
Israel blames state-sponsored Iranian hackers for ransomware attack on university

Israeli cybersecurity officials on Tuesday blamed hackers sponsored by the Iranian government for a ransomware attack on the country’s leading technology university.

The attack in February forced the Israel Institute of Technology, also known as Technion, to postpone exams and shut down its IT systems. The incident followed what Israeli defense officials said were dozens of attempted Iranian cyberattacks over the past year.

Hackers from a previously unknown group calling itself DarkBit claimed responsibility in a note left on Technion’s systems demanding 80 bitcoins ($1.7 million at the time) to enable the university to recover its files.

The note was unusually ideological, criticizing “an apartheid regime” and stating: “They should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes against humanity, killing the people (not only Palestinians’ bodies, but also Israelis’ souls) and destroying the future and all dreams we had.”

Israel’s National Cyber Directorate on Tuesday attributed the attack to a threat group tracked as MuddyWater, which U.S. Cyber Command last year linked to the Iranian Ministry of Intelligence and Security.

British and American authorities subsequently issued a warning about the hacking group, saying it was targeting a “range of government and private-sector organizations across sectors — including telecommunications, defense, local government, and oil and natural gas — in Asia, Africa, Europe, and North America.”

While Israel and Iran have never been in a declared war against each other, the countries have repeatedly blamed each other for cyberattacks targeting civilian infrastructure, including a steel plant in Iran. Iranian hackers have been blamed for attacks on water systems in Israel.

The attack on the university in Haifa is not the first time that Iranian state-sponsored hackers have been linked to ransomware incidents. A French-Venezuelan cardiologist called Moises Luis Zagala Gonzalez was charged by the U.S. Department of Justice last year with developing the Thanos ransomware and allegedly boasting about it being used by Iranian government-linked hackers.

Another advisory issued in 2022 by cyber authorities in the United Kingdom, United States, Australia and Canada — members of the Five Eyes intelligence alliance — warned that “cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps are exploiting vulnerabilities to launch ransomware operations against multiple sectors.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.