Recent findings have established a connection between the politically driven hacktivist group known as Moses Staff and a newly emerging threat actor referred to as Abraham’s Ax, which appeared on the cybersecurity radar in November 2022. This assessment is grounded in shared elements in iconography, video content, and leak sites utilized by both groups, indicating that they may be managed by the same organization, as reported by Secureworks’ Counter Threat Unit (CTU).
Identified as Cobalt Sapling, Moses Staff first surfaced in September 2021, aiming primarily at Israeli entities. The group is widely believed to have state support from Iran and has been attributed to various espionage and sabotage operations, deploying tools like StrifeWater RAT and open-source applications such as DiskCryptor. These tools are designed for gathering sensitive information from compromised targets and encrypting their data.
Moreover, Moses Staff operates a leak site that disseminates information extracted from victims while presenting a narrative aimed at highlighting what it perceives as the misdeeds of Zionist entities in occupied territories. Recent analyses from Secureworks suggest that Abraham’s Ax is currently executing attacks against government ministries in Saudi Arabia as a counteraction to the nation’s recent collaborations with Israel.
This response is part of broader geopolitical tensions, particularly concerning Saudi Arabia’s evolving ties with Israel in the wake of improved diplomatic relations among Arab nations. Notably, Abraham’s Ax has claimed to function on behalf of Hezbollah’s Ummah, even though there is no substantial evidence supporting this assertion. Hezbollah, a Lebanese Shia Islamist entity, operates with substantial Iranian backing.
Significant overlap in operational methods raises the possibility that both groups are using similar custom malware that functions as a cryptographic wiper: it encrypts the victim's data but, unlike ransomware, is not designed to allow recovery. The alignment in their objectives suggests a shared ideology in which financial gain is secondary, with both groups favoring disruptive impact over monetary reward.
Evidence of their interconnectedness also surfaces in the hosting of WordPress-based leak sites within the same subnet during initial activities. However, it appears that Abraham’s Ax does not intend to replace Moses Staff, which has remained active and claimed to have compromised a surveillance system linked to a terrorist attack in Israel in late November 2022.
As noted by Rafe Pilling from Secureworks, Iranian strategies frequently involve leveraging proxy groups and fabricated identities to confront regional adversaries, providing the Iranian government with plausible deniability regarding involvement in these actions. Over recent years, the proliferation of criminal and hacktivist personas aimed at targeting perceived enemies of Iran has been noted, a trend that is expected to persist.