SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Secureworks finds Iranian threat group back with new persona
Wed, 1st Feb 2023

Secureworks has found that the Iranian threat group, Cobalt Sapling, has reemerged with a new persona, Abraham's Ax.

The finding comes from the latest analysis by Secureworks' Counter Threat Unit (CTU), which identifies Abraham's Ax as linked to Moses Staff, a known Cobalt Sapling hacktivist persona.

Moses Staff, which has been operating since September 2021, is known to target Israeli organisations, stealing and leaking their sensitive data.

Moses Staff describes itself as an anti-Israeli and pro-Palestinian threat group aiming solely to harass and disrupt Israeli companies.

The CTU's analysis suggests Abraham's Ax is being used in tandem to attack government ministries in Saudi Arabia.

The company suggests both personas are linked to Cobalt Sapling and that this is likely in response to Saudi Arabia's leadership role in improving relations between Israel and Arab nations.

Abraham's Ax emerged in November 2022, according to the CTU.

Although not directly replacing Moses Staff, the CTU says this group has very similar iconography, videography and leak sites.

Further, both groups depict similar images in their logos.

The Abraham's Ax logo shows a clenched fist extended from a sleeve holding an axe, while Moses Staff depicts a clenched fist holding a staff.

Both groups also use WordPress blogs as the basis for their leak sites, with religious quotes throughout.

Abraham's Ax and Moses Staff have also both made and released videos as part of their operations, with repeated iconography clearly showing up in both groups' content.

Based on these similarities with Moses Staff, the CTU says it is plausible that the threat actors responsible for creating Abraham's Ax use the same custom malware, which acts as a cryptographic wiper, encrypting data without an offer from the group to release keys in exchange for payments.

The group deliberately keeps its intent vague, using criminal and hacktivist-style tactics to operate without a clear profit motive.

What is clear, the CTU says, is that these attacks are politically motivated and focused on disruption and intimidation.

"There are clear political motivations behind this group with information operations designed to destabilise delicate Israeli-Saudi Arabian relations, particularly as Saudi Arabia continues talks with Israel on normalising relations," says Rafe Pilling, Principal Researcher, Secureworks Counter Threat Unit.

"Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries.

"Over the last couple of years, an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran regarding association or responsibility for these attacks.

"This trend is likely to continue."