Pay2Key hackers claim they breached IAI servers

Major defense contractor is the most recent victim in a string of cyberattacks on Israeli companies

Raphael Kahan and Ynet | 20:10, 20.12.20
Hackers from the Iran-linked Pay2Key group exposed on Sunday a new database of names they claim to have stolen from servers belonging to Israel Aerospace Industries’ subsidiary Elta Systems.


Among the names was Camila Edry, the company’s head of cyber projects development. "IAI might think they have the most protected network, but this should be backed with proof," the hackers wrote teasingly alongside the list.


IAI headquarters. Photo: Avi Mualem
The group also wrote that the most "interesting part" of Elta Systems’ servers would be access to the company's files - which include various classified projects, videos, and research.


IAI is Israel’s largest aerospace and defense company specializing in developing and manufacturing advanced weapons and defense systems for all branches of the military as well as cyber and homeland security. Elta is one of Israel’s leading defense electronics companies, developing and manufacturing radars, early warning systems, communication and intelligence technologies, electronic warfare technologies, and cybersecurity products.


"Do I have possession of them? Who knows," the hackers wrote.


No ransom demands have been made publicly so far.


Pay2Key malware has been used to blackmail several Israeli companies throughout the last two months. Most recently, the group announced it had breached the servers of Intel-owned Habana Labs.


The Pay2Key malware is not as sophisticated as the tools used to carry out the massive cyberattack against U.S. targets that has been revealed in recent days. But it should not be taken lightly. According to the group’s pattern of behavior, they will attempt to sell any data they managed to steal back to IAI and, if negotiations break down, may try their luck on the open market.


Israeli cyber experts estimate that Pay2Key is not officially linked to the Iranian regime, but it is based in Iran or operated by Farsi-speaking hackers. Their actions are believed to be financially motivated, and not for spying or strategic purposes.