One of Israel’s leading research Institutes, Technion Institute of Technology, has been attacked by a new ransomware group known as “DarkBit”. The academic institution is currently involved in incident response activities to determine the scope and cause of the incident. “The Technion is under a cyber attack. The scope and nature of the attack are under investigation. To carry out the process of collecting the information and handling it, we use the best experts in the field, both within The Technion and outside, and coordinate with the relevant authorities. The Technion has proactively blocked all communication networks at this stage,” reads the university’s statement. The ransom note dropped by DarkBit is packed with messages criticizing tech layoffs and advancing anti-Israel propaganda, as well as demanding a ransom. The attackers requested 80 Bitcoin, or around $1,745,200, in exchange for the release of the decryptor. While Technion’s cyber systems may be impacted, the university’s campus is operating as usual. “The work day tomorrow on campus will proceed as usual, with the exception of the postponed exams. The instructions published in the morning regarding participation in public activities due to a day off remain unchanged. We will continue to update when we have more information,” stated the Institute.
Analyst Notes
The previously unknown DarkBit gang appeared only this week, and its location is unknown. However, the attackers gave some indicators about their intentions in the ransom note and on their Telegram and Twitter channels. At first look, DarkBit’s operations appear to be hacktivism because of their opposition to “racism, fascism, and apartheid,” but the group’s goals are more complex. Hackers seek to hold Israel accountable for “war crimes against humanity” and “firing high-skilled experts” while denouncing it as an “apartheid regime”. “A kindly advice to the hight-tech companies: From now on, be more careful when you decide to fire your employees, specially the geek ones [sic],” DarkBit said in a subsequent tweet. It appears that DarkBit launched the attack as revenge for potential member layoffs. Threat actors imply that firing highly technical staff members without due diligence can jeopardize an organization’s security position. Some fired workers may have insider information that may allow them to gain easier access to an organization’s network.
https://www.bleepingcomputer.com/news/security/ransomware-hits-technion-university-to-protest-tech-layoffs-and-israel/