[BreachExchange] Black Shadow hackers leak medical records of 290,000 Israeli patients

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Nov 17 11:07:19 EST 2021


https://www.timesofisrael.com/black-shadow-hackers-leak-medical-records-of-290000-israeli-patients/



In its second major leak in a day, the Black Shadow hacking group on
Tuesday night uploaded what it said was the full database of personal
information from Israel’s Machon Mor medical institute, including medical
records of some 290,000 patients.

The directory reportedly includes information on patients’ blood tests,
treatments, appointments for gynecologists, CT scans, ultrasounds,
colonoscopies, vaccinations for flights abroad, and more.

The documents reportedly include correspondence from patients with requests
including medical appointments, the need for procedures and test results.

Earlier Tuesday, Black Shadow released what it said was the full database
of personal user information from the Atraf website, an LGBTQ dating
service and nightlife index.

The group uploaded the file to a channel on the Telegram messaging app
after a ransom demand of $1 million in digital currency to prevent the leak
was apparently not paid.

The group wrote, in broken English, “48 hours ended! Nobody send us money.
This is not the end, we have more plan.”

The group also posted screenshots of what it said were negotiations over
the ransom. In the images of the conversations, Black Shadow supposedly
refuses a ransom of $500,000. CyberServe denied negotiating with the
hackers.

Black Shadow is a group of Iran-linked hackers who use cyberattacks for
criminal ends, according to Hebrew media reports.

Cyber experts immediately warned against downloading the file the group had
released.

The data leak has caused concern among those users of the Atraf site who
have not publicly disclosed their sexual orientation or gender
identification.

As the ransom deadline passed on Tuesday, the group uploaded the file,
which they said contained the names of Atraf users and their locations, as
well as the HIV status that some users had put on their profiles.

Yoram Hacohen, head of the Israel Internet Association, said, “This is one
of the most serious attacks on privacy that Israel has ever seen. Israeli
citizens are experiencing cyber terrorism.”

“This is terrorism in every sense and the focus now must be on minimizing
the damage and suppressing the distribution of the information as much as
possible,” Hacohen told the Ynet news site.

He argued Telegram was partially responsible for the incident, and that
tech companies should act to limit the spread of the private information on
their platforms. He also called on Israel to use legal and technological
means to remove damaging information online.

The group had initially hacked the CyberServe Israeli internet hosting
company on Friday, taking down its servers and a number of sites, among
them Atraf.

On Sunday morning, Black Shadow said in a statement that it was “looking
for money” and would not leak further information if the ransom was paid
within 48 hours.

“If we have $1 million in our [digital] wallet in the next 48 hours, we
will not leak this information and also we will not sell it to anybody.
This is the best thing we can do,” the hacking group said, noting that it
was in possession of users’ chat content, as well as event ticket and
purchasing information.

The hackers said that they had not been contacted by anyone in the Israeli
government or CyberServe. The hackers said the lack of contact showed it
was “obvious [the hack] is not an important problem for them.”

Israel’s National Cyber Directorate said Sunday it had previously warned
CyberServe that it was vulnerable to attack.

The cyber attack also hit other websites, including the Israeli public
transportation companies Dan; Kavim, a children’s museum; tourism company
Pegasus; and Doctor Ticket, a service that could have sensitive medical
data, according to Hebrew media.

Black Shadow claimed responsibility for the attack and published what it
said was client data including the names, email addresses, and phone
numbers of Kavim clients on Telegram.

Hours later, the group said it had not been contacted by authorities or
CyberServe, so it released another trove of information, including what it
said was data pertaining to clients of the Dan transportation company and a
travel agency.

The group breached Israel’s Shirbit insurance firm in December last year,
stealing data. It demanded a $1 million ransom and began leaking the
information when the firm refused to pay.

The new attack comes after an unprecedented, unclaimed cyberattack wrought
havoc on Iran’s gas distribution system this week, which Tehran officials
have blamed on Israel and the United States.

Iran and Israel have been engaged in a so-called “shadow war,” including
several reported attacks on Israeli and Iranian ships that the two have
blamed on each other, as well as cyberattacks.

In 2010, the Stuxnet virus — believed to have been engineered by Israel and
its ally the US — infected Iran’s nuclear program, causing a series of
breakdowns in centrifuges used to enrich uranium.