Hack-and-leak group Black Shadow keeps targeting Israeli victims

The group is one of a number of hacking outlets carrying out ransomware incidents from the Middle East, according to Microsoft specialists.
israel cybersecurity

In October, a little-watched hacking group called Black Shadow went public with data it appeared to have stolen from an Israeli LGBTQ app, doxing users in a way that seemed intended to send a message.

The breach was the result of a larger incident at Cyberserve, a web hosting company that also yielded sensitive information from the Machon Mor Medical Institute — which included medical data on roughly 290,000 patients — and other firms that possessed information about Israeli citizens. While the international media sorted through the fallout of the intrusions, security personnel reminded observers that the same hacking group previously breached Shirbit, an Israeli insurance firm, in December 2020, demanding a series of escalating ransom payments that analysts suggested weren’t motivated by money at all.

Instead, experts now say, the recent uptick in activity from Black Shadow — a group that’s still shrouded in mystery, though it appears to be aligned with Iranian government interests — is the latest evidence of a broadening conflict between Iranian actors and outside actors, primarily Israel. While both sides have reportedly utilized hacking resources aimed at data theft and conventional espionage, Black Shadow seems to be an attention-seeking effort more along the lines of an information operation, experts say.

That the group published data such as the names and passwords for users’ accounts on the LGBTQ dating site Atraf, which also included sexual orientation and HIV status, betrays the intent of the attack, experts say.


“The high sensitivity of the information that they decided to publish makes you wonder,” said Lionel Sigal, a former Israeli intelligence official and the current head of cyber threat intelligence at CYE, an Israel-based cyber security firm.

The model of combined hacking with information operations apparently designed to cause embarrassment or sway public opinion is not new. That the Black Shadow incidents roughly coincide with a festering digital conflict between Iran and Israel — a large number of gas pumps in Iran were hacked and taken offline in late October in an apparent attempt to sow anger at the government — is yielding new lessons.

“It’s a strategic way that countries can pass messages to each other or create some kind of deterrence,” Sigal said. “I think it’s a growing phenomenon.”

Black Shadow’s approach appears to be straightfoward: Hack targets that have some sort of connection to the Israeli government, or could be used to terrorize Israeli citizens. Announce the company has been hacked, thereby garnering maximum media coverage, and then demand a ransom that grows exponentially in a short period of time.

Key to the approach is posting data either to websites or via Telegram channels. The Israeli government has successfully lobbied the chat platform to remove some accounts, but others quickly pop up under another name.


The group is thought to be operated in conjunction with the government of Iran, Sigal and others say, as part of the ongoing back and forth between the two countries that involves both cyberattacks and physical actions.

A website purportedly belonging to Black Shadow posts data apparently stolen during its hacks, such as a Nov. 18 post of personal identification records of Israelis sourced from old Shirbit data. The site was originally registered in 2016, but went dormant by November 2017, according to internet registration records. It spun back up in May of this year and began posting links to download the data stolen in the group’s hacks, and remains accessible.

An attempt to contact the group through information posted to the site was unsuccessful.

The group is among a crop of apparently Iranian-based hacking groups.

Amitai Ben Shushan Eherlich, a threat intelligence researcher with cybersecurity firm Sentinel One, said Black Shadow is “one of several” extortion aliases used by a group the firm calls “Agrius,” which has employed a series of sometimes sophisticated attacks against primarily Israeli targets starting in 2020.


Microsoft’s Threat Intelligence Center on Nov. 16 published research examining “a gradual evolution” of malicious Iranian hacking activity. Such hackers, including the Black Shadow group, are increasingly using ransomware to either collect funds or disrupt targets, Microsoft’s analysts noted, while also showing more patience and persistence.

The Microsoft research concluded that Iranian hackers are evolving into “more competent threat actors” who can carry out attacks in a variety of ways for a variety of purposes.

Another group emerged in September calling itself “Moses Staff” with similar tactics, such as targeting Israeli companies, leaking data, and encrypting networks, according to the Israeli firm Check Point. That group’s messaging was explicitly political and had no ransom demand. Moses Staff had some similarities to Black Shadow, Check Point said, and another group called Pay2Key.

“It’s all the same,” said Omri Segev Moyal, the CEO and co-founder of Israeli security firm Profero.

The way Black Shadow courts media attention and chooses its targets makes it more likely an intelligence-backed operation rather than a military one, Moyal added.


The group, like other named hacking groups believed to be associated with nation states, gives governments plausible deniability. “Cyber attribution is hard, but in this case it does look like [Iran],” Moyal said.

The Department of Homeland Security Agency’s Cybersecurity and Infrastructure Security Agency — along with the FBI and top agencies in the U.K. and Australia — warned on Nov. 17 of an Iranian government-sponsored hacking group exploiting known vulnerabilities in targets around the world, including in the U.S. and Australia.

The hack-and-leak aspect of the group’s activity can be devastating, Sigal said. The LGBTQ data may have outed people against their will, and also included data on some users’ HIV status. The context of the activity, he said, “is the context of war.” Whereas in the past Iranian-backed organizations executed physical attacks on Israeli targets, by bombing a bus, for instance, this kind of Black Shadow attack targets civilians in a different way.

The U.S. government has also accused Iran of directly targeting U.S. citizens.

The Department of Justice on Nov. 18 unsealed charges against two Iranians accused of stealing private U.S. voter registration data and targeting some voters with emails threatening violence if receipients did not vote for Donald Trump. The emails, which purported to be from the Proud Boys, a violent, right wing nationalist organization, were one relatively unsophisticated part of a sprawling plan to interfere in the 2020 U.S. elections, prosecutors said.


In somewhat similar fashion, the Black Shadow activities strike some experts as unsophisticated. On their own, they’re not as sophisticated or complex as other state-backed groups, even Iranian, Moyal said. From a technical perspective, the group’s capabilities are “super weak,” he said. “They are not intelligent at all,” typically scanning for known vulnerabilities in technology made by commercial firms like Fortinet and Microsoft.

Ari Eitan, the vice president of research at cybersecurity firm Intezer, echoed that the methods are not sophisticated. “Despite the fact that it may seem like they are creating a lot of damage, I like to think that they are basically script kiddies with good PR,” he said.

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts