{"id":16735,"date":"2023-01-27T14:32:34","date_gmt":"2023-01-27T13:32:34","guid":{"rendered":"https:\/\/www.show.it\/iranian-apt-leaks-data-from-saudi-arabia-government-under-new-persona\/"},"modified":"2023-01-27T14:32:34","modified_gmt":"2023-01-27T13:32:34","slug":"iranian-apt-leaks-data-from-saudi-arabia-government-under-new-persona","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/iranian-apt-leaks-data-from-saudi-arabia-government-under-new-persona\/","title":{"rendered":"Iranian APT Leaks Data From Saudi Arabia Government Under New Persona"},"content":{"rendered":"<p><strong>The Iran-linked advanced persistent threat (APT) actor known as Moses Staff is leaking data stolen from Saudi Arabia government ministries using a recently created online persona.<\/strong><\/p>\n<p>Also referred to as Cobalt Sapling,<a href=\"https:\/\/www.securityweek.com\/newly-detected-strifewater-rat-linked-iranian-apt\/\" target=\"_blank\" rel=\"noreferrer noopener\"> Moses Staff<\/a> has likely been active since November 2020, but its existence was not revealed until September 2021.<\/p>\n<p>A declared anti-Israeli and pro-Palestinian group, the APT had posted 16 activities on its leaks website as of December 2022, mainly consisting of data stolen from Israeli companies, or the personal information of individuals affiliated with an Israeli intelligence unit of the Israel Defense Forces.<\/p>\n<p>The group was previously linked to the use of the PyDCrypt custom loader, the DCSrv cryptographic wiper that encrypts data and displays a bootloader message, the StrifeWater remote access trojan (RAT), and the DriveGuard auxiliary tool deployed to monitor the RAT\u2019s execution.<\/p>\n<p>In November 2022, a seemingly new hacktivist group claiming affiliation with the Hezbollah Ummah Lebanese Shia Islamist political party and militant group announced their existence<a href=\"https:\/\/www.secureworks.com\/blog\/abrahams-ax-likely-linked-to-moses-staff\" target=\"_blank\" 
rel=\"noreferrer noopener\"> under the Abraham\u2019s Ax name<\/a>, but Secureworks believes that this new persona is operated by Cobalt Sapling, the same APT that operates Moses Staff.<\/p>\n<p>Connections between the two groups, the cybersecurity firm says, are plentiful, starting with the use of a similar logo, similarities in leak sites (both of which have Tor versions), and the hosting of these sites on the same subnet, nearly adjacent to each other.<\/p>\n<p>Like Moses Staff, Abraham\u2019s Ax uses a biblical figure for their persona, and their claimed affiliation with Hezbollah has yet to be proven, Secureworks says.<\/p>\n<p>As part of their activities, both groups have released videos, often depicting \u201cHollywood-style hacking involving satellites, CCTV, 3D building models, and fast scrolling through documents allegedly stolen as part of their operations\u201d.<\/p>\n<p>The videos show repetition and evolution of visual themes, with Abraham\u2019s Ax reusing stock video elements from Moses Staff, with additional visual embellishments on top.<\/p>\n<p>To date, Abraham\u2019s Ax has leaked data allegedly stolen from Saudi Arabia\u2019s Ministry of the Interior and a video purportedly depicting an intercepted phone conversation between Saudi Arabian government ministers.<\/p>\n<p>\u201cRather than attacking Israel directly, Abraham\u2019s Ax attacks government ministries in Saudi Arabia. [\u2026] The group may be attacking Saudi Arabia in response to Saudi Arabia\u2019s leadership role in improving relationships between Israel and Arab nations,\u201d Secureworks notes.<\/p>\n<p>The cybersecurity firm also notes that Abraham\u2019s Ax does not appear to replace the Moses Staff persona, which has remained active, claiming in late November the hack of a CCTV system monitoring the site of a terrorist attack in Israel.<\/p>\n<p>\u201cMalware and technical indicators from Abraham\u2019s Ax operations have not been identified. 
Assuming that both personas are operated by Cobalt Sapling, it is plausible that the threat actors use the same tools and techniques in their intrusions,\u201d Secureworks notes.<\/p>\n<p><strong>Related:<\/strong><a href=\"https:\/\/www.securityweek.com\/uk-gov-warns-of-phishing-attacks-launched-by-iranian-russian-cyberspies\/\"> UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies<\/a><\/p>\n<p><strong>Related:<a href=\"https:\/\/www.securityweek.com\/iranian-hackers-deliver-new-fantasy-wiper-diamond-industry-supply-chain-attack\/\"> <\/a><\/strong><a href=\"https:\/\/www.securityweek.com\/iranian-hackers-deliver-new-fantasy-wiper-diamond-industry-supply-chain-attack\/\">Iranian Hackers Deliver New \u2018Fantasy\u2019 Wiper to Diamond Industry via Supply Chain Attack<\/a><\/p>\n<p><strong>Related:<\/strong><a href=\"https:\/\/www.securityweek.com\/religious-minority-persecuted-iran-targeted-sophisticated-android-spyware\/\"> Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/iranian-apt-leaks-data-from-saudi-arabia-government-under-new-persona\/\">Iranian APT Leaks Data From Saudi Arabia Government Under New Persona<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Iran-linked advanced persistent threat (APT) actor known as Moses Staff is leaking data stolen from Saudi Arabia government ministries using a recently created online persona. Also referred to as Cobalt Sapling, Moses Staff has likely been active since November 2020, but its existence was not revealed until September 2021. 
A declared anti-Israeli and pro-Palestinian [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16736,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[28,110],"tags":[],"class_list":["post-16735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberwarfare","category-iran"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16735"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16735\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16736"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}