Several Israeli companies were served ransom notes on Saturday night by a hacker group called Black Shadow. The targets included the LGBTQ dating app "Atraf", the Kavim bus company, the Pegasus tour booking company, and the Israeli Children’s Museum, and some of them have already had their first data leaked. On Friday, the group announced they had hacked into the Israeli Internet company Cyberserve and turned off its servers, and threatened to leak the stolen data. Right now, there are no clear terms of ransom payment from Cyberserve.
The group began by leaking data from the bus app Kavim after the app's owners failed to pay the ransom, and threatened to leak more. The first data was exposed on Telegram in the form of a photo of what appeared to be a database containing personal information such as names, email addresses, and phone numbers of Kavim's Israeli clients.
Later that day, the actors took to Telegram again to announce they held data belonging to another platform developed by Cyberserve, the LGBTQ dating service Atraf. The hackers said they would leak the information if the ransom was not paid within 48 hours. The data trove supposedly held private details of some one million people, including chat content, event ticket and purchasing information, and more. Of course, this was worrisome, since no LGBTQ user would want their sensitive data exposed.
“If we have $1 million in our wallet in the next 48 hours, we will not leak this information and also we will not sell it to anybody. This is the best thing we can do,” said the Black Shadow group on a now-removed Telegram channel. “Atraf’s team did not contact us for any deals yet so we collected 50 famous Israeli [...] and we leak their videos [...],” they further wrote, and they demanded $500 for access to the data.
Some Atraf user names and their locations have already been posted online, as well as the HIV status that some users had on their profiles. “The thought that a person’s HIV positive status can be revealed not by their choice worries us very much,” declared the Israel AIDS task force.
The CEO of the Association for LGBTQ Equality in Israel told AFP his organization extended its emergency hotline hours to deal with a wave of worried callers and is working with various groups to reduce the damage. "They are exposed, and if they are in the closet, they are exposed to situations they never knew before," he said. A spokeswoman for the government-funded Israel National Cyber Directorate said her office warned Cyberserve "several times" it was vulnerable to attack.
Black Shadow is also responsible for hacking into other companies, such as Shirbit and KLS. At the time, in December 2020, the Shirbit attack was the largest in the history of Israeli companies, compromising the private files of the company’s Israeli customers, including marriage certificates, financial documents, identity card scans, and medical documents.
According to some affected companies, the group is part of the Iranian actors scene. This places it in the midst of a persistent conflict between Israel and Iran that has played out in cyberspace, with Black Shadow’s hack occurring only three days after a cyberattack caused the pumps at Iranian gas stations to stop working. According to reports, Israel hacked Iran’s Shahid Rajaee Port in May 2020 to retaliate against Iran for its supposed attempt to break into Israel’s water supply system the month before.