Israel announces Iran, Hezbollah were behind Ziv Hospital cyber attack

Hackers succeeded at breaking through information security systems to access sensitive personal details.

Iranian flag and cyber code [Illustrative] (photo credit: PIXABAY)
Iranian flag and cyber code [Illustrative]
(photo credit: PIXABAY)

The Israel National Cyber Directorate on Monday named Iran and Hezbollah as responsible for the cyberattack last month against Safed’s Ziv Medical Center. The directorate said that the goal was not only to obstruct the hospital’s operations, but to damage Israel’s general resilience mid-war, particularly while hospitals are overloaded with patients.

The INCD identified the hacker group as AGRIUS, which is connected to the Iranian Intelligence Ministry, and which used Lebanese Cedar, a group linked to Hezbollah. Mohammed Ali Marai was identified as the lead operator for the Hezbollah hacking group.

The hack was partially successful; hackers succeeded at breaking into the hospital’s information systems to access patients’ sensitive, personal details, and then they released this data online.

However, the hospital and INCD succeeded in blocking the hackers from interfering with the hospital’s general operations.

  Ziv Medical Center (credit: ZIV MEDICAL CENTER)
Ziv Medical Center (credit: ZIV MEDICAL CENTER)

Although there was a temporary period in which the hospital disconnected from many of its electronic services, relying on traditional backup systems for keeping ongoing records instead, none of the healthcare facility’s actual medical equipment was compromised at any point.

The fight over personal data

The directorate added that its previously obtained court order, prohibiting publicizing any of the stolen personal data on any websites which Israel has sovereignty over, remains in force, and that it succeeded in compelling sites to take down some of the personal data shortly after the information was published.

The INCD did not explain why the hackers prevailed in penetrating the hospital’s information security systems, or what the damage impact assessment was on the data that had already been leaked.

Close to the directorate’s announcement, and in a not-so-secretive presumed response from Israel to Iran, a hacktivist group called the Predatory Sparrow (Gonjeshke Darande in Persian) claimed that it had disabled the majority of gas stations across Iran in a cyberattack on Monday.

“We, Gonjeshke Darande, carried out another cyberattack today, taking out a majority of the gas pumps throughout Iran. This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region. [Iranian Supreme Leader Ali] Khamenei, playing with fire has a price,” the group wrote in a statement.

“A month ago, we warned you that we’re back and that we will impose cost [sic] for your provocations. This is just a taste of what we have in store,” added the group, attaching screenshots of documents they claimed to have acquired from the affected gas stations’ servers.


Stay updated with the latest news!

Subscribe to The Jerusalem Post Newsletter


The hacktivist group has previously claimed responsibility for cyberattacks targeting gas stations, the railway system, and steel plants in Iran.

Iran has accused the Mossad of being connected to some of these cyberattacks, and some Israeli officials have unofficially confirmed the Jewish state’s involvement in some of them – off the record.

Jerusalem Post Staff contributed to this report.