Iranian-connected advanced persistent threat (APT) Cobalt Sapling was discovered in September 2021, but evidence of its activity suggests it has been active since November 2020. This hacktivist group is known for anti-Israel sentiment, data extortion and encryption attacks, and propaganda material, among other things. Its motives appear to be purely political: it never demands ransom or provides decryption. The interesting aspect of this threat actor is that Cobalt Sapling is suspected of operating under another persona, Moses Staff (aka Marigold Sandstorm), and, most recently, under a further Iranian-linked identity first observed in 2022, Abraham’s Ax.
Moses Staff
Most often referred to as an alias to Cobalt Sapling, Moses Staff is a declared pro-Palestinian and anti-Israeli threat actor group. While other threat actor groups make demands for ransom and have financial motivation, this group said online their purpose of attacking Israeli companies is to “Fight against the resistance and expose the crimes of the Zionists in the occupied territories.” Most of their data leaks consist of stolen data from Israeli companies or individuals connected to the Israeli intelligence unit of the Israel Defense Forces. They make no demand for ransom for the data but leak it instead with the goal of solely causing damage. Israeli companies are not the only targets of this Iranian hacker group, they have also targeted various countries including Germany, Italy, Chile, Turkey, and the United States, impacting several industries like Government, Finance, Energy and more.
Moses Staff gains initial access to victim networks by exploiting known vulnerabilities in unpatched public-facing infrastructure. After breaching the systems, they use PsExec, WMIC, and PowerShell to move laterally through the network. PsExec is a command-line utility from Microsoft’s Sysinternals suite that lets administrators run commands on remote systems without installing software on them. WMIC (Windows Management Instrumentation Command-line) is a command-line tool that lets administrators manage and retrieve information about Windows systems through WMI, enabling tasks such as querying system information and managing processes. Next, Moses Staff deploys one of its main tools, the custom PyDCrypt malware, an open-source Python tool packaged with PyInstaller. It drops the main encryption payload, DCSrv, a ransomware variant based on DiskCryptor. Notably, the group tailored a unique PyDCrypt sample for each targeted organization. This custom malware is usually found at the path C:\Users\Public\csrss.exe.
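The paragraph above gives a defender three concrete things to look for: a file named csrss.exe running from C:\Users\Public rather than from System32, PsExec and WMIC being used for remote execution, and PowerShell being launched as a result. The following script is an added illustration, not code from the article or from any of the groups it describes: it parses constructed Sysmon-style process-creation records (the hostnames, paths and command lines are made up for the example) and flags events matching those three patterns. The PSEXESVC service name, the `wmic /node: ... process call create` syntax, and WmiPrvSE.exe as the parent of WMI-launched processes are general Windows facts assumed here; they are not stated on the page.

```python
"""Flag process-creation events consistent with the lateral-movement and
payload-drop behaviour described above.  Added example; all records below
are constructed, not real telemetry."""
import json
from pathlib import PureWindowsPath

# Constructed JSON-lines records modelled on Sysmon Event ID 1 fields.
# Backslashes are doubled because the text is parsed as JSON.
SAMPLE_JSONL = r"""
{"host": "ws01", "image": "C:\\Windows\\System32\\csrss.exe", "parent_image": "C:\\Windows\\System32\\smss.exe", "cmdline": "csrss.exe"}
{"host": "ws01", "image": "C:\\Users\\Public\\csrss.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "C:\\Users\\Public\\csrss.exe"}
{"host": "srv02", "image": "C:\\Windows\\PSEXESVC.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "cmdline": "PSEXESVC.exe"}
{"host": "srv02", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "wmic /node:srv03 process call create powershell.exe"}
{"host": "srv03", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "cmdline": "powershell.exe"}
{"host": "ws05", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"}
"""


def parse_events(jsonl_text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def masquerading_csrss(event):
    """True when a process named csrss.exe runs from anywhere other than
    %SystemRoot%\\System32, the only location the genuine binary lives in.
    PureWindowsPath handles case-insensitive names and mixed separators."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() != "csrss.exe":
        return False
    return not str(image.parent).lower().endswith(r"\windows\system32")


def analyze(events):
    """Return (host, description) findings for each suspicious event.
    One event can produce several findings; benign events produce none."""
    findings = []
    for event in events:
        name = PureWindowsPath(event["image"]).name.lower()
        parent = PureWindowsPath(event["parent_image"]).name.lower()
        cmdline = event["cmdline"].lower()

        if masquerading_csrss(event):
            findings.append((event["host"],
                             "csrss.exe outside System32 (matches PyDCrypt drop path)"))
        # PsExec installs and starts a temporary service named PSEXESVC on the target.
        if name == "psexesvc.exe":
            findings.append((event["host"], "PSEXESVC started: PsExec remote execution"))
        # WMIC pointed at another host with 'process call create' is remote execution.
        if name == "wmic.exe" and "/node:" in cmdline and "process call create" in cmdline:
            findings.append((event["host"], "WMIC remote process creation"))
        # WmiPrvSE.exe as the parent of PowerShell indicates WMI-initiated execution.
        if name == "powershell.exe" and parent == "wmiprvse.exe":
            findings.append((event["host"], "PowerShell spawned by WMI provider host"))
    return findings


if __name__ == "__main__":
    for host, description in analyze(parse_events(SAMPLE_JSONL)):
        print(f"{host}: {description}")
```

On the constructed input the script reports four findings (the fake csrss.exe on ws01, PSEXESVC and the WMIC call on srv02, and the WMI-spawned PowerShell on srv03) and stays silent on the legitimate csrss.exe and notepad.exe events. Against real telemetry the same checks would be fed from Sysmon or EDR process-creation events rather than an embedded string.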
In a more recent development, researchers at Cybereason Nocturnus identified a previously unknown Remote Access Trojan (RAT) used by Moses Staff, named Strifewater. This RAT stands out for its ability to evade detection by removing itself from compromised systems. Strifewater can also execute commands, capture screens, and download additional extensions. For a more complete look at this APT’s behavior and techniques, see below:
Abraham’s Ax
Abraham’s Ax revealed its presence and mission through social media on November 8, 2022. This identity of Cobalt Sapling claimed to work on behalf of Hezbollah Ummah; Hezbollah, which translates to ‘Party of Allah’ in Arabic, is a Lebanese Shia Islamist political party and militant group backed by Iran. However, there is no evidence supporting this claim. Unlike the Moses Staff persona, this hacktivist group appeared focused on Saudi Arabia. A few days after announcing its existence, the group claimed to have breached Saudi Arabia’s Ministry of Interior and released a sample of the compromised data. It also released a video claiming to feature audio from intercepted phone calls between senior Saudi and Israeli officials. Like Moses Staff, the threat actors have used the custom PyDCrypt loader and the DCSrv cryptographic wiper. As Saudi Arabia and Israel strengthen their ties, Secureworks views Abraham’s Ax as Iran’s latest effort to disrupt the emerging Saudi-Israeli alliance. Some groups, like Moses Staff, are known for delivering a clear message, releasing hacked materials, and maintaining long-term activity, while others, such as Abraham’s Ax, appear briefly to publish stolen data and then quickly vanish. Following this one attack, Abraham’s Ax ceased activity, appearing to have been a single-use operation.
The Shared Characteristics
The commonalities between Moses Staff and Abraham’s Ax are evident. As cybersecurity firm Secureworks pointed out, both use a biblical figure for their persona. If you compare the two groups’ logos side by side, you can see the same iconography. Additionally, both groups have produced videos showing “Hollywood-style hacking,” including 3D building models, satellites, CCTV, and fast-moving document scrolling. Both initially operated their leak sites as WordPress blogs hosted on the same subnet, and both offer Tor versions of their leak sites. Moses Staff’s sites are available in Hebrew and English, while Abraham’s Ax sites are available in Hebrew, English, and Farsi. They use similar toolkits, and, like Cobalt Sapling, they operate without financial incentives. Given all the evidence, it is safe to assume that Moses Staff and Abraham’s Ax are subgroups of Cobalt Sapling.
A Sophisticated Strategy
There has been no recent activity related to Cobalt Sapling and its associated identities. Nonetheless, its use of multiple personas to create the illusion of distinct threat groups reflects an advanced strategy in cyber warfare and psychological operations. It helped Cobalt Sapling maintain persistent pressure on its targets and allowed it to tailor its tactics and missions. Another notable aspect of this threat group is its lack of ransom demands: it carries out attacks purely for political and disruptive reasons. Understanding its tactics offers important insight into how state-sponsored threat actors function and evolve, especially in areas of geopolitical instability. By anticipating future threats and developing more effective defenses, this knowledge helps safeguard vital infrastructure and national security interests against sophisticated cyber operations.