{
	"id": "4229f3f4-9bab-4581-8ebf-1a35a5ab4b90",
	"created_at": "2026-04-06T00:13:28.084374Z",
	"updated_at": "2026-04-10T03:31:41.347605Z",
	"deleted_at": null,
	"sha1_hash": "67554dd9abb95e95a3e342e8f76306e444d4fdc5",
	"title": "Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector - OP INNOVATE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1239532,
	"plain_text": "Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector - OP INNOVATE\r\nBy Roy Golombick\r\nPublished: 2024-03-07 · Archived: 2026-04-05 23:41:56 UTC\r\nLord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector\r\nThe Iranian hacktivist group Lord Nemesis, also known as ‘Nemesis Kitten’, emerged onto the cyber scene in late 2023 and has previously declared its intention to target Israeli-based organizations. One of this Iranian-funded hacking group’s goals is to instill fear in its victims. The damage the group causes, while a real technical concern for any organization, can be reduced by understanding that panic is part of its objective and by keeping the reaction to its activity measured.\r\nFrom their dramatic website, which features a sinister-looking dark lord, to their modus operandi, which involves silently infiltrating networks, exfiltrating data, and gradually releasing their findings to the global web, the group’s actions are calculated to maximize the psychological impact on their victims. By sending ominous warning messages about future actions, Lord Nemesis aims to create an atmosphere of uncertainty and anxiety among their targets.\r\nhttps://op-c.net/blog/lord-nemesis-strikes-supply-chain-attack-on-the-israeli-academic-sector/\r\nPage 1 of 9\r\nFigure 1: Image on LordNemesis website\r\nThe group’s first significant success came in late November 2023 when they claimed responsibility for breaching Rashim Software, a leading provider of academic administration and training management software solutions in Israel. 
Lord Nemesis allegedly used the credentials obtained from the Rashim breach to infiltrate several of the company’s clients, including numerous academic institutes.\r\nFigure 2: Rashim Customers\r\nRashim Software Ltd. is a prominent player in the Israeli market, offering a wide range of software solutions to universities and colleges. One of their key products is a student CRM called Michlol, which is widely used by academic institutions across the country.\r\nAccording to Lord Nemesis, they managed to gain complete access to Rashim’s infrastructure and exploited this access to send an email to over 200 of Rashim’s customers and colleagues. The group claims to have obtained sensitive information during the breach, which they may use for further attacks or to exert pressure on the affected organizations.\r\nFigure 3: List of Rashim databases before deletion\r\nOne of the critical factors that allowed Lord Nemesis to extend its attack beyond Rashim was the company’s practice of maintaining an admin user account on some of its customer systems. By hijacking this admin account, the attackers were able to log in over the VPNs of numerous organizations that relied on the Michlol CRM, potentially compromising the security of these institutions and putting their data at risk.\r\nIn some cases, the multi-factor authentication (MFA) implemented by Rashim proved inadequate in defending against the malicious actor. 
The attacker circumvented the MFA by compromising Rashim’s Office365 infrastructure, which served as the basis for the email-based authentication: the second factor was delivered to Rashim mailboxes that the attacker already controlled.\r\nTo instill fear in its victims and demonstrate the extent of its access, “Lord Nemesis” contacted a list of Rashim’s users and colleagues via Rashim’s email system on March 4th. This communication occurred more than three months after the initial breach of Rashim’s infrastructure, highlighting the attacker’s prolonged presence within the system.\r\nFigure 4. LordNemesis message to customers and colleagues of Rashim.\r\nLord Nemesis, in an unusual move for a hacktivist group, provided an accurate description of the attack in an online post. This demonstrates their direct involvement and desire for public attribution, setting this incident apart from financially motivated attacks typically carried out by cybercriminals.\r\nOur incident response team was called to assist one of the victims, an Israeli academic institute, in the wake of the breach. The initial investigation confirmed that Lord Nemesis operatives had hijacked the admin account of Rashim Software Ltd., which held privileged access to the institute’s student CRM system. Exploiting these elevated credentials, the attackers connected to the institute’s VPN outside of regular business hours and initiated data exfiltration.\r\nA thorough examination of the logs revealed that the attackers had specifically targeted critical servers and databases, with a particular focus on the SQL server containing sensitive student information. 
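The off-hours VPN login with a vendor-held admin account described above is a pattern that can be caught from VPN authentication logs. The following is an added example, not code from the OP Innovate report, from Rashim, or from the institute: a small Python detector that flags logins from the three IOC addresses listed at the end of the report (regardless of account), vendor-account logins outside business hours, and vendor-account logins with no approved just-in-time access window, which is the just-in-time access control the report goes on to recommend. The log format, the account names rashim_admin and svc_michlol, the business hours, the Sunday-to-Thursday Israeli workweek and the single JIT grant are constructed assumptions; the five log lines are constructed sample input, not logs from the incident.

```python
# Added example (not from the OP Innovate report): flag vendor-account VPN
# logins matching the Rashim pattern. Log format, account names, business
# hours and the JIT grant are constructed assumptions; the three IP addresses
# are the IOCs listed in the report.
from datetime import datetime, time

# IOCs published in the report (firewall block list)
IOC_IPS = {'45.150.108.242', '195.20.17.128', '195.20.17.171'}

# Assumed: accounts the software vendor holds on our systems (hypothetical names)
VENDOR_ACCOUNTS = {'rashim_admin', 'svc_michlol'}

# Assumed business hours on an Israeli Sunday-to-Thursday workweek;
# datetime.weekday(): Monday=0 ... Sunday=6
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
WORKDAYS = {6, 0, 1, 2, 3}

# Assumed just-in-time grants: (account, window start, window end) approved
# by the institute; a vendor login outside any window is a finding
JIT_GRANTS = [
    ('rashim_admin', datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 12, 0)),
]

# Constructed sample VPN authentication log: date time user source_ip result
SAMPLE_LOG = '''
2024-01-10 09:15:02 rashim_admin 203.0.113.7 SUCCESS
2024-01-13 02:41:19 rashim_admin 195.20.17.128 SUCCESS
2024-01-13 02:42:05 rashim_admin 195.20.17.128 SUCCESS
2024-01-14 11:03:44 j.doe 198.51.100.23 SUCCESS
2024-01-15 23:10:00 svc_michlol 203.0.113.9 FAILURE
'''


def parse_line(line):
    '''Parse one whitespace-separated log line into a dict with a datetime.'''
    date, clock, user, ip, result = line.split()
    ts = datetime.strptime(date + ' ' + clock, '%Y-%m-%d %H:%M:%S')
    return {'ts': ts, 'user': user, 'ip': ip, 'result': result}


def in_business_hours(ts):
    '''True when ts falls on a workday inside the assumed business hours.'''
    return ts.weekday() in WORKDAYS and BUSINESS_START <= ts.time() < BUSINESS_END


def has_jit_grant(user, ts):
    '''True when an approved JIT window for this account covers ts.'''
    return any(u == user and start <= ts <= end for u, start, end in JIT_GRANTS)


def evaluate(event):
    '''Return the names of the rules that fire for one parsed event.'''
    reasons = []
    if event['ip'] in IOC_IPS:
        reasons.append('ioc_ip')  # known attacker infrastructure, any account
    if event['user'] in VENDOR_ACCOUNTS:
        if not in_business_hours(event['ts']):
            reasons.append('vendor_off_hours')
        if not has_jit_grant(event['user'], event['ts']):
            reasons.append('vendor_no_jit_grant')
    return reasons


def analyze(log_text):
    '''Run every rule over every line; return only the events that fired.'''
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        reasons = evaluate(event)
        if reasons:
            findings.append({**event, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f['ts'], f['user'], f['ip'], f['result'], ','.join(f['reasons']))
```

Run as a script it prints the three flagged events: the two Saturday-night logins from the IOC address (all three rules fire) and the late-night attempt on the second vendor account (off-hours and no JIT window). The first line, a vendor login inside an approved window during business hours, is silent, which is the point of pairing a time-bounded grant with the account rather than leaving a standing admin credential; in a real deployment the account list and grants would come from the access-request system, and the ioc_ip rule stays unconditional because the report lists those addresses for outright blocking.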
Although conclusive evidence of data theft was not found, our incident response team assessed a high probability that personal student data had been extracted during the attack.\r\nAttack Highlights Third-Party Risk\r\nThe incident highlights the significant risks posed by third-party vendors and partners (a supply chain attack). By compromising Rashim’s admin account, the Lord Nemesis group effectively circumvented the security measures put in place by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data.\r\nOur investigation into the attack revealed that the perpetrators likely possessed prior knowledge of and familiarity with both Rashim’s infrastructure and its customers’ IT environments. This allowed the attackers to swiftly identify and compromise critical systems with minimal probing or enumeration, indicating a level of sophistication and planning that goes beyond typical opportunistic attacks.\r\nVideo of Lord Nemesis deleting databases from Rashim server.\r\nStrengthening Defenses Against Hacktivists\r\nThe attack carried out by Lord Nemesis indicates that they may have compromised Rashim’s systems well in advance, using the intervening time to perform reconnaissance and planning. This theory is supported by the lack of widespread scanning or probing activity during the attack: the group appeared to have a clear understanding of its targets and objectives, and triggered no alerts once it accessed the victims’ infrastructure, because it worked under the radar using a legitimate user account.\r\nNation-state hackers vs. limited-resource companies\r\nThis attack highlights the growing threat of nation-state actors targeting smaller, resource-limited companies as a means to further their geopolitical agendas. 
In this case, Iran, a well-known sponsor of cyber terrorism, has set its sights on Israeli organizations, seeking to disrupt operations, steal sensitive data, and sow fear within the cyber domain. The attackers went as far as leaking personal videos and images of Rashim’s CEO, demonstrating their willingness to employ any means necessary to intimidate and harass their targets.\r\nFigure 5. Snapshot of private video of Rashim CEO published by LordNemesis\r\nThis incident is a clear example of a David vs. Goliath scenario, where smaller companies like Rashim find themselves pitted against the vast resources and capabilities of a nation-state. It is highly unlikely that a single individual orchestrated this attack; rather, it bears the hallmarks of a coordinated effort by a well-organized group with significant backing and support.\r\nUnlike financially motivated cybercriminals, the attackers in this case were not driven by the prospect of monetary gain. Instead, their actions align with the goals of a terror attack, aiming to undermine the sense of security and stability within the targeted organizations and, by extension, the wider Israeli society.\r\nIn the face of such daunting odds, it is crucial for companies like Rashim and their clients to have access to expert assistance when dealing with the aftermath of a cyber attack. This is where firms like OP Innovate play a vital role, providing the knowledge, experience, and resources needed to investigate, contain, and remediate the incident. By acting swiftly and decisively, OP Innovate was able to uncover the extent of the compromise, assess the potential impact, and guide the affected organization (an academic institute) towards a path of recovery.\r\nVideo of Lord Nemesis revealing the SQL password.\r\nThe implications of this attack extend far beyond the Israeli academic institutes that engaged our incident response team. The fact that a single compromised admin account at a third-party vendor could lead to the breach of multiple organizations highlights the urgent need for more robust vendor risk management practices and increased scrutiny of third-party access privileges.\r\nOrganizations must recognize that their security posture is only as strong as the weakest link in their supply chain. Conducting thorough due diligence on vendors, implementing strict access controls, multi-factor authentication with the second factor delivered to a mobile device rather than to email, just-in-time access, and continuous monitoring of third-party activity should be prioritized to mitigate the risk of cascading breaches originating from trusted partners.\r\nFurthermore, the attack demonstrates the evolving nature of the threat landscape, with hacktivist groups like Lord Nemesis increasingly targeting organizations for ideological and political purposes. As such, organizations must remain vigilant and proactive in their cybersecurity efforts, staying abreast of emerging threats and implementing adaptive security measures to safeguard their assets and data.\r\nIn response to the attack, OP Innovate has provided a number of our customers with a series of recommendations to bolster their cyber defenses and reduce their third-party attack surface. 
Key measures include deploying EDR across endpoints, enforcing MFA, limiting vendor access privileges, upgrading legacy systems, mapping all external assets (attack surface management, ASM), and conducting regular internal infrastructure and external penetration testing.\r\nWhile the unique motivations of hacktivist groups like Lord Nemesis can make deterrence challenging, improving the institute’s overall security posture can help minimize damage and hasten recovery in the event of future incidents. As geopolitical tensions continue to rise, organizations must remain vigilant against hacktivists seeking to advance their cause through disruptive cyber attacks.\r\nAttacker IOCs for firewall blocking:\r\n45.150.108.242\r\n195.20.17.128\r\n195.20.17.171\r\nTimeline analysis\r\n1. 30/11/2023 – Attacker gained access to the account of Rashim’s CEO (Ron Hary)\r\n2. 04/12/2023 – Attacker sent videos portraying the attacker using Ron’s user to access emails and meetings (on Teams)\r\n3. 13/01/2024 – 1st academic institute noticed malicious access using Rashim VPN credentials; MFA bypassed using access to Rashim email\r\n4. 13/02/2024 – 2nd academic institute noticed malicious access using Rashim VPN credentials\r\n5. 23/02/2024 – 3rd academic institute noticed malicious access using Rashim VPN credentials\r\n6. 03/03/2024 – Lord Nemesis publishes its actions on the Rashim network, proving the deletion of the SQL database\r\n7. 04/03/2024 – Lord Nemesis contacts all Rashim customers via a Rashim domain user and ‘warns’ of future activities\r\n8. 04/03/2024 – Lord Nemesis targets academic institutes and leaks sensitive information claimed to be exfiltrated from their databases\r\n9. We know of at least two more victims for which details of the attacker’s activities are disclosed\r\nFigure 6 – Lord Nemesis Attack Timeline\r\nSource: https://op-c.net/blog/lord-nemesis-strikes-supply-chain-attack-on-the-israeli-academic-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://op-c.net/blog/lord-nemesis-strikes-supply-chain-attack-on-the-israeli-academic-sector/"
	],
	"report_names": [
		"lord-nemesis-strikes-supply-chain-attack-on-the-israeli-academic-sector"
	],
	"threat_actors": [
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775791901,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67554dd9abb95e95a3e342e8f76306e444d4fdc5.pdf",
		"text": "https://archive.orkl.eu/67554dd9abb95e95a3e342e8f76306e444d4fdc5.txt",
		"img": "https://archive.orkl.eu/67554dd9abb95e95a3e342e8f76306e444d4fdc5.jpg"
	}
}