Iranian Group Cobalt Sapling Targets Saudi Arabia With New Persona

Written by

The threat actor known as Cobalt Sapling has been spotted creating a new persona dubbed "Abraham's Ax" to target Saudi Arabia for political leverage.

The findings come from cybersecurity experts at Secureworks' Counter Threat Unit (CTU), who published an advisory about the new threat earlier today.

In a report shared with Infosecurity via email, Secureworks wrote that the emergence of Abraham's Ax and its attacks on Saudi government ministries highlight its political objectives.

"There are clear political motivations behind this group with information operations designed to destabilize delicate Israeli-Saudi Arabian relations, particularly as Saudi Arabia continues talks with Israel on normalizing relations," commented Secureworks CTU principal researcher Rafe Pilling.

Further, the security researcher noticed that Abraham's Ax mirrors the iconography, videography and leak sites of a separate threat actor known as Moses Staff. Both groups use similar logos and a WordPress blog as the medium for their leak sites.

The two threat actors also seem to be relying on the same custom malware, a cryptographic wiper that encrypts data without offering to release keys in exchange for payment.

At the same time, Secureworks noticed that the Abraham's Ax persona does not seem to directly replace Moses Staff, as the latter group's leak site and Telegram channels had remained active following the former's emergence.

"Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries," Pilling added.

"Over the last couple of years, an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran regarding association or responsibility for these attacks. This trend is likely to continue."

To mitigate exposure to this malware, the Secureworks team recommended that organizations use available controls to review and restrict access using the indicators listed in the advisory.

Its publication comes hours after the UK National Cyber Security Centre (NCSC) warned against spearphishing attacks by Russian and Iranian threat actors, including Cobalt Sapling's Abraham's Ax.

What’s hot on Infosecurity Magazine?