'Black Shadow' hackers leak data from Israeli LGBT app

Black Shadow is responsible for previous attacks on Israeli vehicle insurance company Shirbit.

Cyber Hackers (photo credit: REUTERS)
Cyber Hackers
(photo credit: REUTERS)

The hacker group "Black Shadow" has leaked data from various Israeli companies, such as LGBTQ dating app "Atraf", Dan bus company and tour booking company Pegasus on Saturday night.

Earlier in the day, they leaked data from the Kavim bus app after previous threats. “They did not contact us ...So first data is here,” the group said on Telegram, affixing a photo of what appeared to be a database of Israeli citizens' personal information. “If you do not contact us, (sic) it will be more,” added the group.

Kavim released a statement on Saturday afternoon, explaining that they were aware of the security incident. “As soon as the incident became known to us, the company contacted the Transport Ministry, the Cyber Security Headquarters, and also hired external professionals in the field...to complete a comprehensive, professional and independent investigation into the incident.”

They also apologized to their users for the disclosure of their personal information and said they would work to prevent such incidents from reoccuring.

Illustrative photo of a cyberattack.  (credit: Wikimedia Commons)Illustrative photo of a cyberattack. (credit: Wikimedia Commons)

On Friday, the group announced that they had hacked into the servers of the Israeli Internet company Cyberserve, promptly turning them off and threatening to leak data.

Cyberserve is a web hosting company, meaning it provides servers and data storage for other companies across industries. The data seized by the Iranian hackers covers a wide variety of businesses: from travel bookings company Pegasus to the Dan bus company and even the Israeli Children’s Museum.

Among other things, Cyberserve is responsible for the development of “Atraf,” an LGBTQ dating site, that has been down since early Saturday; raising concerns that hackers may have access to sensitive information that could lead to sensitive information of site users being made public.

“Hello again! We have news for you,” the group said in a Telegram message. “You probably could not connect to many sites today. Cyberserve and their customers were harmed by us,” adding another ominous threat: “You must be asking – what about the data? As always, we have a lot. If you do not want it to be leaked by us, contact us soon.”

The Black Shadow hackers have yet to leak the troves of data they claim to have, though the websites breached have been offline since the attack was announced, as the hackers turned off the Cyberserve servers, thus disabling their clients’ websites.

Responsible for previous attacks on Israeli vehicle insurance company Shirbit and finance company KLS, the group demanded bitcoins as ransom and shut down the servers when Cyberserve failed to deliver payment. Its December 2020 attack of Shirbit was the largest cyberattack against an Israeli company at the time; Black Shadow had requested 50 Bitcoins (nearly $1 million at the time) as ransom.

A 2020 survey showed that Israeli companies paid out over $1 billion to hackers as ransom in 2020, with the 2021 figure expected to increase.

In previous attacks by Black Shadow, the companies affected claimed that the group was Iranian. Last year’s attack on Shirbit led to the publication of Israeli customers’ private files, including marriage certificates, financial documents, identity card scans and medical documents. The hackers also threatened to sell the data to intelligence agencies if payment was not met.

Cybersecurity consultant Einat Meyron stated in response to the most recent Black Shadow account that "the identity of the attacking group is a little less important."

"On the part of the attacked companies - for insurance and reputation reasons it is clear that they will want to attribute the attack to Iran. In practice, there is no need to make it easier for attackers by refraining from exercising basic defenses," added Meyron.

The cybersecurity consultant additionally stressed that "it is necessary to prove beyond any doubt that this is an Iranian group and it is neither trivial nor significant because of the effect of the slander and because an Iranian attribution does not necessarily indicate it was an 'Iranian mission.'"

Meyron further explained that it is unlikely that a group working for the Iranian regime would "waste energy" on records from random sites, but rather would aim to cause significant damage to crucial infrastructure.

In December, in response to the Shirbit cyberattack, Zohar Pinhasi, CEO of cyber security service MonsterCloud, told The Jerusalem Post that the claims that Black Shadow wanted to strategically harm Israel and is not looking for money were “nonsense.”

“This claim is repeated in every sector that is attacked and in every country. The hack is almost always first and foremost a ransom attack and on a financial basis. This is also the case in the Shirbit attack,” said Pinhasi, who is also a former IT security intelligence officer in the IDF, at the time. “The Pandora’s box has opened and now the company is trying to downplay the severity of the hack and frame it as a matter of ‘national security’ to prevent damage to their reputation and come out as alright with the regulator and customers,” he said.

Among their constant conflicts and clashes, Israel and Iran have traded blows in the cybersecurity space. Black Shadow’s attack comes just three days after Iranian gas stations were hit by a cyberattack that crippled gas pumps. Israel reportedly hacked Iran’s Shahid Rajaee Port in May 2020 as a counter strike for an attempted Iranian cyber strike on Israel’s water supply system the previous month.

It remains unclear if Cyberserve plans to pay Black Shadow’s desired ransom or how the hacker group plans to publicly leak the data.

Tzvi Joffre, Maariv Online and Jerusalem Post Staff contributed to this report.