What is the story?
The Israeli insurance company Shirbit is still in the midst of a severe and rare cyber attack. We learned about this on December 1 from an official statement revealing a “Shirbit data breach” event, issued jointly by the Israeli National Cyber Directorate and the Ministry of Finance’s Capital Market, Insurance and Savings Authority. The mere fact that such a joint statement was issued is very unusual in itself.
Why is this important?
The hackers managed to break into Shirbit’s computer network and steal large amounts of data – hundreds of megabytes, if not many, many more – from the company’s servers. They got hold of employee payroll records and customer claims – including insurance appraisers’ reports and hospital records, for example – as well as a number of customer ID cards.
Since then, the attackers have gradually leaked more and more information to the Internet, a technique known as “data dumping” or just dumping. Each such dump exposes more personal information and makes the challenge of containing the breach much more difficult. The dumps are also meant to increase the pressure on the victim to pay.
Just two days after the attack, the hackers sent a ransom message asking for 50 bitcoins – just shy of $1 million – in return for stopping the leaking of stolen information online. The hackers said they would double the ransom if it was not paid on time, and then double it again in another 24 hours.
Israeli government bodies are also involved in handling the incident, as Shirbit insures many civil servants, and detailed personal information about a judge has already surfaced online.
On Saturday morning, after the second deadline expired, the attackers announced another dump, which included credit card numbers, including their expiration dates – but not the three-digit “card verification value” number on the back. “We are doing what we said,” the hackers wrote on their Telegram channel, which along with their Twitter account has emerged as their main means of communication. They continued to threaten, writing: “Shirbit… END!” They also said they still had dozens of terabytes of Shirbit files.
How did they do it?
Short answer: We do not know yet. But research by Israeli cyber-intelligence firm Clear Sky Cyber Security shows that Shirbit’s protection systems are inadequate. For example, the company uses a remote-access VPN product called Pulse, which was found last year to have major vulnerabilities that allowed attackers to gain access to the network.
A VPN, or virtual private network, allows users to establish secure Internet connections and access websites that may be blocked. In the past, VPNs were used primarily to circumvent Internet restrictions, but during the coronavirus pandemic they emerged as a key remote-work solution, allowing workers to access a company’s closed systems from home. However, this also left many companies exposed.
All Shirbit had to do was download and install the patch for the Pulse VPN security hole. According to Clear Sky, Shirbit did not update the software. Clear Sky has uncovered other major problems with the insurance company’s networks, each of which it said could have been a gateway for the hackers – but so far this is still speculation.
What do hackers want?
All the experts, including those who were actually involved in dealing with the incident and who saw all the materials and details, say that at this stage all the signs show that the hackers do not really want money. They appear to be a group that launched the campaign for ideological and anti-Israeli reasons – and then discovered that they had hit the jackpot.
The ransom group has not been identified in previous attacks. Usually, the way a group works or even the techniques it deploys can be used to attribute attacks to certain actors. However, the way this group, Black Shadow, behaves is unlike other ransom cases. As a result, experts seem to see little reason to negotiate with them, because even if the ransom is paid, it is far from certain that the group will stop posting information on the Internet.
“Ransomware makers have a reputation to maintain,” said Jonathan Klinger, a lawyer specializing in Internet and information law, referring to what the industry calls threat actors or hacking teams. “Every such organization has a history and knows that if it is paid off it will not publish the files it stole – otherwise it will lose its credibility, and thus the opportunity to be paid next time.” The Shirbit attackers, on the other hand, seem to want to sow destruction and cause a PR embarrassment for the Israeli company. They could be amateurs, but they could also be a group with a foreign country behind them. For now, the former is the more common assessment.
Why is this important?
The Shirbit incident is important in two ways. First, its customers have suffered: people entrusted the company with their most sensitive information, and Shirbit failed to protect it. Now this information can be used to break into all kinds of online accounts, and the customers can become targets of spam, and even of extortion. Even more seriously, such information could give an advantage to terrorist groups or hostile intelligence agencies.
Second, the incident is very important from a general perspective: it reveals the inadequate level of information security at many Israeli organizations. Shirbit is under government supervision because it is an insurance company and provides services to the state. Therefore, it is supposedly required to follow the strict “cyber risk management” regulations set by the Capital Market Authority. But what good is a web site if it simply “blends in” with everything else out there?
Shirbit is in trouble. Its website has been down for days. It is spending huge sums of money on consultants and on restoring its computer systems from backups, as well as deploying new protection mechanisms. Following this week’s events, Shirbit will face a number of lawsuits, some of which have already been filed. The regulator will have to investigate the incident and draw its own conclusions, which will likely include penalties and sanctions for the insurance company.
Shirbit will also have to assess its own management and many senior executives may lose their jobs. But even worse than any of these things: The company will lose the trust of its customers.
What is the lesson?
Every CEO in Israel should look at the Shirbit affair and say, ‘This can happen to me.’ They should then convene a meeting of their senior management and discuss information security immediately. The board of directors should take this issue seriously. Finally, regulators – who jump on every other breach – need to start seriously overseeing organizations’ information security.