The world of criminal hacking groups is a rather protean one, with groups constantly changing and merging. To make matters muddier, many groups also operate under other names, or personas, sometimes even with slightly different modes of operation.
Researchers, however, have at least linked two such personas to a known operator. While not 100 per cent certain of their findings, Secureworks’ Counter Threat Unit (CTU) was confident enough to write about Abraham’s Ax and Moses Staff, which are likely personas of Cobalt Sapling.
Cobalt Sapling first came to security specialists’ attention in 2021, when it was operating under the name Moses Staff, though the group has likely been active since at least 2020. The group is pro-Palestinian and is believed to operate under the auspices of Iran. It runs leak sites and carries out ransomware attacks without making any attempt to collect a ransom: disruption of its targets is the group’s main aim.
Abraham’s Ax began operation in November 2022 with a series of social media posts, and the similarities with Moses Staff prompted CTU researchers to look a little deeper.
For one, the two groups have very similar logos — a hand holding out a staff and an axe, respectively. Similarly, much of the media the two groups produce features similar stylistic flourishes and even stock images.
Both also feature websites with many similarities, in English and in Hebrew, with Abraham’s Ax also available in Farsi.
There are many technical links between the groups, too. Both groups’ sites were hosted on the same subnet for a time, and they also share closely related IP addresses, which in turn are related to infrastructure attributed to Cobalt Sapling.
Unlike Moses Staff, however, Abraham’s Ax says it is working on behalf of Hezbollah Ummah, a group that may or may not be linked to the militant group Hezbollah. And while Moses Staff largely targets Israeli organisations, Abraham’s Ax instead focuses its hacking efforts on Saudi Arabia, which has been working closely with Israel in recent years.
“Progress on normalisation of relations between Saudi Arabia and Israel is fragile,” the CTU blog suggests, “and Iran may see these attacks as a way to discourage those efforts.”
Both Cobalt Sapling groups operate independently and at the same time — Abraham’s Ax does not seem to be a replacement entity and Moses Staff is still posting on its own sites.
Iran is an increasingly active nation when it comes to hacking and other attempts at cyber disruption. To combat the growing threat of Iranian-based and supported actors, Australia, Canada, the United Kingdom, and the United States together released a joint Cybersecurity Advisory last September.
The CSA, titled “Iranian Islamic Revolutionary Guard Corps-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption for ransom operations”, was designed to provide “actionable information” relating to IRGC exploitation of Log4j vulnerabilities in VMware Horizon for initial access and the ongoing use of known Fortinet and Microsoft Exchange vulnerabilities.
“Our unified purpose is to drive timely and prioritised adoption of mitigations and controls that are most effective to reducing risk to all cyber threats, including malicious actors like those affiliated with the Iranian Islamic Revolutionary Guard Corps,” Eric Goldstein, executive assistant director for cyber security, CISA, said at the time.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.