Iranian APT Leaks Data From Saudi Arabia Government Under New Persona

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham’s Ax persona

The Iran-linked advanced persistent threat (APT) actor known as Moses Staff is leaking data stolen from Saudi Arabia government ministries using a recently created online persona.

Also referred to as Cobalt Sapling, Moses Staff has likely been active since November 2020, but its existence was not publicly revealed until September 2021.

A declared anti-Israeli and pro-Palestinian group, the APT had posted 16 leaks on its leaks website as of December 2022, mainly consisting of data stolen from Israeli companies or the personal information of individuals affiliated with an intelligence unit of the Israel Defense Forces.

The group was previously linked to the use of the PyDCrypt custom loader, the DCSrv cryptographic wiper that encrypts data and displays a bootloader message, the StrifeWater remote access trojan (RAT), and the DriveGuard auxiliary tool deployed to monitor the RAT’s execution.

In November 2022, a seemingly new hacktivist group claiming affiliation with Hezbollah, the Lebanese Shia Islamist political party and militant group, announced its existence under the Abraham’s Ax name. Secureworks, however, believes that this new persona is operated by Cobalt Sapling, the same APT that operates Moses Staff.

Connections between the two personas, the cybersecurity firm says, are numerous: both use a similar logo, their leak sites are similar (both have Tor versions), and those sites are hosted on the same subnet, at nearly adjacent addresses.

Like Moses Staff, Abraham’s Ax uses a biblical figure for its persona, and its claimed affiliation with Hezbollah has yet to be proven, Secureworks says.

As part of their activities, both groups have released videos, often depicting “Hollywood-style hacking involving satellites, CCTV, 3D building models, and fast scrolling through documents allegedly stolen as part of their operations”.

The videos show both repetition and evolution of visual themes, with Abraham’s Ax reusing stock video elements from Moses Staff and adding further visual embellishments on top.

To date, Abraham’s Ax has leaked data allegedly stolen from Saudi Arabia’s Ministry of the Interior and a video purportedly depicting an intercepted phone conversation between Saudi Arabian government ministers.

“Rather than attacking Israel directly, Abraham’s Ax attacks government ministries in Saudi Arabia. […] The group may be attacking Saudi Arabia in response to Saudi Arabia’s leadership role in improving relationships between Israel and Arab nations,” Secureworks notes.

The cybersecurity firm also notes that Abraham’s Ax does not appear to replace the Moses Staff persona, which has remained active, claiming in late November the hack of a CCTV system monitoring the site of a terrorist attack in Israel.

“Malware and technical indicators from Abraham’s Ax operations have not been identified. Assuming that both personas are operated by Cobalt Sapling, it is plausible that the threat actors use the same tools and techniques in their intrusions,” Secureworks notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
