Moses Staff hackers strike again, attack Israeli engineering companies

The hackers announced they had targeted Ehud Leviathan Engineering, David Engineers and H.G.M. Engineering in their latest attack.


A hacker group called Moses Staff claimed on Tuesday that it had successfully conducted a cyberattack on three Israeli engineering companies, less than two weeks after it leaked files it claimed to have obtained in an attack on the Defense Ministry.

The group announced on Tuesday that it had targeted Ehud Leviathan Engineering, David Engineers and HGM Engineering in its latest attack.

The data leaked from the three companies include projects, maps, contracts, pictures, letters and videoconferencing images.

Moses Staff stated that the information it had leaked did not include everything that they had obtained and they would gradually release the rest.

Unlike the Black Shadow hacker group that also struck Israeli companies recently, Moses Staff did not make any demands for money or anything else.

A hacker is being depicted in this illustrative photo  (credit: Courtesy)A hacker is being depicted in this illustrative photo (credit: Courtesy)

The leaked material included documents about infrastructure projects such as highways and public water systems. Some of what was leaked even included a tender and other documents concerning construction in the new city-entrance project currently under way at the entrance of Jerusalem.

ID cards and insurance documents were also leaked in the attack.

Moses Staff’s website claims that the group has hacked over 165 servers and 254 websites and compiled over 11 terabytes of data, including Israel Post, the Defense Ministry, files related to Defense Minister Benny Gantz, the Electron Csillag Company and Epsilor.

“We’ve kept an eye on you for many years, at every moment and on each step,” wrote the group in the announcement on its Telegram channel last week regarding the attack on the Defense Ministry. “All your decisions and statements have been under our surveillance. Eventually, we will strike you while you never would have imagined.”

Moses Staff claimed in the announcement to have access to confidential documents, including reports, operational maps, information about soldiers and units, and letters and correspondence.

“We are going to publish this information to aware [sic] all the world about the Israeli authorities’ crimes,” warned the group.

The files leaked in the earlier attack included photos of Gantz and IDF soldiers and a 2010 letter from the defense minister to the deputy chief of the Joint Chiefs of Staff and chief of intelligence in the Jordanian Armed Forces.

The leaked files also included Excel files allegedly containing the names, ID numbers, emails, addresses, phone numbers and even socioeconomic status of soldiers, mechina pre-military students and individuals connected to the ministry.

The group stated on its website that it is targeting the same people who “didn’t tolerate” the legitimacy of Moses, seemingly the reason for the name Moses Staff.

The group’s description states that it will not forget “the soldiers whose blood is shed due to wrong policies and fruitless wars, the mothers mourning for their children, and all the cruelty and injustice were [sic] done to the people of this nation.”

The group did not clarify in its description which soldiers it was referring to.

It is as of yet unclear whether the group is acting independently or is backed by a state.

Moses Staff leaked identifying information, addresses and information about packages from an attack it says it conducted on the Israel Post. The group also leaked pictures of identity cards from a number of companies it claims to have attacked.

The group’s website also has a contact form for those interested in joining the group.

THE NATIONAL Cyber Directorate stated in response to the leaks last week that it has repeatedly warned about hackers exploiting a vulnerability on the Exchange email service in order to attack organizations, according to Ynet.

“The directorate once again calls on organizations to implement in their systems the latest critical updates that Microsoft has released for this vulnerability – a simple and free update that can reduce the chance of this attack,” the directorate said.

The attack is the latest in a series of cyberattacks on Israel in recent months.

Over the weekend, the Black Shadow hacker group announced that it had attacked the Israeli Internet company Cyberserve, and on Tuesday it leaked the data of about a million people from the Atraf gay dating app.

Cyberserve is a web hosting company, meaning it provides servers and data storage for other companies across industries. The data seized by the hackers is from a wide variety of businesses, from travel booking and bus companies to the Israeli Children’s Museum.

Last month, the Hillel Yaffe Medical Center in Hadera was targeted by a ransomware attack that affected its computer systems.

Cybereason revealed last month that MalKamak, an Iranian state-supported hacker group, was running a highly targeted cyber-espionage operation against global aerospace and telecommunications companies, stealing sensitive information from targets around Israel and the Middle East, as well as in the United States, Russia and Europe. The threat posed by MalKamak is still active.

In September, a hacker group called Deus leaked data it claims to have obtained, in a cyberattack on the Israeli call center service company Voicenter, from the company’s customers, including 10bis, CMTrading, Mobileye, eToro, Gett and My Heritage.

The data leaked so far include security camera and webcam footage, ID cards, photos, WhatsApp messages and emails, as well as recordings of phone calls.

A series of cyberattacks has plagued Israeli businesses and institutions in the past two years, including Israel Aerospace Industries, the Shirbit insurance company and the Amital software company.

The National Cyber Directorate reported that it handled more than 11,000 inquiries on its 119 hotline in 2020, some 30% more than it handled in 2019. The directorate made about 5,000 requests to entities to handle vulnerabilities exposing them to attacks, and was in contact with about 1,400 entities concerning attempted or successful attacks.