Black Shadow hackers leak medical records of 290,000 Israeli patients

After releasing full database of LGBTQ dating website, Iran-linked group publishes directory from Machon Mor medical institute including information on treatments and appointments

Illustrative: Hadassah Ein Kerem medical staff work in the coronavirus ward of the hospital in Jerusalem, on August 25, 2021. (Yonatan Sindel/Flash90)

In its second major leak in a day, the Black Shadow hacking group on Tuesday night uploaded what it said was the full database of personal information from Israel’s Machon Mor medical institute, including medical records of some 290,000 patients.

The directory reportedly includes information on patients’ blood tests, treatments, appointments for gynecologists, CT scans, ultrasounds, colonoscopies, vaccinations for flights abroad, and more.

The documents reportedly include correspondence from patients with requests including medical appointments, the need for procedures and test results.

Earlier Tuesday, Black Shadow released what it said was the full database of personal user information from the Atraf website, an LGBTQ dating service and nightlife index.

The group uploaded the file to a channel on the Telegram messaging app after a ransom demand of $1 million in digital currency to prevent the leak was apparently not paid.

The group wrote, in broken English, “48 hours ended! Nobody send us money. This is not the end, we have more plan.”

The group also posted screenshots of what it said were negotiations over the ransom. In the images of the conversations, Black Shadow supposedly refuses a ransom of $500,000. CyberServe denied negotiating with the hackers.

Black Shadow is a group of Iran-linked hackers who use cyberattacks for criminal ends, according to Hebrew media reports.

Cyber experts immediately warned against downloading the file the group had released.

The data leak has caused concern among those users of the Atraf site who have not publicly disclosed their sexual orientation or gender identification.

As the ransom deadline passed on Tuesday, the group uploaded the file, which they said contained the names of Atraf users and their locations, as well as the HIV status that some users had put on their profiles.

Yoram Hacohen, head of the Israel Internet Association, said, “This is one of the most serious attacks on privacy that Israel has ever seen. Israeli citizens are experiencing cyber terrorism.”

“This is terrorism in every sense and the focus now must be on minimizing the damage and suppressing the distribution of the information as much as possible,” Hacohen told the Ynet news site.

He argued Telegram was partially responsible for the incident, and that tech companies should act to limit the spread of the private information on their platforms. He also called on Israel to use legal and technological means to remove damaging information online.

The group had initially hacked the CyberServe Israeli internet hosting company on Friday, taking down its servers and a number of sites, among them Atraf.

On Sunday morning, Black Shadow said in a statement that it was “looking for money” and would not leak further information if the ransom was paid within 48 hours.

“If we have $1 million in our [digital] wallet in the next 48 hours, we will not leak this information and also we will not sell it to anybody. This is the best thing we can do,” the hacking group said, noting that it was in possession of users’ chat content, as well as event ticket and purchasing information.

A person speaks on their phone during an annual Gay Pride Parade in Jerusalem, on June 3, 2021. (Olivier Fitoussi/ Flash90)

The hackers said that they had not been contacted by anyone in the Israeli government or CyberServe. The hackers said the lack of contact showed it was “obvious [the hack] is not an important problem for them.”

Israel’s National Cyber Directorate said Sunday it had previously warned CyberServe that it was vulnerable to attack.

The cyberattack also hit other websites, including the Israeli public transportation companies Dan and Kavim; a children’s museum; tourism company Pegasus; and Doctor Ticket, a service that could have sensitive medical data, according to Hebrew media.

Black Shadow claimed responsibility for the attack and published what it said was client data including the names, email addresses, and phone numbers of Kavim clients on Telegram.

Hours later, the group said it had not been contacted by authorities or CyberServe, so it released another trove of information, including what it said was data pertaining to clients of the Dan transportation company and a travel agency.

The group breached Israel’s Shirbit insurance firm in December last year, stealing data. It demanded a $1 million ransom and began leaking the information when the firm refused to pay.

The new attack comes after an unprecedented, unclaimed cyberattack wrought havoc on Iran’s gas distribution system this week, which Tehran officials have blamed on Israel and the United States.

Iran and Israel have been engaged in a so-called “shadow war,” including several reported attacks on Israeli and Iranian ships that the two have blamed on each other, as well as cyberattacks.

In 2010, the Stuxnet virus — believed to have been engineered by Israel and its ally the US — infected Iran’s nuclear program, causing a series of breakdowns in centrifuges used to enrich uranium.
