Written by AJ Vicens
In October, a little-watched group of hackers called Black Shadow went public with data it appeared to have stolen from an Israeli LGBTQ dating app, stunning users in what was apparently intended as a message.
The breach stemmed from a major incident at Cyberserve, a web hosting company that also hosted confidential information from the Machon Mor Medical Institute – including medical data on around 290,000 patients – and from other companies holding information about Israeli citizens. While the international media sorted through the aftermath of the break-ins, security researchers reminded observers that the same group had attacked Shirbit, an Israeli insurance company, in December 2020, issuing a series of escalating ransom demands that led analysts to suspect the attackers weren’t motivated by money at all.
Instead, experts now say the recent surge in activity by Black Shadow – a group that is still surrounded by mystery despite acting in ways consistent with the interests of the Iranian government – is the latest evidence of an expanding conflict between Iranian actors and outside adversaries, especially Israel. While both sides have reportedly used hacking resources for data theft and conventional espionage, Black Shadow appears to be an attention-grabbing effort that is more akin to an intelligence operation, experts say.
The fact that the group published data from the LGBTQ dating site Atraf such as user account names and passwords, along with users’ sexual orientation and HIV status, betrays the intent of the attack, experts say.
“You are amazed at the high sensitivity of the information they tried to publish,” said Lionel Sigal, a former Israeli intelligence official and current head of cyber threat intelligence at CYE, an Israel-based cyber security firm.
The model of combining hacking with information operations apparently aimed at creating embarrassment or swaying public opinion is not new. That the Black Shadow incidents roughly coincided with a simmering digital conflict between Iran and Israel – a large number of petrol pumps in Iran were hacked and taken offline in late October, apparently to stoke anger at the government – brings new lessons.
“It’s a strategic way countries can send messages to each other or create some kind of deterrent,” Sigal said. “I think it’s a growing phenomenon.”
Black Shadow’s approach seems straightforward: hack targets that have some connection to the Israeli government or whose data could be used to terrorize Israeli citizens, announce the breach in a way that draws maximum media coverage, then demand a ransom that grows exponentially over a short period of time.
The key to the approach is publishing the data, either on websites or through Telegram channels. The Israeli government has successfully lobbied the chat platform to remove some accounts, but others quickly reappear under different names.
The group is believed to operate in partnership with the Iranian government, Sigal and others say, as part of the constant back-and-forth between the two countries that includes both cyberattacks and physical actions.
A website allegedly run by Black Shadow posts data that appears to have been stolen in the group’s hacks, such as an entry dated Nov. 18 containing personal identification data of Israelis taken from the old Shirbit breach. According to internet registration records, the site was originally registered in 2016 but went inactive in November 2017. It was rebuilt in May of this year, began posting links to download data stolen in the group’s hacks, and remains accessible.
An attempt to contact the group using information posted on the website was unsuccessful.
The group is one of a number of hacking groups that appear to be based in Iran.
Amitai Ben Shushan Ehrlich, a threat intelligence researcher at cybersecurity firm SentinelOne, said Black Shadow was “one of several” blackmail aliases used by a group the company calls “Agrius,” which carried out a series of attacks, some of them elaborate, against mainly Israeli targets starting in 2020.
Microsoft’s Threat Intelligence Center on November 16 published research documenting “a gradual evolution” of malicious Iranian hacking activity. Such hackers, including the Black Shadow group, are increasingly using ransomware either to raise funds or to disrupt targets, Microsoft analysts noted, while showing more patience and persistence.
Microsoft’s research concluded that Iranian hackers are becoming “more competent threat actors” who can carry out attacks in different ways and for different purposes.
In September, another group called “Moses Staff” emerged using similar tactics, according to the Israeli company Check Point. The messages from this group were explicitly political and carried no ransom demand. Check Point said Moses Staff had some similarities with Black Shadow and with another group called Pay2Key.
“It’s all the same,” said Omri Segev Moyal, the CEO and co-founder of the Israeli security company Profero.
The way Black Shadow courts media attention and selects its targets makes it an intelligence rather than a military operation, Moyal added.
The group, like other named hacking groups believed to be associated with nation-states, gives governments plausible deniability. “Cyber attribution is difficult, but in this case it looks like it [Iran],” said Moyal.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency – along with the FBI and top agencies in the UK and Australia – warned on November 17 of an Iranian government-sponsored hacking group that is exploiting known vulnerabilities in targets around the world, including in the US and Australia.
The hack-and-leak aspect of the group’s activities can be devastating, Sigal said. The LGBTQ data may have outed people against their will and also includes the HIV status of some users. The context of the activity, he said, “is the context of the war.” While Iran-backed organizations have in the past carried out physical attacks on Israeli targets, such as bombing a bus, this type of Black Shadow attack targets civilians in a different way.
The US government has also accused Iran of targeting US citizens directly.
The Justice Department on November 18 unsealed charges against two Iranians accused of stealing private US voter registration data and targeting some voters with emails threatening violence if the recipients did not vote for Donald Trump. The emails, purporting to come from the Proud Boys, a violent right-wing nationalist organization, were a relatively straightforward part of a sprawling plan to meddle in the 2020 US election, prosecutors said.
Similarly, Black Shadow’s activities appear immature to some experts. The group’s operations are not as sophisticated or complex as those of other government-backed groups, even Iranian ones, Moyal said. From a technical point of view, the group’s capabilities are “super weak,” he said. “They are not intelligent at all,” he added; they typically search for known vulnerabilities in products from commercial vendors like Fortinet and Microsoft.
Ari Eitan, vice president of research at cybersecurity company Intezer, agreed that the methods are not mature. “Despite the fact that it looks like they’re doing a lot of damage, I like to think that they’re basically script kiddies with good PR,” he said.