How did Iran hack so many Israeli entities in 2021?

A report released by Cybereason sheds new light on how Iran has hacked dozens of Israeli public and private institutions.

Hacker (illustrative) (photo credit: PXFUEL)

A report issued by Cybereason on Tuesday gave the most detailed account yet of how Iran and its proxies successfully hacked dozens of Israeli public and private institutions, as well as large institutions in other rival countries, over the past year.

According to the report by the cybersecurity firm, the purpose of these Iranian attacks has been a mix of espionage, theft of sensitive information and the infliction of broad damage and chaos in the Jewish state.

Focused on the group “Moses Staff,” the report said the list of cyber victims includes Israel, Italy, India, Germany, Chile, Turkey, the UAE and the US.

The report said, “Over the past months, the Cybereason Nocturnus Team has been tracking the Iranian hacker group known as Moses Staff. The group was first spotted in October 2021 and claims their motivation is to harm Israeli companies by leaking sensitive, stolen data.”

The Jerusalem Post understands from several current and former officials from the Israel National Cyber Directorate (INCD), Shin Bet (Israel Security Agency) and IDF Unit 8200 that the main innovation of Moses Staff has less been about the techniques it uses and more about its deep research and exploration to find parts of Israel’s digital environment that are poorly defended.

SUPPORTERS OF the National Council of Resistance of Iran protest in Berlin against the government in Tehran. (credit: Christian Mang/Reuters)

Further, the group “targets a variety of industries, among them government, finance, travel, energy, manufacturing and the utilities industry.”

Next, the report said that Moses Staff’s goals seem aligned with Iran’s cyberwarfare doctrine, seeking to sabotage government, military and civilian organizations related to its geopolitical opponents.

It noted that, “Unlike criminal cybercrime groups that use ransomware to coerce their victims to pay a ransom fee, it is assessed that the Moses Staff group will leak sensitive information without demanding a ransom fee, and it was previously assessed that their goals are political in nature.”

Sounding a note of caution, the report said, “The emergence of new PyDCrypt malware samples further shows that the Iranian APT group Moses Staff is still active and continues its nefarious activities and development of its attack arsenal.”

Following recent publications detailing the group’s tactics, techniques and procedures, including its main tools “PyDCrypt” and “DCSrv,” the Cybereason Nocturnus team discovered a previously unidentified remote access trojan (RAT) in the Moses Staff arsenal, dubbed “StrifeWater.”

According to Cybereason, “The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks.”

The RAT has other capabilities as well, including command execution, screen capturing and the ability to download additional extensions.

RATs have been used for hacking purposes for years, but Moses Staff has worked hard to develop RATs customized to harming poorly defended Israeli institutions.

Many groups deploy ransomware to encrypt infected machines when they infiltrate an organization and steal sensitive data.

“Unlike financially motivated, cybercrime ransomware groups who encrypt the files as leverage for ransom payment, the encryption of the files in the Moses Staff attacks serves two purposes: inflicting damages by disrupting critical business operations, and covering the attackers’ tracks,” said the report.

Cybereason said, “The end goal for Moses Staff appears to be more politically motivated rather than financial.”

According to the report, “The group’s conduct and operations suggests that Moses Staff leverages cyber espionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear.”

In terms of the technicalities, Cybereason said, “It was observed that the StrifeWater RAT was deployed in infected environments under the name ‘calc.exe.’

“One of the key clues that led to the discovery of the StrifeWater RAT came from an analysis of a new variant of the PyDCrypt malware used by the Moses Staff group... to drop the payload ‘DCSrv,’ a ransomware variant based on the publicly available tool DiskCryptor.”

The inclusion of hard coded information as part of the PyDCrypt malware indicates that the malware is only deployed in “a late stage of the attack after the environment is already compromised and sufficient reconnaissance efforts to map out the target’s environment have already taken place.”
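The one concrete indicator the report gives is that StrifeWater ran under the name “calc.exe,” a masquerade that a defender can hunt for by checking where any process called calc.exe was actually launched from. The script below is an added example written for this article, not code from Cybereason or from the Moses Staff toolset: it runs a simple masquerading check over a handful of constructed process-creation records (field names borrowed from Sysmon Event ID 1 naming; the events themselves are invented) and flags every calc.exe that does not sit directly in one of the two directories where Windows ships it. The allowlist of legitimate directories is an assumption to be tuned against the environment’s own gold image.

```python
"""Hunt for binaries masquerading as calc.exe in process-creation telemetry.

Added example, not the original article's or Cybereason's code. The sample
events are constructed; field names mirror Sysmon Event ID 1 as an assumption.
"""
import json
import ntpath
from typing import List

# Directories where Windows ships a genuine calc.exe. This allowlist is an
# assumption for the example: tune it to the images deployed in your estate.
EXPECTED_CALC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed process-creation records, one JSON object per line. A raw string
# is used so the doubled backslashes reach the JSON decoder unchanged.
SAMPLE_EVENTS = r"""
{"UtcTime": "2022-02-01 09:00:01", "Image": "C:\\Windows\\System32\\calc.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "calc.exe"}
{"UtcTime": "2022-02-01 09:03:17", "Image": "C:\\Users\\Public\\calc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "calc.exe"}
{"UtcTime": "2022-02-01 09:04:02", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"UtcTime": "2022-02-01 09:05:40", "Image": "c:/windows/syswow64/CALC.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "CALC.EXE"}
{"UtcTime": "2022-02-01 09:06:55", "Image": "C:\\Windows\\Temp\\calc.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "calc.exe -s"}
{"UtcTime": "2022-02-01 09:07:10", "Image": "C:\\Windows\\System32\\evil\\calc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "calc.exe"}
"""


def normalize_path(path: str) -> str:
    """Lower-case and use backslashes so the comparison is case- and
    separator-insensitive, matching how Windows resolves paths."""
    return path.replace("/", "\\").strip().lower()


def is_masquerading_calc(image: str) -> bool:
    """True when the image is named calc.exe but its parent directory is not
    one of the allowlisted locations. Requiring an exact directory match (not a
    prefix) also catches C:\\Windows\\System32\\<subdir>\\calc.exe, and a bare
    'calc.exe' with no directory is treated as suspicious too."""
    path = normalize_path(image)
    if ntpath.basename(path) != "calc.exe":
        return False
    return ntpath.dirname(path) not in EXPECTED_CALC_DIRS


def find_masquerading(jsonl: str) -> List[dict]:
    """Return every process-creation record whose Image masquerades as calc.exe,
    in the order the events appear in the input."""
    hits = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_masquerading_calc(event.get("Image", "")):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for event in find_masquerading(SAMPLE_EVENTS):
        print(f"{event['UtcTime']}  {event['Image']}  parent={event['ParentImage']}")
```

Run against the constructed sample, the check ignores the two genuine launches (including the one logged with forward slashes and upper-case letters) and reports the three copies that run from a user-writable directory, the temp directory and a sub-folder of System32. In a real hunt the same path test would be applied to the Image field of whatever process-creation source is available, and a positive hit would then be pivoted on the parent process and command line shown alongside it.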

Meanwhile, Calcalist reported on Tuesday that Moses Staff had hacked data from the Rafael defense firm.

The report was unclear on whether the information was in fact sensitive information about the Iron Dome missile-defense system and other weapons systems or unclassified information that Moses Staff was trying to spin as classified.

Rafael itself said, “This is an isolated incident involving unclassified information on the company’s external network.”

Last year, Moses Staff succeeded in hacking data from Israel Aerospace Industries, which at the time did not issue any clarifying statement, though later reports claimed no sensitive information was stolen.