Israeli Universities Hit by Supply Chain Cyberattack Campaign

Published: 23/11/2024   Category: security

Iranian hacktivist group known as Lord Nemesis and Nemesis Kitten targeted an academic sector software firm in Israel to gain access to its customers.



Iranian hacktivists executed a supply chain attack on Israeli universities by initially breaching systems of a local technology provider to the academic sector.
The self-styled Lord Nemesis group boasted online that it used credentials snatched from Rashim Software to break into the systems of the vendor's clients, universities and colleges in Israel. The hack-and-leak operation began on or around November 2023, according to Op Innovate, an incident response firm that assisted one of the victim universities. According to the firm, it is highly likely that student data of that institution was exposed as a result of the cyberattack.
Rashim — a provider of academic administration software, including a student-focused CRM package — did not respond to inquiries from Dark Reading on the alleged breach.
In a detailed blog post, Israeli security consultancy Op Innovate said the hacking operation on Rashim relied on a combination of weak access controls and shaky authentication checks.
Rashim kept an admin user account on at least some of its clients' systems, Op Innovate found. "By hijacking this admin account, the attackers were able to access numerous organizations by using their VPN [virtual private network] that relied on the Michlol CRM [customer relationship management], potentially compromising the security of these institutions and putting their data at risk," the IR and consulting firm wrote in its report.
Stronger authentication controls would normally offer a barrier against this kind of attack, but Rashim relied on email-based authentication. So after the attackers compromised Rashim's Microsoft Office365 infrastructure as part of a wider attack targeting its databases and other systems, email authentication fell apart as a defense.
On March 4, four months after the initial breach, Lord Nemesis used its access to Rashim's internal Office365 infrastructure to send the software company's clients, colleagues and partners a message from the company's email account announcing that it had full access to Rashim's infrastructure.
The Iran-based hacktivists separately uploaded videos that purportedly document how they were able to delete branches from Rashim's databases. They also leaked personal videos and images of Rashim's CEO in an apparent attempt to harass and intimidate the company.
Lord Nemesis, also known as Nemesis Kitten, initially emerged in late 2023, and the Rashim breach represents the newly formed group's first significant cyberattack.
Roy Golombick, CMO at Op Innovate, told Dark Reading that exactly how the attackers first gained entry to Rashim Software's systems remains confidential due to an ongoing investigation into the incident.
Golombick shared some details of the hacktivists' tradecraft, however. "The group used a known malicious IP from a local proxy server to Israel, thus overriding geo-blocking. This IP provided our research team with a valuable IOC [indicator of compromise] to identify access attempts," Golombick explained.
Op Innovate was able to confirm that Lord Nemesis operatives had successfully hijacked the admin account of Rashim Software, which held privileged access to the institute's student CRM system.
Exploiting these elevated credentials, the attackers connected to the institute's VPN outside of regular business hours and initiated data exfiltration, according to Op Innovate's report.
Log analysis revealed that the attackers had targeted servers and databases, including a SQL server containing sensitive student data. Op Innovate was unable to find definitive proof that personal student data was stolen as a result of the attack, but nonetheless concluded that such sensitive information was likely exposed.
The cyberattack appears limited to entities in Israel. "To our knowledge, and based on the attacker group's Telegram channel, it appears that the attack specifically targets Israeli organizations," Golombick says.
The attack illustrates the risk to organizations stemming from their reliance on third-party vendors and partners. Rather than hitting a targeted organization directly, attackers are increasingly finding it easier to breach software or technology suppliers through supply chain attacks that provide them a steppingstone to multiple prospective victim networks.
Golombick compared the attack on Rashim and its customers to the earlier Pay2Key campaign launched against the Israeli shipping and logistics sector in December 2020. Both incidents illustrate the importance of taking proactive steps to minimize supply chain risk.
"This includes implementing MFA [multi-factor authentication] on all users, not least those used by third-party vendors, and monitoring accounts for suspicious behavior such as out-of-hours activity and other red flags," Golombick advises.
Not surprisingly, he also recommends having a reputable IR firm on retainer "to ensure swift response to make those early critical hours count."
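The two detection signals Op Innovate describes above, a vendor-held admin account logging into the VPN outside business hours and a connection from a known malicious IP, can be turned into a simple log check. The script below is an added example written for this article, not code from Op Innovate or Rashim; the log format, the account name rashim_admin, the business-hours window and the IOC address (a TEST-NET placeholder) are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample VPN log lines (key=value format assumed; not real data).
SAMPLE_VPN_LOG = """\
2023-11-12T03:17:45Z user=rashim_admin src=203.0.113.45 action=vpn_login result=success
2023-11-13T10:02:10Z user=jdoe src=198.51.100.8 action=vpn_login result=success
2023-11-13T22:48:03Z user=rashim_admin src=203.0.113.45 action=vpn_login result=success
2023-11-14T09:15:00Z user=rashim_admin src=192.0.2.77 action=vpn_login result=success
"""

# Third-party vendor service accounts that should only be active in business hours.
VENDOR_ACCOUNTS = {"rashim_admin"}
# Placeholder IOC (TEST-NET-3 range); the real IP from the investigation is not public.
IOC_IPS = {ipaddress.ip_address("203.0.113.45")}
# Business-hours window, in the same timezone the log timestamps use (UTC here).
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    """Split one 'timestamp key=value ...' log line into a dict with a parsed 'ts'."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_out_of_hours(ts, hours=BUSINESS_HOURS):
    start, end = hours
    return not (start <= ts.time() < end)


def find_alerts(log_text):
    """Return (timestamp, user, src, reasons) for successful VPN logins that match a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("action") != "vpn_login" or ev.get("result") != "success":
            continue
        reasons = []
        if ev["user"] in VENDOR_ACCOUNTS and is_out_of_hours(ev["ts"]):
            reasons.append("vendor_account_out_of_hours")
        if ipaddress.ip_address(ev["src"]) in IOC_IPS:
            reasons.append("known_malicious_ip")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["src"], reasons))
    return alerts
```

Run against the sample log, the check flags the two night-time logins of the vendor account and leaves the daytime ones alone; in practice the same rules belong in the SIEM that already ingests the VPN logs.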
