Cyber Incident Victim: Cyberserve
Date: Oct 2021
Location: Israel
Summary
BlackShadow, an Iranian state-sponsored hacking group, breached an Israeli hosting provider, compromising client databases and disrupting services for numerous organizations including radio stations, museums, and educational institutions. The attackers extorted the company and its customers, demanding $1 million in cryptocurrency and leaking a sample of 1,000 records, which included sensitive personal data from an LGBT platform exposing individuals to potential harm. The incident, linked to retaliatory motives in the ongoing Iran-Israel cyber conflict, caused prolonged website outages and followed prior warnings to the hosting firm about imminent attacks.
Description
On October 29, 2021, the Israeli web hosting and development company Cyberserve suffered a disruptive cyberattack attributed to the BlackShadow hacking group. The incident began with widespread service disruptions affecting numerous client websites, including local radio stations, museums, educational institutions, and public-facing organizations. Visitors attempting to access Cyberserve-hosted sites encountered errors or messages indicating a cybersecurity incident. BlackShadow publicly claimed responsibility for the breach and issued extortion demands, threatening to leak stolen data unless Cyberserve and its customers paid $1 million in cryptocurrency within 48 hours. The group leaked a sample of 1,000 records shortly after the announcement to substantiate their claims. Among the compromised data was a database from 'Atraf,' a prominent LGBT website, raising significant safety concerns for individuals in conservative communities due to risks of physical and psychological harm. BlackShadow further escalated threats via Telegram, leaking videos of 50 Israeli users after claiming Atraf’s operators had not engaged in negotiations.

The attack impacted critical infrastructure and services, including the Kavim (Dan Bus) public transportation firm, the Kan public broadcaster, the Pegasus travel agency, and the Holon Children’s Museum, many of whose websites remained inaccessible days later. Israel’s National Cyber Directorate confirmed it had issued multiple warnings to Cyberserve about an imminent cyberattack in the days preceding the incident, though it remained unclear whether the company ignored these alerts or failed to identify the exploited vulnerability. BlackShadow, identified as an Iranian state-sponsored group with ties to the Pay2Key ransomware, historically targeted Israeli entities, including a 2020 extortion campaign against Shirbit Insurance. Cybersecurity analysts characterized the attack as retaliatory, linking it to geopolitical tensions following an earlier incident targeting Iranian gas infrastructure. Cyberserve’s response efforts focused on restoring services, with no public confirmation of whether extortion demands were met. The data breach and prolonged outages underscored operational vulnerabilities and the heightened risks to marginalized communities from politically motivated cyber operations.
