News | January 27, 2023 | by Louise Roberts

Abraham’s Ax emerges as new persona from Iranian hacking group COBALT SAPLING targeting Saudi Arabia for political leverage

Analysis from Secureworks® shows COBALT SAPLING is likely responsible for both Moses Staff and Abraham’s Ax hacktivist personas

Secureworks® (NASDAQ: SCWX), a global leader in cybersecurity, published its latest analysis today from its Counter Threat Unit™ (CTU), revealing that the Iranian threat group COBALT SAPLING has re-emerged with a new persona, Abraham’s Ax. This is based on new findings that link the persona to Moses Staff, a known COBALT SAPLING hacktivist persona. Moses Staff is known for targeting Israeli companies to steal and leak sensitive data, and it has been operating since September 2021.

Moses Staff styles itself as an anti-Israeli and pro-Palestinian threat group with the primary aim of harassing and disrupting Israeli companies. The analysis indicates that the Abraham’s Ax persona is being used in tandem to attack government ministries in Saudi Arabia, likely in response to Saudi Arabia’s leadership role in improving relations between Israel and Arab nations, and that both personas are linked to COBALT SAPLING.

The CTU witnessed the emergence of Abraham’s Ax in November 2022, and although not a direct replacement for Moses Staff, it has striking similarities in its iconography, videography, and leak sites. Both groups’ logos depict similar images, with the Abraham’s Ax logo showing a clenched fist extended from a sleeve holding an axe, while Moses Staff shows a clenched fist holding a staff. Both Abraham’s Ax and Moses Staff also use a WordPress blog as the basis for their leak sites, including religious quotes throughout their site. The groups have also both produced and released videos as part of their operations, with clear repetition in iconography between the two groups.

Based on the similarities with Moses Staff, it’s plausible that the threat actors behind Abraham’s Ax use the same custom malware, which acts as a cryptographic wiper: it encrypts data without any offer from the group to release the keys in exchange for payment. The group obscures its intent behind criminal and hacktivist-style tactics but operates without a clear profit motive, with the attacks appearing to be politically motivated and focused on disruption and intimidation.

“There are clear political motivations behind this group, with information operations designed to destabilise delicate Israeli-Saudi Arabian relations, particularly as Saudi Arabia continues talks with Israel on normalising relations,” commented Rafe Pilling, Principal Researcher, Secureworks Counter Threat Unit™.

“Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries. Over the last couple of years an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran regarding association or responsibility for these attacks. This trend is likely to continue.”


About Secureworks

Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that protects customer progress with Secureworks® Taegis™, a cloud-native security analytics platform built on 20+ years of real-world threat intelligence and research, improving customers’ ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.

Connect with Secureworks via Twitter, LinkedIn and Facebook, and read the Secureworks Blog.