N3tw0rm Attack: Israeli firms targeted by suspected Iranian group

N3tw0rm notification of ransomware attack

A new group of ransomware hackers, quickly becoming known online as N3tw0rm, has started affecting users in Israel. Twitter users started picking up the story on 3 May, and now OP Innovate, a cyber security firm and incident response company, has stated officially that it is representing several Israeli companies that are victims of this ransomware.

The hacker group and potential motivations

This attack comes six months after Israel was hit with a wave of attacks that we reported on previously. Social media speculation says that there are many similarities between N3tw0rm and the hacking group behind Pay2Key, known as Fox Kitten, a group of Iranian hackers involved in the attack on over 80 firms. Their ransomware notifications also look very similar.

Comparison of N3tw0rm and Pay2Key


Twitter comments expressing similarities between the two groups

N3tw0rm at first seemed to be only financially motivated, as they were holding valuable data for ransom and demanding payments in Bitcoin, but the group started to show signs that they may not actually be interested in financial gain.

Given this, cybersecurity experts are now stating that the real intention of this hack may not be financial gain but rather to undermine public confidence in Israel’s status as a cyber power, or to embarrass Israel and create panic. Experts say that there is a clear similarity between this attack and the previous wave of attacks, such as the attack on the Shirbit insurance company in December.

Shay Pinsker, a spokesperson for the cybersecurity firm OP Innovate, says they believe the group that attacked the Israeli companies are Iranian hackers pretending to be Russian.

He said the attack seems to be politically motivated because, for example, the attackers are asking for a ransom, but during the negotiations, Pinsker says, it became clear they have no real intention of decrypting the data. This behavior is reported to match that of Pay2Key/Fox Kitten.

The firms attacked by N3tw0rm are key parts of the country’s supply chain, which is another clue that the group intends to undermine confidence in Israel in cyberspace.

Impact from N3tw0rm so far

The newest victims are H&M Israel and Veritas Logistic, according to a post on N3tw0rm’s webpage hosted on the dark web. The hackers are threatening to publish 110 gigabytes of H&M’s data and 9 gigabytes of Veritas data that includes sensitive information on clients, invoices, workers’ details and perhaps even payment information such as credit card and banking details. If N3tw0rm does start to leak this data online, it will be another indication that this group is acting in ways consistent with the previous attacks.

Picture taken from the group’s website on the dark web

While not linked to N3tw0rm yet, Matav, an Israeli nonprofit focused on welfare services, said its computer systems were down for 48 hours from an attack, but the attack was stopped before any damage was done. The nonprofit provides services to Israeli senior citizens, and an attack on an organization like this would very much fit the profile of this hacking group, as it would severely impact the lives of over 30,000 senior citizens who depend on the services it provides.

If it is true that the hackers behind N3tw0rm are also the same people behind Pay2Key, the Shirbit attack and the attempted attack on Matav, then there is a high likelihood that the group is state funded and politically motivated, due to the resources needed to carry out such a coordinated and intricate attack.

