16.02.23
Editorial Note
On Sunday, February 12, the computer servers of the Technion in Haifa were targeted by a cyber attack, as announced by the university. The university disconnected the computer systems until it completed its investigation. An email allegedly sent by the hacking group Darkbit reveals they demanded 80 bitcoins, or some $1,750,000, in ransom.
According to the Technion, classes are taking place as usual despite the attack.
The wording of the Darkbit email that followed the attack included anti-Israel rhetoric. It said, “We regret to inform you that we’ve had to hack Technion network completely and transfer ‘all’ data to our secure servers… Keep calm, take a breath and think about an apartheid regime that causes troubles here and there. They should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes against humanity, killing the people (not only Palestinians’ bodies, but also Israelis’ souls) and destroying the future and all dreams we had. They should pay for firing high-skilled experts.”
In an interview, Alex Steinberg, a product manager at the cyber security firm ESET, explained that “the motivation to steal information from the institute could stem from a number of reasons. Firstly, countries like Iran, China, and Russia, could benefit greatly from the information. Additionally, they may want to steal the information to sell it for a profit,” he said. “In the ransom note, it seems that the attackers are demanding a monetary sum, but it could be a façade for other purposes… Some sources indicate that security and private entities in Israel are requesting to conduct in the Technion research whose results are not intended for publication. Hopefully, sensitive information didn’t leak as a result of the attack.”
In 2021, Bar-Ilan University was also the target of a cyber-attack, in which the hackers demanded $2.5 million. Bar-Ilan refused to pay, and as a result, the hackers leaked hundreds of thousands of personal records of students and faculty. The media notes that the cyber-attack was carried out by an Iran-linked group named Agrius.
Checkpoint, the Israeli cyber security firm, reported that, on average, Israeli educational institutions are targeted by hackers 3,383 times per week. Checkpoint explained that hackers prefer educational organizations due to their valuable personal data and the scant investment in cyber security.
Interestingly, Tasnim, the Iranian news agency based in Tehran, reported on the Technion cyber ransomware attack. They noted the attack came about a fortnight after a massive cyber attack targeted several Israeli chemical companies operating across “the occupied territories.” Tasnim explained that on January 30, a group of hackers launched a massive cyber-attack on Israeli chemical companies and “warned” engineers and workers to “quit their posts before they suffer severe repercussions of the Tel Aviv regime’s relentless violence against Palestinians.” In their words, “Our message to chemists working in the chemical factories is to leave their job, look for a new one, and take refuge in a place where we are not present. This is while we have a strong presence anywhere.” A message by the “Electronic Quds Force” stated, “We confirm that your work in chemical factories poses danger to your lives; however, we will never hesitate to melt your bodies with chemicals next time an act of aggression is perpetrated against Palestinians.”
Meanwhile, Tomas Meskauskas, the founder, author, and editor of PCrisk, a cyber security portal that informs Internet users about the latest digital threats, offers removal and decryption options for the DarkBit ransomware.
IAM will report on the investigation once it is published.
References

https://www.ynetnews.com/business/article/syjobiuti
Leading Israeli research institute falls prey to cyberattack
In ransom note littered with anti-Israel rhetoric, hackers threaten to leak Technion’s data online if demands not met within five days
Roei Hahn, Yuval Mann | published: 02/12/23 | 16:02
Computer servers at the Technion Institute of Technology in Haifa were targeted by a cyberattack overnight Sunday, a spokesperson for the university confirmed in a statement.
According to the statement, all of the university’s computer systems have been disconnected deliberately until a probe sheds light on the extent and intent behind the attack.
While the academic institute did not divulge information about the nature of the attack, in an email that reached Ynet and was allegedly sent by a group going by the name Darkbit, the hackers demanded that Technion pay 80 bitcoin, or about $1,750,000, in ransom.
The hacker group threatened to increase the requested sum by 30% if their demands are not met within 48 hours, and put all of the university’s data up for sale on the web after five days.
Despite the attack, classes at the Technion took place as usual on Sunday, with students being asked to disconnect their personal computers from the local network and minimize email traffic until further notice.
Cybersecurity experts recommend against paying ransom for two reasons: firstly, there is no guarantee the attackers will keep their word and return the stolen information, and secondly, paying ransom encourages hackers to continue targeting other companies and organizations.
The wording of the email that followed the attack is littered with anti-Israeli rhetoric, which suggests the attack was motivated by ideological reasons, and not greed.
“We regret to inform you that we’ve had to hack Technion network completely and transfer ‘all’ data to our secure servers,” the attackers wrote in the email, “Keep calm, take a breath and think about an apartheid regime that causes troubles here and there. They should pay for their lies and crimes, their names and shames.”
“They should pay for occupation, war crimes against humanity, killing the people (not only Palestinians’ bodies, but also Israelis’ souls) and destroying the future and all dreams we had. They should pay for firing high-skilled experts,” the mail read.
Alex Steinberg, a product manager at cybersecurity firm ESET, explained that “the motivation to steal information from the institute could stem from a number of reasons. Firstly, countries like Iran, China, and Russia, could benefit greatly from the information. Additionally, they may want to steal the information to sell it for a profit.”
“In the ransom note, it seems that the attackers are demanding a monetary sum, but it could be a façade for other purposes,” Steinberg added. “Some sources indicate that security and private entities in Israel are requesting to conduct in the Technion research whose results are not intended for publication. Hopefully, sensitive information didn’t leak as a result of the attack.”
This isn’t the first attack targeting an academic institute in Israel. In 2021, Bar-Ilan University also fell prey to a ransomware attack in which hackers demanded around $2.5 million.
The university refused to pay the sum, resulting in the hackers leaking hundreds of thousands of personal records of students and academic faculty. The cyberattack was reportedly carried out by an Iran-linked hacker group known as Agrius.
According to data from cybersecurity firm Checkpoint, Israeli educational institutions are targeted by hackers 3,383 times per week on average, twice as often as other organizations.
The company explained that educational organizations are a preferred target for hackers due to the valuable personal data they hold and relatively scant investment in cybersecurity.
==============================================
Cyberattack Targets Israel’s Technion University
February 14, 2023 – 09:12
TEHRAN (Tasnim) – A top Israeli technology school and a center for cyber security education came under a ransomware attack by a group of hackers.
The attack on the Technion University came nearly a fortnight after a massive cyberattack targeted Israeli chemical companies operating across the occupied territories.
According to the Walla news site, the cyberattack was carried out by a group called Darkbit, which demanded 80 bitcoins from Technion, which is equivalent to $1,747,971.
The group has also said that the amount will go up by 30% if the ransom is not received within 48 hours.
“You will receive a decrypting key after the payment. Notice that you just have 48 hours. After the deadline, a 30% penalty will be added to the price. We put data for sale after 5 days,” DarkBit wrote in a message on the university website.
“We’re sorry to inform you that we’ve had to hack Technion network completely and transfer all data to our secure servers. So, keep calm, take a breath and think about an apartheid regime that causes troubles here and there,” DarkBit group wrote in the mail.
“They should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes against humanity, killing the people … and destroying the future and all dreams we had. They should pay for firing high-skilled experts,” the hacker group further mentioned.
The group also shared a TOX messenger ID through which individuals can contact them to recover their personal files. DarkBit has claimed that the files are encrypted using AES-256 military-grade algorithm.
“Any try for recovering data without the key (using third-party applications/companies) causes permanent damage,” DarkBit wrote.
The university said it is postponing scheduled exams due to the ransomware attack, but classes will continue as usual. Its website remained inaccessible at the time of writing.
Back on January 30, a group of hackers launched a massive cyberattack on Israeli chemical companies, warning their engineers and workers to quit their posts before they suffer severe repercussions of the Tel Aviv regime’s relentless violence against Palestinians.
“Our message to chemists working in the chemical factories is to leave their job, look for a new one, and take refuge in a place where we are not present. This is while we have a strong presence anywhere,” Russia’s Arabic-language RT Arabic television news network cited the message published by the Electronic Quds Force.
It added, “We confirm that your work in chemical factories poses danger to your lives; however, we will never hesitate to melt your bodies with chemicals next time an act of aggression is perpetrated against Palestinians.”
===================================================
New cybercrime group calling itself DarkBit attacks Israeli university
It’s not yet clear who is behind the group, but the name could have connections to other ransomware variants such as DarkSide and LockBit.
FEBRUARY 13, 2023
A general view taken from the Mount of Olives shows an Israeli flag with houses in Jerusalem’s predominantly Arab neighbourhood of Silwan appearing in the background, on January 2, 2023. (Photo by AHMAD GHARABLI/AFP via Getty Images)
A previously unknown cybercrime group attacked an Israeli technical university over the weekend, demanding $1.7 million in bitcoin as payment for what the attackers claim are the Israeli government’s “lies and crimes” ranging from occupation to war crimes to tech layoffs.
The Israel Institute of Technology, also called Technion, announced the attack on Twitter midday Sunday, and on Monday tweeted that the school remained “under a challenging cyber attack,” calling it a “complex event,” according to a Google translation. Around the same time, the online malware repository vx-underground posted a photo purporting to show the ransom note in which the group identified itself as “DarkBit” and demanded 80 Bitcoin.
[Image posted to the DarkBit Telegram channel]
The school said Monday services were slowly returning to normal, but its website remained inaccessible Monday morning U.S. time. The school said in one of its tweets that it had “proactively blocked all communication networks.”
DarkBit launched a Telegram channel on Saturday and claimed responsibility for the attack on the school, calling it “the technological core of an apartheid regime,” and threatening more attacks on entities affiliated with Israel. It’s not yet clear who is behind the group. The name could be seen as an amalgamation of older, established ransomware variants DarkSide and LockBit, and the demand of 80 Bitcoin follows an established ransomware pattern. But the ransom note seems designed to evoke the appearance of hacktivism, with the references to war crimes and occupation.
Gil Messing, spokesperson at Israeli cybersecurity company Check Point, told CyberScoop in a statement that the company believes DarkBit “are linked to a different ideological group with possible connections to Iran” based on both technical and non-technical factors. Messing noted the creation of the Telegram channel the day before the attack, as well as hacking into and manipulating the school’s LinkedIn account:
[Screenshot of a post made to the university’s jobs page on LinkedIn (Check Point)]
“While this attack had the characteristics of a ‘usual’ large scale ransomware attack (asking for 80btc to release the encrypted files), the way the group delivered their message and the overall political sentiment they used, and the threats, make us believe it’s ideologically driven and not a pure financial ransomware attack,” Messing said. “We expect them to continue to threaten the leakage of information, and also possibly act on the threat, in an attempt to embarrass the university and threaten its faculty, students and partners.”
Israel’s education sector is targeted roughly 3,400 times per week, compared to 1,600 per week for the overall national average, Messing noted, and universities there have been targeted by ideological hackers from Iran in the past.
“The university is a quality target for hackers and they are still in the process of understanding the scope of the attack, which servers are impacted and what data is encrypted,” he said. “This will take some time before the full picture becomes clearer.”
==================================

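*Important notice* The Technion is under a cyber attack. The scope and nature of the attack are under investigation. To carry out the process of collecting the information and handling it, we are being assisted by the best experts in the field, inside and outside the Technion, and are coordinating with the competent authorities. At this stage, the Technion has proactively blocked all communication networks.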
================================

*Update notice* Greetings to the Technion community. The Technion is under a challenging cyber attack. This is a complex event, and the return to full routine will take time.
================
DarkBit (.Darkbit) ransomware virus – removal and decryption options
Also Known As: DarkBit virus
Type: Ransomware
Written by Tomas Meskauskas on February 14, 2023
https://www.pcrisk.com/removal-guides/26015-darkbit-ransomware
Dear Colleagues,
We’re sorry to inform you that we’ve had to hack Technion network completely and transfer “all” data to our secure servers.
So, keep calm, take a breath and think about an apartheid regime that causes troubles here and there.
They should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes against humanity,
killing the people (not only Palestinians’ bodies, but also Israelis’ souls) and destroying the future and all dreams we had.
They should pay for firing high-skilled experts.
Anyway, there is nothing for you (as an individual) to be worried.
That’s the task of the administration to follow up our instruction for recovering the network.
But, you can contact us via TOX messenger if you want to recover your files personally. (TOX ID: AB33BC51AFAC64D98226826E70B483593C81CB22E6A3B504F7A75348C38C862F00042F5245AC)
Our instruction for the administration:
All your files are encrypted using AES-256 military grade algorithm. So,
1. Don’t try to recover data, because the encrypted files are unrecoverable unless you have the key.
Any try for recovering data without the key (using third-party applications/companies) causes PERMANENT damage. Take it serious.
2. You have to trust us. This is our business (after firing from high-tech companies) and the reputation is all we have.
3. All you need to do is following up the payment procedure and then you will receive decrypting key using for returning all of your files and VMs.
4. Payment method:
Enter the link below
hxxp://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion/support
Enter the ID below and pay the bill (80 BTC)
–
You will receive decrypting key after the payment.
Notice that you just have 48 hours. After the deadline, a 30% penalty will be added to the price.
We put data for sale after 5 days.
Take it serious and don’t listen to probable advices of a stupid government.
Good Luck!
“DarkBit”