Moses Staff continues to acknowledge responsibility for a variety of attacks targeting Israeli organizations. The targets of these incidents include several high-profile engineering firms and the nation’s Defense Ministry. Moses Staff states openly that the attacks and subsequent information leaks are politically motivated against what they claim is a “criminal Zionist government” and in support of Palestinian territories. The nature of the intrusions indicates an apparent goal of maximizing damage against Israeli entities, since no ransom has been connected to any of the data theft.
Based on threat intelligence, Moses Staff uses publicly acknowledged exploits for unpatched vulnerabilities, including Microsoft Exchange Server remote code execution vulnerabilities and open RDP. Once inside the network, the group moves laterally with the aid of PsExec, WMIC, and PowerShell, indicating they do not access these networks through a backdoor. From there the actors use PyDCrypt malware that runs on DiskCryptor, a widely available open-source tool.
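The tradecraft described above (PsExec service installs, WMIC remote process creation, encoded or hidden PowerShell, and a DiskCryptor driver landing on an endpoint) all leaves footprints in ordinary Windows telemetry. The following Python script is an added example, not code from SpearTip or from the post, showing how a defender can run a handful of detection rules over such records and roll the hits up per host. The log records are constructed for this example in a simplified `EventID|Field=Value;...` form (7045 = service installed, 4688 = Security-log process creation, 1 = Sysmon process creation); the `PSEXESVC` service name is PsExec's well-known default, and `dcrypt.sys` is assumed here to be the DiskCryptor driver file name.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample records (not real telemetry), simplified as
# "EventID|Field=Value;Field=Value". 7045 = service installed (System log),
# 4688 = process creation (Security log), 1 = Sysmon process creation.
SAMPLE_EVENTS = [
    "7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe;Host=WS01",
    "4688|Image=C:\\Windows\\System32\\wbem\\WMIC.exe;"
    "CommandLine=wmic /node:SRV02 process call create \"cmd /c whoami\";Host=WS01",
    "1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "CommandLine=powershell -nop -w hidden -enc SQBFAFgA;Host=SRV02",
    # Assumption: dcrypt.sys is the DiskCryptor kernel driver file name.
    "7045|ServiceName=dcrypt;ImagePath=C:\\Windows\\System32\\drivers\\dcrypt.sys;Host=SRV02",
    "4688|Image=C:\\Windows\\System32\\notepad.exe;CommandLine=notepad.exe;Host=WS01",
]

PROCESS_EVENTS = {"4688", "1"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a dict; the event ID lands under 'EventID'."""
    event_id, _, body = line.partition("|")
    fields = {"EventID": event_id.strip()}
    for part in body.split(";"):
        key, _, value = part.partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def _cmd(ev: Dict[str, str]) -> str:
    return ev.get("CommandLine", "").lower()


def _img(ev: Dict[str, str]) -> str:
    return ev.get("Image", ev.get("ImagePath", "")).lower()


# Each rule: (name, predicate over a parsed event). Kept deliberately narrow
# so that benign process creations such as notepad.exe do not fire.
RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    # PsExec installs its remote service under the default name PSEXESVC.
    ("psexec_service_install",
     lambda ev: ev["EventID"] == "7045"
     and "psexesvc" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower()),
    # WMIC used to spawn a process on another machine: /node:<target> ... process call create
    ("wmic_remote_process_create",
     lambda ev: ev["EventID"] in PROCESS_EVENTS and _img(ev).endswith("wmic.exe")
     and re.search(r"/node:\S+.*process\s+call\s+create", _cmd(ev)) is not None),
    # PowerShell launched with an encoded command or a hidden window.
    ("powershell_encoded_hidden",
     lambda ev: ev["EventID"] in PROCESS_EVENTS and "powershell" in _img(ev)
     and re.search(r"-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", _cmd(ev)) is not None),
    # DiskCryptor driver registered as a service (file name assumed, see above).
    ("diskcryptor_driver_install",
     lambda ev: ev["EventID"] == "7045" and "dcrypt.sys" in ev.get("ImagePath", "").lower()),
]


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, evidence) for every record that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, matches in RULES:
            if matches(ev):
                evidence = ev.get("CommandLine") or ev.get("ImagePath", "")
                findings.append((name, ev.get("Host", "?"), evidence))
    return findings


def hosts_by_rule(findings: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group rule names per host; a host hitting several rules deserves triage first."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for rule, host, _ in findings:
        out[host].add(rule)
    return dict(out)


if __name__ == "__main__":
    for rule, host, evidence in detect(SAMPLE_EVENTS):
        print(f"{host:6} {rule:28} {evidence}")
    print(hosts_by_rule(detect(SAMPLE_EVENTS)))
```

In a real deployment these predicates would run against parsed Windows System and Security logs or Sysmon output rather than the inline strings, and the per-host roll-up is the useful part: a single PsExec service install is routine in many environments, but the same host showing remote WMIC execution followed by an encoded PowerShell launch and a disk-encryption driver install is the sequence this post describes and warrants immediate investigation.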
Once the files are encrypted and stolen, they are made public on Moses Staff’s Tor site. The information that has so far been leaked includes confidential information about Israeli soldiers, military operational maps, internal communications between high-ranking officials, and construction plans for continued development. Moses Staff claims to have over 10 terabytes of stolen data and plans to gradually make it public.
SpearTip has identified Moses Staff links to other well-known groups ‘Pay2Key’ and ‘BlackShadow’ because of their shared targets and political motivations. A main difference, however, is that these groups typically demand ransom in exchange for exfiltrated data. Currently, Moses Staff is actively recruiting for new members publicly on social media.
In the modern cyber landscape, threat actors are increasingly active in their attempts to acquire sensitive data to inflict maximum damage on political opponents or hold out for ransom. SpearTip offers a variety of services designed to keep your organization and the sensitive data you hold safe from all threat actors. Our certified engineers operate globally from our Security Operations Centers, monitoring your networks 24/7/365 with the aid of ShadowSpear, our unparalleled endpoint detection and response tool. Threats never sleep, and because of that, SpearTip Defends You.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.