Black Shadow, the hackers who leaked thousands of documents containing the personal information of customers with Israel’s Shirbit insurance company in December, have now hacked the servers of K.L.S. Capital Ltd. as well, the group said in a Telegram post on Saturday.
On Saturday morning, the hacker group announced, “We are here to inform you a (sic) cyber attack against K.L.S CAPITAL LTD which is in Israel.
“Their servers are destroyed, and their client data is in our hands,” they added, saying that they waited 72 hours for the company to give them the 10 bitcoins they demanded as ransom for the information, but the company failed to pay them.
“We want to leak some part of their data gradually,” they said. “Part of our negotiation will be published later.”
A few hours before making the announcement, the group released purposely blurred photographs of the identification cards of two people who work with the company. A few minutes after the announcement, they released a few more documents and have since released dozens of additional documents including identity cards, letters, invoices, images, scanned checks, database information and more, including the personal information of the CEO of the company.
K.L.S. is a car financing company that has been around for over 17 years, employing some 20 people and with over 26,000 existing customers whose personal information could potentially be released due to the hack.
Later in the afternoon, Black Shadow released screenshots allegedly of their email conversations with the company, in which they demanded $10,000 in bitcoin within six hours as a way of having “good” negotiations and establishing trust, warning that they would release more data if they aren’t paid.
An email from the company to the hackers allegedly read: “My manager has an idea. Please confirm that Muhammad is NOT the prophet. If u r (sic) for money or not Muslim or not an Iranian proxy .. it is an easy task.”
The hacker group responded that they “just know MONEY!” and complained that the company was “wasting” their time.
The Privacy Protection Authority announced on Sunday that it was examining the details of the incident and its consequences in cooperation with all relevant parties. The authority may not approve the reactivation of K.L.S.'s systems until any concerns of further data leaks are removed. The authority may also require the company to personally update customers who may have been harmed or are likely to be harmed by the leak.
“We’re sadly not so ok. We took a heavy blow from Iranian hackers who apparently are seeking to attack the State of Israel and they care less about the money,” said K.L.S. CEO Omer Maman to The Jerusalem Post.
“Sadly they caused us a lot of damage, but it’s not something that we won’t know how to handle on the systems level and we’ll set up new systems soon that are more secure and, I hope, more protected, even though it’s difficult to handle such large budgets of such Iranian attackers.”
The CEO added that he is trying to contact every affected customer personally and to provide answers.
During Black Shadow’s last cyberattack, Shirbit also stated that the hackers had targeted them for nationalistic reasons, while the hackers themselves only stated that the attack was being conducted for ransom and some cybersecurity experts stated that the attack did not seem like cyberterrorism.
In December, in response to the Shirbit attack, Zohar Pinhasi, CEO of the ransomware removal and cyber security service MonsterCloud, told the Post that the claims that Black Shadow wanted to strategically harm Israel and is not looking for money were “nonsense.”
Also in December, the K.L.S. company reportedly received a warning that they had been breached and that their information may have leaked in a breach in a VPN service provided by Fortinet and Pulse that affected a number of companies, according to cybersecurity consultant Einat Meyron. A number of warnings about the VPN service have been published in the past two years.
"It's hard to come up with complaints to the Black Shadow group," said Meyron in regards to the cyberattack against K.L.S. "If companies hold sensitive customer information, without any means of protection and control, they'll pick up what's on the floor for them. It's that simple and sometimes it is what it is."
"The question arises why after the verification phase, companies continue to store the information in general and in such a negligent manner in particular. Is there no way to encrypt the folder? At least protect it with another password?" added Meyron.
The cybersecurity consultant also asked what safeguards were protecting K.L.S.'s systems against breaches, and whether and how the hackers were able to get as deep as they did into databases that are supposed to be classified and protected according to guidelines set by Israel's Privacy Protection Authority.
"Another question: are companies in the economy at all aware of the Privacy Protection Authority's requirements? Are they controlled by it?" asked Meyron. "Cyber attacks will happen and also succeed. It would be charlatanic to say otherwise, but early thinking and analyzing the unique risk aspects of cyberattacks that may materialize requires early thinking on how to avoid such unnecessary exposure and tailoring specific solutions to reduce risk realization."
A series of cyberattacks has been reported in Israel in recent months, including attacks targeting the Shirbit insurance company, the Amital software company, Ben-Gurion University of the Negev and Israel Aerospace Industries, with the full extent of the damage unclear in at least some of the cases.
In the Shirbit attack, thousands of documents containing personal information were leaked to the public by Black Shadow. The group also threatened to sell collections of data they said they stole from Shirbit to competitors and foreign governments. The National Cyber Directorate and Capital Market Authority worked with Shirbit in an attempt to solve the issue.
Despite the public leaks of thousands of documents, Shirbit insisted that only a “relatively small” number of documents were leaked and that the decision not to pay the ransom the hackers demanded was not from "financial considerations, but rather for the good of the customers," according to Israeli media. The company has many government employees among its clients.