Black Shadow Group Leaks Israeli Patient Records, DataLatest Hacks Come in Wake of Surge in Attempted Attacks on Healthcare Sector
Less than a month after Israeli officials warned of a wave of attempted cyberattacks on the nation's healthcare sector, the Black Shadow hacker group, which allegedly is linked to Iran, has reportedly leaked sensitive health records of nearly 300,000 patients of an Israeli network of medical centers.
Local media outlet the Times of Israel on Nov. 2 reported that the stolen medical records of about 290,000 patients from a database of Machon Mor, which operates nearly 30 medical clinics in Israel, were leaked last week by Black Shadow.
The exposed data includes information about patients' blood tests, treatments, appointments, medical imaging scans, colonoscopies and vaccinations, as well as correspondence from patients regarding requests for medical appointments, and the need for procedures and test results, the Times of Israel reports.
Machon Mor did not immediately respond to Information Security Media Group's request for comment.
Earlier the same day as the Macon Mor leak, Black Shadow released what it claimed was the full database of personal user information for tens of thousands of individuals from the Atraf website, an LGBTQ dating service and nightlife index, the Times of Israel reports.
The leaked data about Atraf users included their locations, and in some cases, the HIV status information that users had on their profiles, the Times of Israel reports.
Black Shadow reportedly uploaded the data to a channel on the Telegram messaging app after a ransom demand of $1 million in digital currency to prevent the leak was apparently not paid by the entity, according to the Times of Israel.
The group initially hacked Cyberserve - an Israeli internet hosting company - in late October, taking down its servers and a number of sites, including Atraf, the Times of Israel reports.
Following the October cyberattack on Cyberserve, Israel's national cyber array issued a public advisory calling for affected citizens "to be more vigilant for suspicious emails and messages, change passwords and implement two-step verification in all apps, such as social networks and the bank app."
In recent months, attacks on some other Israeli organizations have been attributed to Black Shadow.
In March, the group reportedly claimed it had hacked Israeli car financing firm K.L.S. Capital and stolen client data, and in December 2020 it leaked thousands of documents containing personal information on the customers of Israel’s Shirbit insurance company. (see: Hackers Steal Data From Israeli Car Financing Company).
Not everyone is convinced of Black Shadow's alleged roles in these incidents.
"It’s hard to know what the group is legitimately responsible for. In the cyber world, anyone can 'hide' or 'introduce themselves' under whatever name they choose," notes Amir Magner, president and co-founder of Israel-based healthcare security firm CyberMDX.
"That means the name 'Black Shadow' can simultaneously be used by multiple, unrelated groups choosing to identify themselves under the same name," he says.
A common characteristic of some of these latest ransomware incidents is attackers using double extortion tactics.
"Prior to encrypting the victim’s databases, the attackers extract large quantities of sensitive commercial information and threaten to publish it unless ransom demands are paid - putting added pressure on enterprises to meet the hackers’ demands." Magner says.
Healthcare providers worldwide are realizing that they are top targets for such cyberattacks, he adds.
"This is not a temporary trend, it is something that is here to stay.
"We see a very high motivation to attack health organizations all over the Western world. There is no doubt that every successful attack, where the attackers see the broad effect it produces, encourages them to continue to attack more health organizations," he says.
Like other developed countries around the world, Israel has an advanced health system with many connected IoT devices and digitally transmitted medical information, Magner notes.
"The same practices that are effective for attackers targeting healthcare entities in Dusseldorf, Singapore or San Diego also can work against health organizations in Israel."
The apparent medical records breach of hundreds of thousands of Machon Mor patients comes just weeks after several Israeli healthcare providers, including Hillel Yaffe Medical Center in the city of Hadera, were targeted by cyberattacks in October.
Israeli cyber officials issued alerts about that activity last month, and Israeli authorities at the time suspected those attacks were linked to Chinese hacker groups (see: More Attempted Cyberattacks on Israeli Healthcare Entities).
“While it’s possible that the attacks on Israeli healthcare facilities have a political motive, it’s best not to overthink this trend," says Saryu Nayyar, CEO of security vendor Gurucul.
Hospitals are part of a nation's critical infrastructure, and there are multiple potential attack vectors that can be exploited, she adds.
"We have seen an uptick in healthcare ransomware in the U.S. and in other parts of the world, in part because healthcare IT systems are complex, with a combination of patient and employee records, billing systems, patient satisfaction, and interconnected medical devices," Nayyar says.