Pro-Iranian hacking group focused on Saudi Arabia, researchers say
In November, a website from a group that appeared to have links to the Lebanese militants Hezbollah appeared online, posting anti-Israeli rhetoric — not a surprise from one of Israel’s fiercest regional enemies.
The site, called Abraham’s Ax, showed an image of an arm draped in a green cloth — a key color for Hezbollah — with an outstretched hand holding an axe. A message at the bottom read, “All rights reserved for Hezbollah Ummah.”
But the site appears to be a ruse.
In a report published Thursday, researchers with Secureworks Counter Threat Unit Research Team say they can find no evidence that ties Abraham’s Ax to Hezbollah. Rather, it’s more likely the group is operated by the same entity behind Moses Staff, a hacktivist group that went after Israeli targets with hack-and-leak operations that researchers have previously linked to the Iranian government and Secureworks calls Cobalt Sapling.
Abraham’s Ax shares common iconography, videography and infrastructure with Moses Staff, but what sets it apart is that it seems focused on Saudia Arabia.
A video published by the group purports to play audio of intercepted phone calls of both senior Saudi and Israeli officials, and as Saudi Arabia and Israel grow closer, Secureworks sees Abraham’s Ax as the latest attempt by Iran to throw a wrench in the spanner of the emerging Saudi-Israeli alliance.
“This seems to be a tool that Iran is rolling out to put pressure on what is already a fairly fragile situation in terms of those ongoing talks,” said Rafe Pilling, principal researcher with Secureworks Counter Threat Unit. “Obviously it’s very much not in Iran’s interest for Israel and Saudi Arabia to get closer.”
Abraham’s Ax is perhaps among the latest in a string of state-backed hacking groups to emerge in the region. Some groups, such as Moses Staff, emerge to push a clear message, publish hacked materials, and remain active over a long period, while others seem to emerge as a means to publish stolen materials, and quickly disappear.
Iran and Saudi Arabia have an intense history of physical and cyber conflicts. In 2019, for instance, the U.S. and Saudi governments accused Tehran of backing a drone attack on Saudi oil infrastructure carried out by the Houthi rebels in Yemen. After that attack, the U.S. carried out a “secret cyber operation” against unnamed Iranian targets, Reuters reported at the time. Previously, experts believe Iranians used the Shamoon wiper malware in multiple attacks on Saudi targets dating back to 2012, and then again in 2016 and 2018. The 2012 attack was also claimed by a hacktivist persona, which in that case called itself the “Cutting Sword of Justice.”
Pro-Iranian front groups have been active for years and have played a key role in the ongoing cyber tit-for-tat between Iran and Israel. These groups include Moses Staff and another pro-Iranian group, Black Shadow. Another pro-Iranian hacking group, Homeland Justice, attacked Albanian government systems in a series of destructive digital assaults in July 2022, leading Albania to sever diplomatic ties with Iran and the U.S. to sanction the Iranian Ministry of Intelligence.
In November, Abraham’s Ax claimed to have hacked into Saudi Arabia’s Ministry of Interior and published a sample of hacked data. Under a highly produced video dramatizing the hack, the group posted what it called a “proof-of-concept” file which reportedly contained a series of files with titles including “Airport-King-abbdol-aziz-Jaddeh” and “DEVELOPMENT OF THE SECURITY FACILITIES FOR MOI.”
“Al Saud regime’s actions fighting a media and proxy war to create riots and disintegration in Islamic Republic of Iran, which are under the control of Global Zionism, is clear to all thoughtful and free people in the world,” a message accompanying the Interior Ministry breach read. It added that the Saudis were organizing and backing multiple terrorist groups in other places, as well. “These actions will definitely not go unanswered and they will receive a severe slap from Iran and the Axis of Resistance.”
A press representative in the Saudi embassy in Washington could not be reached for comment Wednesday.
The Secureworks analysis found a series of similarities between Abraham Ax and Moses Staff. The logos used by the two groups are quite similar, for instance. Moses Staff’s logo features an arm with a hand holding a staff, while Abraham’s Ax’s is a hand holding an axe.
Both groups’ leak sites offer multiple languages — Hebrew and English for Moses Staff; Hebrew, Farsi and English for Abraham’s Ax — and both use domains registered through EgenSajt, a Swedish web hosting firm. At early points in their lifecycles, the researchers note, both sites were hosted in the same subnet, nearly adjacent to each other. “This is highly unlikely to occur by coincidence and strongly indicates the same entity chose to host the two sites in near contiguous IP address space,” the researchers wrote.
The two groups’ videos are similar, as well, employing almost identical graphics and styles.
The researchers note that various tools and malware have been linked to Moses Staff, such as the PyDCrypt loader and the DCSrv cryptographic wiper, as well as the StrifeWater remote access trojan. No such links have emerged with respect to Abraham’s Ax, but perhaps network defenders in Saudi Arabia and elsewhere should examine their systems for traces of the known Moses Staff malware, Pilling said.
“Identifying the fact that they may be linked to Moses Staff and therefore the back-end intrusion operators may share the same kind of tools, those are the sort of things to look out for,” Pilling said.