Is Iran behind the Black Shadow attacks and does it matter?

The latest attack was announced by the group last Friday, with Black Shadow claiming it had damaged Cyberserve’s servers.

A hacker is being depicted in this illustrative photo  (photo credit: Courtesy)
A hacker is being depicted in this illustrative photo
(photo credit: Courtesy)

As the Black Shadow hacker group announced its latest attack in recent days, the company involved was quick to point the finger at Iran, as other victims of the group had done in past attacks, but is Iran really the culprit in this case?

“Black Shadow is pure and simple financial attacks,” said Zohar Pinhasi, the CEO of the cybersecurity firm Monstercloud CEO to The Jerusalem Post. “Anybody can come up with a claim saying that this group came from this country, that group came from another country. It takes years of investigation [to locate these groups] and in some cases it is impossible.”

Pinhasi pointed to the case of an extremely active hacker group called SamSam which was eventually found to be run by Iran-based hackers after operating for a number of years, stressing that it took years for authorities to track down the cybercriminals, and even then it was only able to track them down after the hackers made a mistake and left a lead.

“They can say this country or another, but no one really knows where they are,” added Pinhasi about the Black Shadow attacks. “It is really rare that you find an event by INTERPOL or the FBI that they do a massive takedown, not just in the digital world but in the physical world, to the point where they are actually arresting people. It is very hard to locate those individuals.”

Einat Meyron, a cybersecurity consultant, expressed agreement that it was unlikely that the group’s identity was known yet, stating that “first off, in this kind of attack, the identity of the attacking group is less important,” adding that the targeted companies find it important to attribute these attacks to Iran for “insurance and reputation reasons.”

“In practice, whether it is Iranians or Swiss people, there is no need to make it easier for the attackers by refraining from exercising basic defenses and acting with the mindset that it will not happen or that in the worst case the state will help.”


Meyron stressed that even if the hackers live in Iran, it is “necessary to prove beyond any doubt that this is a group that operates on an Iranian mission and is not just associated with the country. This proof in itself is not trivial because of the spoofing effect well-known in the world of intelligence and usually identified with Russia.”

The cybersecurity consultant added that it is unlikely a group working for the Iranian regime would “waste energy” on records from random sites and would instead aim to cause significant infrastructure damage, even if it was more complex and took longer.

“On the other hand,” said Meyron, “we must not forget that there is always the possibility that the Black Shadow activity is a smokescreen for much higher quality and much deeper activity, whether as a deliberate proxy or as a spoofing proxy of other attack groups.”

Black Shadow’s most recent attack targeted the web hosting company Cyberserve, leaking data from the gay dating app Atraf, the Dan bus company, 103FM radio, the Trip Guaranty travel insurance company, and the Mor Institute for medical data, among others.

The leaked data includes flight details, addresses, emails, phone numbers, HIV status and birth dates, among other personal details.

The latest attack was announced by the group last Friday, with Black Shadow claiming it had damaged Cyberserve’s servers.

Black Shadow is responsible for previous attacks against Israeli companies, such as vehicle insurance company Shirbit and finance company KLS. In those attacks, the companies affected claimed that the group was Iranian, despite cybersecurity experts rejecting the claims.

The latest Black Shadow attacks came not long after the Moses Staff hacker group appeared for the first time, as it leaked photos and documents from an alleged cyberattack on the Defense Ministry.

Since first appearing, Moses Staff has claimed that it has successfully conducted a cyberattack on three Israeli engineering companies and the offices of tax processing companies. The data leaked include projects, ID cards, tax documents, maps, contracts, pictures, letters and videoconferencing images.

Unlike Black Shadow, Moses Staff has not made any demands for money or anything else.

Moses Staff’s website claims that the group has hacked over 165 servers and 254 websites and compiled over 11 terabytes of data, including Israel Post, the Defense Ministry, files related to Defense Minister Benny Gantz, the Electron Csillag Company and Epsilor.

Concerning whether the Moses Staff hackers are actually a new group, Pinhasi stated that hacker groups often wear multiple hats, meaning that the group may be older than it seems, but may have used a different name in the past.

Pinhasi added, however, that it is still too early to know if Moses Staff or Black Shadow are just different names for another group, and that Monstercloud is collecting cyber intelligence around the attacks in order to protect its customers.

The Monstercloud CEO pointed to how ransomware attacks have changed, saying that while in the past, victims of these attacks would either pay or not pay and that would be the end of it, in recent years, hackers have started conducting so-called doxware attacks, threatening to leak data if they are not paid.

“With that said, paying the ransom, or paying at all, against doxware, does not guarantee anything,” stressed Pinhasi. “Because we have had cases where the victim paid and his data was exposed regardless.”

Cyber Hackers (credit: REUTERS)Cyber Hackers (credit: REUTERS)

Pinhasi added however that theory is theory and reality is reality. “Think about it this way. If you have a company with 50 employees, you have worked since the age of 25, you built a company, you invested your blood, sweat and tears in that company. One day you wake up in the morning, nothing. You can’t even gain access physically to the office because your fobs are not working. Now tell me, the person on the other side wants $100,000. Would you close the company and say ‘ah, everyone says don’t pay I’m just going to drop everything?’ There’s reality involved in this kind of situation.”

Pinhasi added that cyberattacks happen in Israel on a daily basis, but just are not publicized because “no company wants to expose themselves.”

“In Israel, there were multiple attacks against major companies in the public sector along with government agencies that were attacked in successful attacks that you have not heard on the news,” said Pinhasi. “If you had a company with 100 employees, would you go out in public and say ‘we got hacked and all the information of our customers is currently at risk’? You don’t want to do that.”

Pinhasi stated that, at the end of the day, the responsibility for attacks lies on companies themselves, not the government. “If the local IT guy or the company which services the customer that got attacked are not doing their job and they are leaving everything exposed or they’re not monitoring the network from a security standpoint, the government has a limit to what it can do. At the end of the day, security falls on the company.”

The Monstercloud CEO stated that most attacks occur due to human errors by companies and their IT staff, who often think that while vulnerabilities exist, attacks they hear about in the news will not happen to them. “There are other things that can cause this type of attack, but most of the attacks that we see are caused by lack of knowledge from the IT person, lack of knowledge from the IT company, on how to maintain proper security. That is what those criminals are riding on.”

“Don’t just invest in sophisticated hardware and software,” advised Pinhasi. “You need to invest in people, in the IT guy, send him to some courses that can enrich his knowledge in security. In the past, you could just hire an IT guy. Today he needs to have some kind of security background.”

Meyron added that Black Shadow’s method of operation provided a great opportunity for everyone to learn a little more about how cyberattacks work, knowledge which was not so widespread up until recent years.

“The ability to create an agenda through sarcastic messages that create in us a need for an almost Pavlovian response that provides the attitude they expect and even more so at a time convenient to them, but less convenient for Israeli citizens, [such as] weekends, holidays [or] late-night hours, is one of the pressuring tactics that hackers routinely apply and in this case are exposed to us in a completely transparent way,” said Meyron.