New research has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named Abraham’s Ax that emerged in November 2022.
This is based on “several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity,” Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.
Moses Staff, tracked by the cybersecurity firm under the moniker Cobalt Sapling, made its first appearance on the threat landscape in September 2021 with the goal of primarily targeting Israeli organizations.
The geopolitical group is believed to be sponsored by the Iranian government and has since been linked to a string of espionage and sabotage attacks that make use of tools like StrifeWater RAT and open source utilities such as DiskCryptor to harvest sensitive information and lock victim data on infected hosts.
The crew is also known to maintain a leak site that’s used to distribute data stolen from their victims and disseminate their messaging, which includes “exposing the crimes of the Zionists in occupied Palestine.”
Now according to Secureworks’ analysis, “the Abraham’s Ax persona is being used in tandem to attack government ministries in Saudi Arabia” and that “this is likely in response to Saudi Arabia’s leadership role in improving relations between Israel and Arab nations.”
For its part, Abraham’s Ax claims to be operating on behalf of the Hezbollah Ummah despite no evidence to back it up. Hezbollah, which means “Party of Allah” in Arabic, is a Lebanese Shia Islamist political party and militant group that’s sponsored by Iran.
The striking overlaps in the modus operandi further raise the possibility that the operators behind Abraham’s Ax are likely leveraging the same custom malware which acts as a cryptographic wiper to encrypt data without offering a means to recover the data.
What’s more, both actors are united in their motivations in that they operate without a financial incentive, with the intrusions taking a more disruptive tone. The connections between the two groups is also evidenced by the fact the WordPress-based leak sites were hosted in the same subnet in the early stages.
“Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries,” Rafe Pilling, Secureworks principal researcher, said in a statement.
“Over the last couple of years an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran regarding association or responsibility for these attacks. This trend is likely to continue.”