Researchers Uncover Connection b/w Moses Staff and Emerging Abraham’s Ax Hacktivists Group

January 26, 2023 · Ravie Lakshmanan


A new analysis of the activities of the politically motivated hacktivist group known as Moses Staff has linked it to an emerging threat actor called Abraham's Ax, which surfaced in November 2022.

"The iconography, videos, and leak sites used by these groups have several things in common, suggesting a high degree of likelihood that they are operated by the same organization," the Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

Moses Staff, tracked by the cybersecurity firm under the name Cobalt Sapling, first appeared in the threat landscape in September 2021, primarily with the aim of targeting Israeli organizations.

The geopolitically motivated group, believed to be sponsored by the Iranian government, has been associated with a series of espionage and sabotage attacks that use tools such as the StrifeWater RAT and open source utilities such as DiskCryptor to gather sensitive information and lock victim data on infected hosts.

The crew is also known to maintain leak sites that are used to disseminate data stolen from victims and to spread messages, including the stated goal of "exposing Zionist crimes in occupied Palestine."

According to the Secureworks analysis, the Abraham's Ax persona has been used in concert to attack Saudi government ministries, likely in response to Saudi Arabia's role in improving relations between Israel and Arab countries.


Abraham's Ax claims to act on behalf of Hezbollah Ummah, despite there being no evidence to support that claim. Hezbollah, which means "Party of Allah" in Arabic, is a Lebanese Shia Islamist political party and an Iran-backed militant group.

The significant overlap in modus operandi is further reinforced by the likelihood that the operators behind Abraham's Ax are using the same custom malware, which acts as a cryptographic wiper: it encrypts data without providing any means of recovering it.

Additionally, both actors are aligned in their motives in that they operate without financial incentive, which gives their intrusions a more destructive tone. The link between the two groups is also evidenced by the fact that their WordPress-based leak sites were hosted on the same subnet in their early days.

"Iran has a history of using proxy groups and fabricated personas to target regional and international adversaries," Rafe Pilling, principal researcher at Secureworks, said in a statement.

"While the past few years have seen an increase in the number of criminal and hacktivist group personas targeting those considered enemies of Iran, these attacks have given the Iranian government plausible deniability of involvement in or responsibility for them, and this trend is likely to continue."
