
Cyber Incident Victim: Shirbit Insurance Company Ltd.

Date:

Nov 2020

Location:

Israel

Summary

A cybercrime group named BlackShadow breached an Israeli insurance firm, exfiltrating sensitive data including documents, email archives, scanned files, passport images, and audio recordings. The attackers leaked portions of the stolen data via Telegram and demanded 50 bitcoins (approximately $1 million) to cease further disclosures, threatening incremental leaks every 24 hours without payment. Security researchers assessed the ransom demand as a potential publicity stunt, expressing skepticism that payment would halt data dissemination. The incident occurred amid heightened cyber tensions in the region, with prior Iranian-linked threat activity targeting Israeli entities using ransomware-as-a-service tools like Thanos, though no direct attribution was confirmed for this attack.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On November 30, 2020, the BlackShadow hacking group publicly claimed responsibility for a cyberattack against Israeli insurance company Shirbit via a Twitter announcement. The group stated they had compromised Shirbit’s network infrastructure and exfiltrated sensitive data. Following the initial breach disclosure, BlackShadow established a dedicated Telegram channel to systematically leak stolen company files, including internal documents, email PST archives, scanned records, audio files, and passport images. The leaks occurred incrementally over several days, escalating pressure on the victim organization. On December 3, BlackShadow issued a formal ransom demand, giving Shirbit 24 hours to pay 50 bitcoins (approximately $1 million at the time) to halt further data disclosures. The threat actors warned they would continue leaking batches of data every 24 hours if the payment was not made to Bitcoin wallet address 13YiK3qHxTdGcD6nfCf7vWXFgWXnbpJvy2. As of December 4, blockchain records showed no transactions to the specified address.


Israeli cybersecurity firm Profero assessed the ransom demand as a probable publicity stunt, asserting the attackers were unlikely to cease data leaks even if paid. While no direct attribution was confirmed, the incident occurred amid heightened cyber tensions between Israel and Iran. A separate October 2020 report by Profero and ClearSky Cyber Security had documented Iranian threat actor MuddyWater—linked to the Islamic Revolutionary Guard Corps—planning destructive attacks against Israeli targets in September using phishing or CVE-2020-0688 exploits to deploy malicious payloads disguised as Google Updaters. These payloads included Thanos ransomware, distributed via a ransomware-as-a-service model where developers took 30% of ransom payments. Israeli defenses successfully thwarted MuddyWater’s September operations, though cybersecurity firms anticipated follow-up attacks. The Shirbit breach demonstrated continued adversarial activity against Israeli entities, with BlackShadow’s campaign combining data theft, extortion, and public shaming tactics.

Sources
Sources available to members
1 source