The Pay2Key hacking group, which is suspected of having links to Iran, has indirectly claimed responsibility for a recent cyberattack on state-owned Israeli Aerospace Industries (IAI), one of the country’s largest aviation manufacturers.
The group posted a dubious message on its Twitter account, announcing that “tonight” was “longer than longest night” for IAI.
— Winter is coming (Pay2Key) (@PKeytwt) December 20, 2020
It also claimed to have leaked the password of Koby Fiada, a systems administrator at IAI’s subsidiary Elta, without giving any further details about the breach.
@kobyfiada still using kf79176 on @ILAerospaceIAI ?🗝️
— Winter is coming (Pay2Key) (@PKeytwt) December 20, 2020
The manufacturer told the Times of Israel that it was investigating a suspected attack carried out against its subsidiary Elta.
Israeli information scientist Karine Nahon said on Twitter on Sunday that there was “no evidence of actual damage” at Israeli Aerospace Industries following the suspected break-in, but later reported that the Pay2Key hackers had released “hundreds” of employee records on the dark web, citing as an example the leaked profile of a staffer named Zvika Weiss.
As of now, the Pay2Key hackers have uploaded a file with usernames from Israel Aerospace Industries to the dark web. This is what the information looks like for one user.
Zvika Weiss. His username in the Aerospace Industries system is zw93288.
There are hundreds like this in the file. @NevoTrabelsy pic.twitter.com/Qy2eFuq4tX
— Karine Nahon • קרין נהון (@karineb) December 20, 2020
Not a New Attack?
According to Tel Aviv-based ClearSky Cyber Security researchers, Pay2Key specialises in ransomware attacks, which block access to victims’ computers until a ransom is paid. They believe that the hacking campaign is linked to the “Iranian APT group” Fox Kitten, “that began a new wave of attacks that entailed dozens of Israeli companies in July-August 2020”.
In a report released shortly before the claimed IAI attack, ClearSky says that in October and November Israeli industrial, insurance and logistics companies were targeted by a wave of suspected Pay2Key cyberattacks that compromised the firms’ availability and data, with the hackers penetrating their internal networks.
In December, the attackers were able to breach the Israeli software company Amital Data using the ransomware file from November, the report claims. The attack then allegedly spread to “over 40 firms from Israel” while “leveraging Amital’s network with a supply chain attack method”.
According to Tel Aviv researchers, the campaign was “a part of the ongoing cyber confrontation between Israel and Iran, with the most recent wave of attacks causing significant damage to some of the affected companies”.
They also added that Pay2Key’s goal was “to create panic in Israel”.