Israeli Universities Hit by Supply Chain Cyberattack Campaign

Iranian hacktivists executed a supply chain attack on Israeli universities by initially breaching systems of a local technology provider to the academic sector.

The self-styled Lord Nemesis group boasted online that it used credentials snatched from Rashim Software to break into the systems of the vendor's clients, universities, and colleges in Israel. The hack-and-leak operation began on or around November 2023, according to Op Innovate, an incident response firm that assisted one of the victim universities. According to the firm, it is "highly likely" that student data of that institution was exposed as a result of the cyberattack.

Rashim — a provider of academic administration software, including a student-focused CRM package — did not respond to inquiries from Dark Reading on the alleged breach.

Hacking Weak Access Controls

In a detailed blog post, Israeli security consultancy Op Innovate said the hacking operation on Rashim relied on a combination of weak access controls and shaky authentication checks.

Rashim kept an admin user account on at least some of its clients' systems, Op Innovate found. "By hijacking this admin account, the attackers were able to access numerous organizations by using their VPN [virtual private network] that relied on the Michlol CRM [customer relationship management], potentially compromising the security of these institutions and putting their data at risk," the IR and consulting firm wrote in its report.

Stronger authentication controls would normally offer a barrier against this kind of attack, but Rashid relied on email-based authentication. So after the attackers compromised Rashim's Microsoft Office365 infrastructure as part of a wider attack targeting its databases and other systems, email authentication fell apart as a defense.

Nemesis Kitten

On March 4, four months after the initial breach, Lord Nemesis used its access to Rashim's internal Office365 infrastructure to send the software company's clients, colleagues, and partners a message from the company's email account announcing that it had "full access to Rashim's infrastructure."

The Iran-based hacktivists separately uploaded videos that purportedly document how they were able to delete branches from Rashim's databases. They also leaked personal videos and images of Rashim's CEO in an apparent attempt to harass and intimidate the company.

Lord Nemesis, also known as Nemesis Kitten, initially emerged in late 2023, and the Rashim breach represents the newly formed group's first significant cyberattack.

Roy Golombick, CMO at Op Innovate, told Dark Reading that exactly how the attackers first gained entry to Rashim Software's systems remains confidential due to an ongoing investigation into the incident.

Golombick shared some details of the hacktivists' tradecraft, however. "The group used a known malicious IP from a local proxy server to Israel, thus overriding geo-blocking. This IP provided our research team with a valuable IOC [indicator of compromise] to identify access attempts," Golombick explained.

Op Innovate was able to confirm that Lord Nemesis operatives had successfully hijacked the admin account of Rashim Software, which held privileged access to the institute's student CRM system.

"Exploiting these elevated credentials, the attackers connected to the institute's VPN outside of regular business hours and initiated data exfiltration," according to Op Innovate's report.

Log analysis revealed that the attackers had targeted servers and databases, including a SQL server containing sensitive student data. However, Op Innovate was unable to find definitive proof that personal student data was stolen as a result of the attack, but nonetheless concluded that such sensitive information likely was exposed.

The cyberattack appears limited to entities in Israel. "To our knowledge, and based on the attacker group's Telegram channel, it appears that the attack specifically targets Israeli organizations," Golombick says.

Software Supply Chain Risk

The attack illustrates the risk to organizations stemming from their reliance on third-party vendors and partners. Rather than hitting a targeted organization directly, attackers are increasingly finding it easier to breach software or technology suppliers through supply chain attacks that provide them a steppingstone to multiple prospective victim networks.

Golombick compared the attack on Rashim and its customers to the earlier "Pay2Key" campaign launched against the Israeli shipping and logistics sector in December 2020. Both incidents illustrate the importance of taking proactive steps to minimize supply chain risk.

"This includes implementing MFA [multi-factor authentication] on all users, not least those used by third party vendors, and monitoring accounts for suspicious behavior such as out-of-hours activity" and other red flags, Golombick advises.

Not surprisingly, he also recommends having a reputable IR firm on retainer "to ensure swift response to make those early critical hours count," he says.