Iranian Group Cobalt Sapling Targets Saudi Arabia With New Persona

A threat actor known as Cobalt Sapling has been spotted targeting Saudi Arabia for political influence by creating a new persona called “Abraham’s Ax”.

The findings come from cybersecurity experts at the Secureworks Counter Threat Unit (CTU), which released a new threat advisory earlier today.

In a report shared with Information security, Secureworks wrote in an email that the emergence of Abraham’s Ax and attacks on Saudi government ministries underscore its political objectives.

Rafe Pilling, principal investigator at Secureworks CTU, said: “There is a clear political motive behind this group to carry out information operations aimed at destabilizing the delicate relationship between Israel and Saudi Arabia, as Saudi Arabia continues talks to normalize relations with Israel.”

In addition, security researchers noticed that Abraham’s Ax mirrors the iconography, videography, and leak site of another threat actor known as Moses Staff. Both groups use similar logos and WordPress blogs as vehicles for their leak sites.

Both threat actors also appear to rely on the same custom malware, a crypto wiper that encrypts data without offering to release the keys in exchange for payment.

At the same time, Secureworks noted that the Abraham’s Ax persona did not appear to have directly replaced Moses Staff. The latter group’s leak site and its Telegram channel remained active after the emergence of Abraham’s Ax.

“Iran has a history of using proxy groups and fabricated personas to target regional and international adversaries,” Pilling added.

“While the past few years have seen an increase in the number of personas of criminals and hacktivist groups targeting those considered enemies of Iran, there have been plausible denials by the Iranian government of involvement in or responsibility for these attacks, and this trend is likely to continue.”

To mitigate exposure to this malware, the Secureworks team recommended that organizations use available controls to review and restrict access using the indicators listed in the advisory.

Its publication comes a few hours after the UK National Cyber Security Centre (NCSC) warned against spear phishing attacks by Russian and Iranian attackers, including Cobalt Sapling’s Abraham’s Ax.
