Researchers at Check Point recently published a report on Moses Staff, a hacker group that has been conducting targeted attacks against Israeli companies. First observed in October 2021, the group is politically and socially motivated, with the main goal of causing as much damage as possible to the target, whether personal, political, or financial. Moses Staff behaves differently from other threat groups. The group openly states that its motivation for attacking Israeli companies is to cause damage by leaking sensitive data and encrypting the victim’s networks, with no ransom demand. According to the report, their purpose is to “Fight against the resistance and expose the crimes of the Zionists in the occupied territories.”
The group has been seen exploiting vulnerable servers and endpoints. Past intrusions have been linked to unpatched Microsoft Exchange servers and to the use of living-off-the-land binaries (LOLBins) such as PsExec, WMIC, and PowerShell to move laterally, among other operations, during the compromise. Moses Staff also typically deploys the open-source DiskCryptor library. Even if a correct password is provided, the data is still encrypted once the system boots. However, Check Point postulates that both the boot password and the encryption key could be recovered in certain ideal circumstances. In an effort to maximize attention, the Moses Staff group also operates a Telegram channel and a Twitter account where it announces new victims added to its leak site.
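The lateral-movement tooling named above (PsExec, WMIC, PowerShell) leaves recognisable traces in process-creation telemetry, and the following added example (not code from the Check Point report) shows simple detection logic run over a constructed set of such events. Hostnames, paths, rule names and the event shape are assumptions; the PSEXESVC service binary, the `wmic /node: ... process call create` syntax and the WmiPrvSE.exe parent are standard Windows/PsExec behaviour.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample process-creation events (not from the Check Point report);
# fields mimic common EDR / Sysmon Event ID 1 telemetry. "ws01" is the
# hypothetical foothold, srv02/srv03 the hosts it reaches out to.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\PsExec64.exe", "cmdline": r"PsExec64.exe \\srv02 -s cmd.exe"},
    {"host": "srv02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:srv03 process call create "cmd.exe /c whoami"'},
    {"host": "srv03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",   # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

def base(path):
    # Lower-cased file name of a Windows path, so rules ignore the directory.
    return PureWindowsPath(path).name.lower()

# (rule name, predicate over one event); the names are our own labels.
RULES = [
    # PsExec client on the source host; PsExec installs PSEXESVC on the target.
    ("psexec_client", lambda e: base(e["image"]) in {"psexec.exe", "psexec64.exe"}),
    ("psexec_service", lambda e: base(e["image"]) == "psexesvc.exe"),
    # WMIC remote process creation: /node:<target> ... process call create
    ("wmic_remote_exec", lambda e: re.search(
        r"/node:\S+.*process\s+call\s+create", e["cmdline"], re.I) is not None),
    # Shell spawned by the WMI provider host, i.e. the receiving end of the above.
    ("wmi_spawned_shell", lambda e: base(e["parent"]) == "wmiprvse.exe"
        and base(e["image"]) in {"cmd.exe", "powershell.exe"}),
    # PowerShell started hidden and/or with an encoded command.
    ("powershell_hidden_or_encoded", lambda e: base(e["image"]) == "powershell.exe"
        and re.search(r"-(enc\w*|e)\s|-w(indowstyle)?\s+hidden", e["cmdline"], re.I)),
]

def match_event(event):
    # Names of every rule that fires on one event (empty list for benign ones).
    return [name for name, pred in RULES if pred(event)]

def detect(events):
    # (host, rule) pairs across the whole event stream, in arrival order.
    return [(e["host"], n) for e in events for n in match_event(e)]
```

Correlating a `psexec_client` or `wmic_remote_exec` hit on one host with a `psexec_service` or `wmi_spawned_shell` hit on the named target shortly afterwards is what turns these single-event matches into a lateral-movement alert.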
Some of the most difficult adversaries are politically motivated. When financial gain is not the end goal, negotiation is severely limited, if not impossible. Moses Staff claims to be working on behalf of the Palestinian people, garnering support from many in the threat community. To mitigate the risks associated with groups such as Moses Staff, organizations need a mature and evolving defense strategy in place. Businesses must enable their security personnel to ingest relevant, actionable threat intelligence in order to develop both reactive and proactive defensive measures.