-attack several times in the previous days. It is unclear if Cyberserve took these warnings seriously.
BlackShadow is an Iranian-backed threat actor with confirmed links to the Pay2Key ransomware strain, which has been used repeatedly against Israeli victims. However, BlackShadow remains a group that is not financially motivated by its attacks. Attacks like these are believed to be politically motivated, part of the ongoing conflict between Iran and Israel, with the ransom being just a bonus for the group.
Cyberattacks between Iran and Israel have been going on for some time. Though many of these attacks have appeared to be ransomware attacks, they are actually information-stealing operations conducted by each country. Even if Cyberserve pays to keep the data out of public view, BlackShadow will still have access to the data it stole, and the group can use it to carry out further attacks against Israeli-based targets. Companies should have the proper defenses in place to protect against intrusions. These can include services such as the Binary Defense Managed Detection and Response service, in conjunction with the 24/7 Security Operations Task Force, to monitor and alert on suspicious activity.