The Cybereason Nocturnus Team has been tracking the Iranian hacker group known as Moses Staff in recent months, after it was first spotted in October 2021. The group’s motivation is to harm Israeli companies by leaking sensitive, stolen data.
Aside from Israel, which appears to be the main target of the group, Moses Staff was observed targeting organizations in other countries, including Italy, India, Germany, Chile, Turkey, the United Arab Emirates, and the US.
The group targets a variety of industries, among them Government, Finance, Travel, Energy, Manufacturing, and the Utilities industry.
Following recently published research detailing the group’s Tactics, techniques and procedures (TTPs), the Cybereason Nocturnus team discovered a previously unidentified Remote Access Trojan (RAT) in the Moses Staff arsenal dubbed StrifeWater.
“The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks,” Cybereason explained. “The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.”
Usually, once hackers infiltrate an organization and steal sensitive data, they deploy ransomware to encrypt the infected machines. Unlike financially motivated cybercrime ransomware groups who encrypt the files as leverage for ransom payment, the encryption of the files in the Moses Staff attacks serves two purposes: inflicting damages by disrupting critical business operations, and covering the attackers’ tracks.
“The end goal for Moses Staff appears to be more politically motivated rather than financial,” Cybereason underscored. “Analysis of the group’s conduct and operations suggests that Moses Staff leverages cyber espionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear.”
“Moses Staff’s goals seem aligned with Iran’s cyber warfare doctrine, seeking to sabotage government, military, and civilian organizations related to its geo-political opponents. Unlike criminal cybercrime groups that use ransomware to coerce their victims to pay a ransom fee, it is assessed that the Moses Staff group will leak sensitive information without demanding a ransom fee, and it was previously assessed that their goals are political in nature,” the report said.
Iran and Israel have been engaged in cyber warfare in recent years, with Iran attacking a broad array of targets, and Israel focusing on Iran’s nuclear program.
Israel has also reportedly carried out several successful cyberattacks against critical Iranian infrastructure.