Iran-linked hackers say they breached Israeli cyber security firm Portnox

Pay2Key hacking group leaks documents from leading Israeli companies, latest in series of ransomware attacks tied to outfit researchers have traced to Iran

Illustrative: A cybersecurity expert stands in front of a map of Iran as he speaks to journalists about the techniques of Iranian hacking, on September 20, 2017, in Dubai, United Arab Emirates. (AP/Kamran Jebreili)

The hacking group Pay2Key, which has been linked to Iran, said Thursday it hacked the computer systems of the Israeli cyber security company Portnox, days after the same group hacked Israel Aerospace Industries.

The hacks were the latest in a series of cyberattacks on Israeli firms in recent months.

The hacking group published documents related to firms using Portnox’s services, including Bezeq, Elbit, El Al, the Clalit health provider and more, according to the Ynet news site. The firms are some of Israel’s most prominent companies.

Pay2Key said it seized almost 1 terabyte of data and has published just 3 gigabytes of it.

The documents it released on Thursday included a 15-page report from 2018 that detailed weaknesses at Elbit, a major Israeli defense company, according to the Walla news site. The report noted that the information in the report was likely outdated and no longer relevant.

Portnox is a privately held firm established in 2007 that works in computer and network security. It is based in the central Israeli city of Ra’anana and has offices in the US and Europe, according to its website.

Portnox said in response to reports of the attack: “Several hours ago it was published that our internal servers may have been breached by a group known as Pay2Key. We are currently conducting an intensive investigation in order to understand the scope of the event.”

Israeli cyber security firm Check Point issued a warning about Pay2Key in November after a series of attacks on Israeli companies. The hacking group installs ransomware in its victims’ networks, which allows hackers to take control of data or systems, and threatens to leak corporate data, then demands Bitcoins as a ransom payment, the warning said. Check Point traced some of the transactions back to a Bitcoin exchange based in Iran.

On Sunday, Pay2Key claimed to have breached Israel Aerospace Industries’ computer systems. The hacking group also mentioned a systems administrator at the defense contractor’s Elta subsidiary by name, Koby Fiada, revealing his password.

The Israeli cyber security firm ClearSky, which released a report on Pay2Key three days before the alleged IAI hack, said the group was likely an offshoot of an Iranian hacking cooperative known as Fox Kitten.

“We estimate that this campaign is part of the ongoing cyber confrontation between Israel and Iran, with the most recent wave of attacks causing significant damage to some of the affected companies,” ClearSky wrote last week.

According to ClearSky, though Pay2Key purports to be an outfit specializing in ransomware, the group is in fact conducting cyberattacks on Israeli companies as part of an ongoing campaign against the Jewish state by Tehran.

“We estimate with a medium level of confidence that this campaign (Pay2Key) is part of Iran information warfare aimed to create panic in Israel and in other countries worldwide,” the cyber security company said.

The alleged hack of the Elta subsidiary came after a major cyberattack — also by Pay2Key, according to ClearSky — earlier this month hit dozens of Israeli logistics companies, with hackers making off with information from servers, according to a report of the incident by one of the victims, Amital Data, filed to the Tel Aviv Stock Exchange.

An investigation found that there may have been 15-20 additional companies, not Amital clients, that were also targeted in the attack, although the full list is still unknown, the Calcalist website reported.

Iran was believed to be the likely culprit.

There have been at least five suspected Iranian cyberattacks on Israel during 2020, including one that targeted its water infrastructure.

Iran and Israel have reportedly been engaged in a cyber war that has become more intense over the past year.

Separately, last week, hackers who had stolen a mass of personal details on clients of the Shirbit Insurance company apparently began selling the information on the internet.
