Israel blames prolific Iranian-linked hacking group for February university hack

A prolific hacking group affiliated with the Iranian government is responsible for the Feb. 11 cyberattack on Technion University in Israel, the Israeli government said Tuesday.

Israel’s National Cyber Directorate attributed the attack to a well-known and long-running Iranian-linked hacking group known as “MuddyWater,” saying that the group used malware designed to encrypt operating systems, according to a statement from the agency provided to CyberScoop Wednesday.

The statement warned that the “month of Ramadan, which this year begins in the end of March, is prone to cyberattacks against diverse targets in Israel, aiming to disrupt their business activities and sully their reputation.”

MuddyWater — also known as Earth Vetala, MERCURY, Static Kitten, Seedworm and TEMP.Zagros —  has a prolific history attacking targets around the world dating back to at least 2015. The U.S. government publicly linked to the Iranian Ministry of Intelligence and Security for the first time in January 2022, when U.S. Cyber Command shared a series of malware samples associated with the group on VirusTotal. A joint advisory from the U.S. and British governments in February 2022 called MuddyWater “a group of Iranian government-sponsored” hackers conducting cyber espionage and other malicious cyber activities targeting telecommunications, defense, local government and oil and natural gas targets in Asia, Africa, Europe and North America.

Advertisement

An October 2020 report from Israeli cybersecurity firms Profero and ClearSky examined attempted MuddyWater attacks on multiple “prominent Israeli organizations” and concluded the group was “attempting to employ destructive attacks .. disguised as ransomware attacks.”

A group calling itself “DarkBit” launched a Telegram channel Feb. 11 and announced its attack on the university, one of Israel’s premiere technological universities. The group demanded roughly $1.7 million in Bitcoin, posing as a hacktivist group that attacked the university because it represented the “technological core of an apartheid regime.” The attack disrupted operations at the school over a period of several days.

A representative of Israel-based cybersecurity firm Check Point told CyberScoop after the initial attack that the incident had indications of an “ideological” attack with “possible links to Iran.”

On Feb. 22 the group posted a second message to its Telegram channel saying that the university was not cooperating with them and instead listened “to the stupid consultants of the racist government.” The message said the group was selling different batches of files it had stolen from the school, or all of them together for 104 Bitcoin (roughly $2 million).

A message sent to a messaging service address published by DarkBit was not immediately returned.

Alternate Text Gọi ngay