An unusual cyber attack on the Technion: the hackers demand a ransom in Bitcoin

by time news

Cyber attack on Technion University: DarkBit, an unknown group of hackers, attacked the Technion during the night. Students at the Technion are being asked to disconnect their computers; cyber experts describe this as a ransom attack and are still trying to understand its scale. Beyond the fact that the Technion website is unavailable, it appears that access to employees’ accounts was taken over by an external party.

The group itself is unknown and has not appeared under this name in the past, but ideological motives against Israel are attributed to it. Other cyber experts consider it possible that this is an Iranian group. Various experts point out that the Technion is a high-value target because of the information it holds and its academic role.

A ransom letter from the attackers, obtained by Globes, reads: “We regret to inform you that we had to break into the Technion network and transfer ‘all’ the information to our secure servers. So, relax, take a breath and think about the apartheid regime that causes trouble here and there. They have to pay for the lies and the crimes. They have to pay for the occupation, the war crimes against humanity, the killing of the people (and not only the bodies of the Palestinians, but also the souls of the Israelis), and the destruction of the future and the dreams we had. They have to pay for the dismissal of very talented experts.”

The attackers write in their message that private individuals have nothing to worry about, but that the management must pay 80 bitcoins to the wallet given in the message. At the current value of Bitcoin, the ransom is more than 1.7 million dollars. The attackers warn against trying to recover the information, claiming that because of the encryption such an attempt will lead to the destruction of the information. The attackers gave 48 hours; if the demand is not met, the ransom will increase by 30%. According to them, within five days the information will be offered for sale. The message is signed: “Take it seriously, and don’t listen to possible advice from an idiotic government.”

The hackers impersonated the president of the Technion to cause panic

Posts published through employee accounts stated that this was a ransomware attack and named the group. The attackers even impersonated the president of the Technion, Prof. Uri Sivan, and posted on LinkedIn in his name that, following the attack, he would resign from his position. It is important to note that the president of the Technion does not have a LinkedIn account and never had one, so this is a complete fake. In another post, the following message was written under the name of the “Technion-Jobes” account: “The hackers punished us for the apartheid regime. All systems are without access and our information is missing. So, we must stop all human resources processes temporarily.” The fake post has been deleted.

The National Cyber Array and other companies are involved in the case to help the Technion deal with it. As mentioned, the extent of the information leak is still unclear.

Usher Assur, cyber consultant to the Ministry of Defense and managing partner of the cyber division at the consulting firm Auren Israel: “The Technion people have several options. One is to pay the ransom. However, there is an overwhelming consensus among the cyber community that this is a bad idea. After all, the information is with the attacker, and it is not at all certain that the Technion will receive it back following payment. On the one hand, information was stolen, and on the other hand, many components in the software were encrypted by the attacker.”

Assur offers another preferred option: “We need to investigate the process of hacking and the spread of the ransomware using information security researchers, and start the process of purifying and restoring the information backwards, both through the use of backups, and in an attempt to bypass the encryption process of the ransomware.”

Educational organizations in Israel are attacked twice as often as the average

The Technion responded: “At night, a cyber attack was carried out by a group of hackers on the Technion’s servers. The computer systems are currently being tested and therefore proactively disconnected. We are studying the situation, we will continue and update soon.”

Data from the information security giant Check Point shows that educational organizations in Israel are attacked at double the general average: 3,383 attacks every week (compared to 1,624 weekly attacks in the general average). According to company experts, educational organizations are preferred targets for attackers because they store valuable personal information. At the same time, these institutions often invest less in defense, and a successful attack on them can attract particularly wide attention.

Dr. Harel Manshari, head of cyber at HIT Holon Institute of Technology and founder of the Shin Bet’s cyber system, says that everything is preliminary at the moment, but it is possible to identify the group’s intentions based on its actions: “We have to remember that in the past we saw attacks by Iranian proxies that pretended to be ransom attacks, as in the case of Shirbit. If they start to publish in a few hours the materials from the system, it will be possible to assume that it is indeed an impersonation of a ransom attack.”

He also added: “It is important to remember that the attack was carried out during the weekend, at night and during the semester break, which means that the activity in the Technion’s computer systems at the time of the attack is relatively low, which means that the degree of damage to the systems may be relatively limited. Here we need to see what the Technion’s backup status is.”

Alex Steinberg, product manager at the information security company ESET, says that there are several reasons why the attackers would want to steal the information from the Technion. The first is a politically motivated attack: “countries like Iran, China and Russia for example can benefit greatly from the information”. Besides, “it is possible that they want to steal the information in order to sell it to whoever is willing to pay for it and thus make a profit.” He also claimed that “in the ransom note that is being distributed, it appears that the attackers are asking for a large amount of money, but this could be disguised for other purposes.”
