ETDA: Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Moses Staff

Names:
Moses Staff (self given)
Abraham's Ax (self given)
DEV-0500 (Microsoft)
Cobalt Sapling (SecureWorks)
Marigold Sandstorm (Microsoft)
Vengeful Kitten (CrowdStrike)
White Dev 95 (PWC)

Country: Iran

Motivation: Sabotage and destruction

First seen: 2021

Description: (Check Point) In September 2021, the hacker group MosesStaff began targeting Israeli organizations, joining a wave of attacks which was started about a year ago by the Parisite, Fox Kitten, Pioneer Kitten and Agrius attack groups. Those actors operated mainly for political reasons in an attempt to create noise in the media and damage the country’s image, demanding money and conducting lengthy and public negotiations with the victims.

MosesStaff behaves differently. The group openly states that their motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim’s networks, with no ransom demand. In the language of the attackers, their purpose is to “Fight against the resistance and expose the crimes of the Zionists in the occupied territories.”

Observed:
Sectors: Energy, Financial, Government, Manufacturing, Transportation, Utilities.
Countries: Chile, Germany, India, Israel, Italy, Turkey, UAE, USA.

Tools used: DCSrv, PyDCrypt, StrifeWater.

Operations performed:
Nov 2022: Abraham's Ax Likely Linked to Moses Staff
<https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff>

Information:
<https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/>
<https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations>
<https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard>
<https://www.timesofisrael.com/report-iran-hacked-israeli-cameras-a-year-ago-defense-officials-knew-didnt-act/>

MITRE ATT&CK: <https://attack.mitre.org/groups/G1009/>

Last change to this card: 10 March 2024


Digital Service Security Center
Electronic Transactions Development Agency
