Cyber Incident Victim: BlackShadow
Date: Oct 2021
Location: Israel
Summary
The BlackShadow hacking group breached an Israeli hosting provider, stealing client databases and disrupting services for numerous organizations, including radio stations, museums, and educational institutions. The attackers demanded $1 million in cryptocurrency to prevent data leaks, released a sample of 1,000 records, and specifically exposed sensitive information from an LGBT platform, endangering individuals in conservative communities. Additional affected entities included a public transportation firm, broadcaster, travel agency, and children's museum. The Iranian state-sponsored group, previously linked to attacks on an Israeli insurance company, is believed to conduct retaliatory operations rather than financially motivated extortion. Cybersecurity authorities had issued prior warnings to the hosting firm about imminent attacks.
Description
On Friday, October 29, 2021, the BlackShadow hacking group breached Israeli web hosting and development firm Cyberserve, disrupting services and stealing sensitive client databases. Visitors attempting to access Cyberserve-hosted websites that day encountered errors or messages attributing the outages to a cybersecurity incident. BlackShadow claimed responsibility and issued a $1 million cryptocurrency extortion demand to Cyberserve and its customers, threatening to leak the stolen data unless paid within 48 hours of Saturday, October 30. Shortly after the ultimatum, the group leaked a sample of 1,000 records to demonstrate credibility. Among the compromised data was a database from Atraf, a prominent LGBT website, exposing the personal information of users in conservative communities and creating significant risks to their physical safety and mental health. BlackShadow escalated pressure by leaking videos of 50 Israelis from Atraf's user base after claiming the site's operators had not engaged in negotiations. Multiple Cyberserve-hosted websites remained inaccessible for days after the attack, including Atraf, the Kavim (Dan Bus) public transportation service, the Kan public broadcaster, the Pegasus travel agency, and the Holon Children's Museum, indicating prolonged operational disruption.

The National Cyber Directorate confirmed it had issued multiple warnings to Cyberserve about an imminent cyberattack in the days preceding the breach, though it remained unclear whether the company ignored these alerts or failed to identify the exploited vulnerability. BlackShadow, an Iranian state-sponsored group linked to the Pay2Key ransomware strain, has historically targeted Israeli entities, including a 2020 extortion attack against insurance firm Shirbit. Unlike conventional ransomware operations, BlackShadow’s activities are assessed as retaliatory acts within the Iran-Israel geopolitical conflict rather than financially motivated campaigns. Profero CEO Omri Segev Moyal characterized the incident as part of a cyclical "clandestine war," suggesting it may have been retaliation for an alleged Israeli cyberattack on Iranian gas infrastructure the prior week. Cyberserve’s ongoing service outages and BlackShadow’s selective data leaks underscored the incident’s operational and reputational impacts, particularly for Atraf’s at-risk user base, while highlighting systemic vulnerabilities in critical service providers.
