Cyber Incident Victim: Habana Labs

Date: Dec 2020

Location: Israel

Summary

Habana Labs, an Intel-owned AI processor developer, suffered a cyberattack by the Pay2Key ransomware group, resulting in stolen data including Windows domain accounts, DNS zone information, Gerrit development system file listings, business documents, and source code images. The attackers issued a 72-hour ultimatum to halt data leaks, with cybersecurity firms attributing the operation to Iranian threat actors based on ransom payment tracing to Iranian Bitcoin exchanges. This incident aligns with a broader campaign targeting Israeli businesses, as evidenced by overlapping indicators of compromise with attacks on other companies like Amital, though the primary motive appeared disruptive rather than financial.

Description

On December 13, 2020, the Pay2Key ransomware operation publicly leaked data stolen from Habana Labs, an Israeli developer of AI processors that Intel acquired in December 2019 for approximately $2 billion. The attackers compromised Habana Labs' systems and exfiltrated sensitive information, including Windows domain account credentials, DNS zone configuration data for the company's domain, and file listings from its Gerrit code review platform. Pay2Key operators additionally leaked business documents and source code images on their data leak site, accompanied by a threat giving Habana Labs "72hrs to stop leaking process." While the exact ransom demands remained undisclosed, cybersecurity analysts noted that the attack's timing and targeting aligned with a broader campaign against Israeli entities rather than with purely financial motives.

The incident occurred amid a surge of Pay2Key ransomware attacks against Israeli organizations throughout November 2020, as documented by cybersecurity firms Check Point and Profero. Profero attributed Pay2Key to Iranian threat actors after tracing ransom payments to Iranian Bitcoin exchanges.

Concurrently, Israeli media reported a separate supply chain attack involving the compromise of shipping software provider Amital, which led to breaches at forty client organizations. Investigators from Profero and Security Joes linked technical indicators from the Amital and Habana Labs incidents to prior Pay2Key operations. Profero CEO Omri Moyal issued warnings to Israeli companies about expected escalation in Iranian cyber operations, urging enhanced network defenses.

Habana Labs did not publicly respond to inquiries about containment measures or operational impacts. The leak of domain credentials and development infrastructure data posed significant risks to Habana Labs' intellectual property and internal security posture, though specific business disruptions were not quantified.

Separately, another Iranian-linked group named BlackShadow executed a similar data theft and extortion attack against Israeli insurer Shirbit during the same period, though no confirmed connection to Pay2Key's activities was established.