This hacker has targeted an Israeli university and is seeking two bitcoins in exchange for access to its data. The university is not willing to pay. We spoke with them to find out more.
In the middle of August, we reported on a cyberattack on Bar Ilan University, one of Israel’s most prestigious academic institutions.
The ransomware attack encrypting the university’s systems (computers, networks, and data) and demanding a payment to unlock the files and return them to their rightful owners was a classic case of cybercrime.
The academic institutions used both internal and external consultants and specialists to deal with what was described at the time as “a minor event that will not impede studies and activity at the university from continuing as planned.”
Despite Bar Ilan University’s best efforts to downplay the issue, it turns out that this was only the beginning: the hacker who carried out the attack not only encrypting the university’s computer files, but also stealing material from Bar Ilan – and a lot of it.
The hackers claim to have over 20 terabytes of data from the university and are demanding 2 bitcoin (approximately $94,000) in a conversation with Haaretz using the Telegram messaging service.
This is referred to as “double extortion,” because the prospect of having your stolen data sold is the second threat the victim faces after coping with the original data loss and payout demand. The sale of stolen data may result in extra secondary losses for the victim, who may be exposed once their information, as well as that of their clients, is sold online, for example.
During the coronavirus pandemic, double and triple extortion attacks have become increasingly widespread, with hackers even reaching out to clients of their victims to try to compel them to pay them.
We met with the hackers responsible for the Bar Ilan attack, and we can now share new details about the attack: First and foremost, they claim to have hacked into Bar Ilan’s network via the remote work system employed – what is known as RDP, or a remote desktop protocol.VPNs and other systems, like as RDP, that allow employees to access professional networks from home proved to be cybersecurity’s Achilles’ heel during the coronavirus, and many assaults leverage remote-working technologies to attack businesses.
According to the hacker, the system’s security was poor in this situation – or, at the very least, the password used on the infected PC was insufficient. The computer that was hacked and exploited as a gateway to the rest of the university’s system was a computer in Bar Ilan’s Life Sciences Faculty’s nanotechnology centre.The computer was one of their tenured teachers’ personal computers (Haaretz has chosen not to publish their name).
A discussion with a hacker
During our talk, the hackers stated that they stole “personal records, academic papers, working papers and documents, grant proposals, coronavirus research, as well as the identities and emails of students and teachers, among other things.”
“The database is above 20 terabytes,” the hackers claim. The hackers even uploaded a sample file of 55 megabytes that included various data to back up this allegation and substantiate the ransom demand.
Haaretz obtained this “dump” in order to determine what information was taken.We discovered ID numbers, driver’s licences, insurance policies and data, worker timecards, academic research papers, and invoices for scientific equipment ordered by researchers for several labs in the sample file they posted. The hackers also appear to have personal images, which were most likely taken as part of a family gathering by a faculty member and then saved on their work computer.
During the actual attack, the hacker utilised infected machines to publicise their ransom demand. The exploitation of victims’ computers to disseminate a ransom letter is another new technique that has emerged among cyber thieves during the coronavirus.The hackers demanded $10,000 for each system they had broken into at the time of the attack. The hackers claimed to have attacked 250 servers, but the actual number is closer to 10.
“I had access to their main directory,” the hackers told us over Telegram, attaching a screenshot of what they claim is the primary file director for the entire university’s database. The hacker demanded for the ransom to be paid in cryptocurrency, but not bitcoin. Instead, they asked the university for the money to be handed out in “Monero,” another digital coin famed for its anonymity.However, when they try to sell the stolen data on the dark web today, they have changed currencies and are now asking for two bitcoin, which is equivalent to approximately 300,000 shekel.
When asked why they asked for monero first and then switched to bitcoin, the hacker said it’s “because bitcoin is far more popular than monero, so more people can pay with it.”