Black shadow hits cyberserve and LGBTQ+ dating app client


Cyberserve, an Israeli web hosting company, has been hit with a cyber attack by Black Shadow, a threat group widely reported to be Iranian, taking down the sites and exposing sensitive data of a wide variety of its client companies, including the PII of around a million users of Atraf, an LGBTQ+ dating app, including names and geo-location.

The latest attack was announced by Black Shadow on Friday, the group claiming it had managed to damage Cyberserve's servers and, in doing so, to compromise both Cyberserve itself and the client companies across industries that rely on its servers and data storage.

On Sunday, Black Shadow demanded a ransom of 1 million dollars within 48 hours, failing which the group would begin to sell and leak more of the sensitive information it had exfiltrated from the dating app's database. The group claims that since neither Cyberserve nor the Israeli government has contacted it regarding the ransom demand for Atraf, "it is obvious this is not an important problem for them", and is therefore demanding that the public foot the bill instead.

"We know everybody is concerned about 'Atraf' database. As you know we are looking for money," the threat group said on its Telegram messaging app channel. The group claims that if it receives the ransom amount, it will not leak the information of about one million people it collected from Atraf. The hackers claim they have leaked only 1 percent of the total exfiltrated data so far.

Other companies affected by the breach include the public transportation companies Kavim and Dan, a tour booking company called Pegasus and the Israeli Children's Museum, although the threat group has made no promise for the data taken from these other companies similar to the one it made for Atraf.

On Saturday, Black Shadow leaked data acquired from Kavim, including PII such as customer names and email addresses. The bus company issued a statement confirming that it was aware of the breach and had alerted the Israeli Transport Ministry and the National Cyber Directorate. It also said it had "hired external professionals in the field to complete a comprehensive, professional and independent investigation into the incident".

What should victims do? 

Both Aguda, the Association for LGBTQ Equality in Israel, and the Israel Internet Association have jointly advised victims of this latest cyberattack to:

  • Change their account usernames and passwords
  • Make sure to use strong passwords
  • Contact the police if confronted with ransom demands or blackmail from threat actors
  • Notify the social media platform if their information has been posted on social media, so the platform can deal with it

Both Aguda and the Israel Internet Association also stated that “The natural human tendency may succumb to the demands of the attackers, but past experience shows that there is no guarantee that the personal content will be removed. Moreover, it is an opening that may lead to additional ransom demands”. 

Also on the ransom demands, Yoram Hacohen, director-general of the Israel Internet Association, said on Sunday that "Under no circumstances should you submit to the demands of the attackers", adding "There is no guarantee that if the amount is paid the information will not be published and more importantly such a surrender will lead to further and increased attacks due to what is perceived by them as an achievement".

He went on to say that “if private surfers receive messages with demands for payment of ransom they must immediately report it to the police and not take any action beyond that”.  

He also stated that “What needs to be done now is to refine online safety and privacy regulations and provide all the support, physically and mentally, to those about whom information has been revealed”. 

For further support, those affected in the LGBTQ+ community can contact a hotline set up by the Aguda. The hotline operates Sunday to Thursday, between 5pm and 7pm and between 7.30pm and 10.30pm, at *2982 and also on WhatsApp at 058-620-5591.

The Black Shadow threat group 

Yigal Unna, the head of the National Cyber Directorate, told Army Radio on Sunday that Black Shadow appears to be a criminal group with an “anti-Israeli scent”. 

Black Shadow is the threat group previously responsible for attacks on Shirbit, an Israeli vehicle insurance company, and KLS, an Israeli finance company. While these companies claimed that Black Shadow is an Iranian threat group, a number of cybersecurity experts rejected that attribution.

At the time of the Shirbit cyberattack, Zohar Pinhasi, CEO of the cyber security service MonsterCloud and a former IT security intelligence officer in the Israel Defence Forces (IDF), told The Jerusalem Post that claims that Black Shadow's primary goal was to strategically hurt Israel rather than financial gain were "nonsense".

Pinhasi further elaborated that “Pandora’s box has opened and now the company is trying to downplay the severity of the hack and frame it as a matter of ‘national security’ to prevent damage to their reputation and come out as alright with the regulator and customers”. 

Meanwhile, regarding this most recent attack by Black Shadow, Einat Meyron, a cybersecurity consultant specialising in cyber resilience, stated that "the identity of the attacking group is a little less important", saying companies wanted to attribute the attack to Iran for "insurance and reputation reasons", and emphasised that in practice "there is no need to make it easier for attackers by refraining from exercising basic defenses".

Meyron further said that while "it is necessary to prove beyond any doubt that this is an Iranian group", even "an Iranian attribution does not necessarily indicate it was an 'Iranian mission.'", considering it unlikely that an Iranian nation-state actor would "waste energy" on data from random sites rather than attack critical infrastructure.

Reportedly, the Israel National Cyber Directorate said it had previously "warned Cyberserve multiple times" that it was vulnerable to the type of attack Black Shadow deployed.
