Cyberespionage and hacking operations: A growing threat to national interests and relations


  • Secureworks conducted an analysis and found that COBALT SAPLING is likely the group behind both the Moses Staff and Abraham’s Ax hacktivist identities.
  • According to Rafe Pilling, a researcher at Secureworks Counter Threat Unit, the group’s activities appear to be motivated by politics.

Cyber warfare has become an increasingly important tool for countries to gain political leverage and advance their national interests. In the past, nations relied on traditional military force to assert their power, but the digital age has introduced a new realm of conflict.

Nation-states are now engaging in cyberespionage and hacking operations to gather intelligence, disrupt the activities of their adversaries and carry out cyberattacks for political or military purposes. Cyber warfare allows countries to operate covertly and avoid the political and economic consequences of traditional military force. It also allows them to target critical infrastructure and disrupt the functioning of other nations without physically invading their territory.

This tactic is not just a theoretical concept but a reality that is being played out in the cyber operations of various nation-states.

A recent analysis from Secureworks’ Counter Threat Unit (CTU) revealed that the Iranian threat group COBALT SAPLING has re-emerged under a new persona, Abraham’s Ax. This conclusion rests on new findings linking Abraham’s Ax to Moses Staff, a known COBALT SAPLING hacktivist persona. Moses Staff is known for targeting Israeli companies to steal and leak sensitive data. It has been operating since September 2021, using cyber warfare tactics to disrupt its target nation and gather sensitive information from it without the need for physical invasion.

The Moses Staff group claims to be an anti-Israeli and pro-Palestinian organization that aims to disrupt and harass Israeli companies. The analysis from Secureworks’ Counter Threat Unit (CTU) shows that the group has re-emerged under the new persona of Abraham’s Ax and is now also targeting government ministries in Saudi Arabia, likely due to the country’s role in improving relations with Israel. Researchers have linked both personas to the COBALT SAPLING hacktivist group.

The CTU discovered the emergence of Abraham’s Ax in November 2022 and found that it shares many similarities with Moses Staff, including similar iconography, videography, and leak sites. Both groups use similar logos, with Abraham’s Ax depicting a clenched fist holding an axe and Moses Staff showing a clenched fist holding a staff. Both also use WordPress blogs for their leak sites and include religious quotes on their sites. The groups have also produced and released videos as part of their operations, with clear similarities in iconography.

The CTU believes that the group behind Abraham’s Ax may be using the same custom malware as Moses Staff, which acts as a cryptographic wiper, encrypting data without offering to release the keys in exchange for payment. The group employs criminal and hacktivist tactics without a clear profit motive, and the attacks appear to be politically motivated and focused on disruption and intimidation.

Rafe Pilling, a researcher at Secureworks Counter Threat Unit, stated that the group’s activities appear to be motivated by politics, attempting to interfere in the relationship between Israel and Saudi Arabia. He noted that they seem to be trying to disrupt the ongoing talks between the two countries to improve relations.

“Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries. Over the last couple of years an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran regarding association or responsibility for these attacks. This trend is likely to continue,” said Pilling.

Cyberespionage in the APAC region

Cyber warfare between countries for political leverage is a growing concern globally. Countries in the Middle East have used state-sponsored hacking and cyberespionage campaigns to gain political leverage and advance their national interests. Similarly, several high-profile cyber warfare incidents have occurred in the APAC region.

One example is the alleged Chinese cyberespionage campaign known as “APT10” or “Cloud Hopper”. The campaign was first discovered in 2016 by cybersecurity firms and is said to have targeted government agencies, technology companies and other organizations in several countries, including the United States, Japan, the United Kingdom, Australia and others in Asia.

Many experts suspect that APT10 has close ties to Chinese government agencies and that its activities align closely with China’s national interests. The group was believed to have been involved in a cyberattack aimed at the 2018 Olympic Games, considered one of the most sophisticated hacks.

In early 2022, a Taiwan-based security firm linked APT10 to an attack that exploited a vulnerability in a security product used by 80% of financial-sector organizations in Taiwan. Additionally, in June 2022, the group was caught stealing intellectual property from Western and Japanese companies by using HUI Loader to deploy malware.