One of Israel’s top research colleges, Technion – Israel Institute of Technology, has been attacked by a new ransomware organization known as “DarkBit.” Aside from the organization seeking a $1.7 million payment, the ransom note provided by DarkBit is packed with messages criticizing tech layoffs and advancing anti-Israel propaganda. The academic institution, with its headquarters in Haifa, is now engaged in incident response operations to ascertain the extent and origin of the occurrence.
“The Technion is under a cyber attack. The scope and nature of the attack are under investigation,” stated the university in Hebrew. “To carry out the process of collecting the information and handling it, we use the best experts in the field, both within The Technion and outside, and coordinate with the relevant authorities. The Technion has proactively blocked all communication networks at this stage.”
On the university’s systems, the new “DarkBit” ransomware organization placed a note demanding payment of 80 Bitcoin, or around US$1,745,200, in exchange for the release of the decryptor. The attack occurred on or before February 12th, 2023, according to the date displayed on the PC in the image above. The Institute’s webpages are unavailable, most likely because the institution disabled all network access during the attack. Technion’s campus operations remain unaffected, even though the university’s cyber infrastructure may be affected.
“The work day tomorrow on campus will proceed as usual, with the exception of the postponed exams,” says the Institute. “The instructions published in the morning regarding participation in public activities due to a day off remain unchanged. We will continue to update when we have more information.”
The previously unknown “DarkBit” gang emerged this week, and where it is based is unknown. However, the attackers give some indicators about their intentions in the ransom message and on their Telegram and Twitter accounts. At first look, DarkBit’s operations may appear to be hacktivism because of their opposition to “racism, fascism, and apartheid,” but the group’s goals appear to be more complex.
It’s challenging to define DarkBit at this time, given that the organization calls attention to tech layoffs, uses the slogan #HackForGood in its Twitter bio, and the ransom note contains anti-Israel themes. Attackers using DarkBit seek to hold Israel accountable for “war crimes against humanity” and “firing high-skilled experts” while denouncing it as an “apartheid regime.” Depending on how one reads the language, it appears that DarkBit launched the attack as retaliation for potential member layoffs.
“DarkBit has gone from hacktivist, to ransomware group now to a disgruntled former employee all in one day,” comments cybersecurity analyst Dominic Alvieri.
The threat actors indicate that firing highly technical staff members without due diligence can jeopardize an organization’s security posture. Even after being fired, some laid-off (and angry) workers may retain insider information that gives them easier access to an organization’s computer networks. Should the institution refuse to pay, the organization has threatened to add a 30% penalty to the already high ransom demand. The attackers also say that they will be selling any stolen data after five days.