Moses Staff hack attacks Israeli organizations

A new hack group, Moses Staff, attacked Israeli organizations, hacked their networks, encrypted data, and then refused to negotiate a ransom. Information security researchers believe that these were politically motivated and deliberately destructive attacks.

First discovered in early October 2021, the Moses Staff is the third group to attack exclusively Israeli organizations in recent months (previously, the Pay2Key and Black Shadow groups demonstrated similar style).

However, according to a report from Check Point, the Moses Staff hackers behave differently from their predecessors. They don’t even try to disguise their attacks and subsequent data leaks as ransomware attacks; instead, hackers openly declare that their attacks are politically motivated.

According to a posting on the group’s darknet website, the Moses Staff is attacking the Israeli Zionist regime, thus supporting the occupied Palestinian territory. For this reason the hackers encrypted and then “leaked” the data of the victims, without even trying to get a ransom.

According to Check Point researchers who have had the opportunity to study the group’s past attacks, the Moses Staff operates according to the following patterns:

1. the group breaks into victims’ networks using old vulnerabilities that have not been fixed;
2. Past attacks have involved vulnerable Microsoft Exchange servers;
3. After the system has been compromised, the team uses tools such as PsExec, WMIC, and Powershell;
4. hackers steal confidential information from victims’ networks before encrypting the data;
5. Moses Staff usually deploys an open source DiskCryptor library to encrypt volumes and lock victims’ computers with a bootloader that prevents machines from booting without the correct password (even if the correct password is specified, the data will still be encrypted after the system boots);
6. the researchers believe that the boot password and encryption key can be recovered under certain circumstances;
7. hackers have a Telegram channel and a Twitter account, where they announce new attacks and data leaks, which they also publish on their website.

Check Point researchers do not yet associate the group with any specific country, but note that some samples of Moses Staff malware were uploaded to VirusTotal from IP addresses in Palestine (several months before the group’s first attack).

Let me also remind you that we reported that Israel answered on the cyberattack with the missile attack in the real world.