Researchers Uncover Connection b/w Moses Staff and Emerging Abraham’s Ax Hacktivists Group



Jan 26, 2023 - Ravie Lakshmanan


New analysis has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named Abraham’s Ax that emerged in November 2022.

This is based on “a number of commonalities throughout the iconography, videography, and leak websites utilized by the teams, suggesting they’re possibly operated by the identical entity,” Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

Moses Staff, tracked by the cybersecurity firm under the moniker Cobalt Sapling, made its first appearance on the threat landscape in September 2021 with the goal of primarily targeting Israeli organizations.

The geopolitical group is believed to be sponsored by the Iranian government and has since been linked to a string of espionage and sabotage attacks that make use of tools like StrifeWater RAT and open source utilities such as DiskCryptor to harvest sensitive information and lock victim data on infected hosts.

The crew is also known to maintain a leak site that is used to distribute data stolen from their victims and disseminate their messaging, which includes “exposing the crimes of the Zionists in occupied Palestine.”

Now, according to Secureworks’ analysis, “the Abraham’s Ax persona is being utilized in tandem to assault government ministries in Saudi Arabia” and “this is possibly in response to Saudi Arabia’s leadership role in enhancing relations between Israel and Arab nations.”


For its part, Abraham’s Ax claims to be operating on behalf of the Hezbollah Ummah despite no evidence to back it up. Hezbollah, which means “Party of Allah” in Arabic, is a Lebanese Shia Islamist political party and militant group that is sponsored by Iran.

The striking overlaps in the modus operandi further raise the possibility that the operators behind Abraham’s Ax are leveraging the same custom malware, which acts as a cryptographic wiper to encrypt data without offering a means to recover it.

What’s more, both actors are united in their motivations in that they operate without a financial incentive, with the intrusions taking a more disruptive tone. The connection between the two groups is also evidenced by the fact that the WordPress-based leak sites were hosted in the same subnet in the early stages.

“Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries,” Rafe Pilling, Secureworks principal researcher, said in a statement.

“Over the last couple of years an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran regarding association or responsibility for these attacks. This trend is likely to continue.”
