News

Moses Staff hack attacks Israeli organizations

A new hack group, Moses Staff, attacked Israeli organizations, hacked their networks, encrypted data, and then refused to negotiate a ransom. Information security researchers believe that these were politically motivated and deliberately destructive attacks.

First discovered in early October 2021, the Moses Staff is the third group to attack exclusively Israeli organizations in recent months (previously, the Pay2Key and Black Shadow groups demonstrated similar style).

However, according to a report from Check Point, the Moses Staff hackers behave differently from their predecessors. They don’t even try to disguise their attacks and subsequent data leaks as ransomware attacks; instead, hackers openly declare that their attacks are politically motivated.

According to a posting on the group’s darknet website, the Moses Staff is attacking the Israeli Zionist regime, thus supporting the occupied Palestinian territory. For this reason the hackers encrypted and then “leaked” the data of the victims, without even trying to get a ransom.

According to Check Point researchers who have had the opportunity to study the group’s past attacks, the Moses Staff operates according to the following patterns:

  1. the group breaks into victims’ networks using old vulnerabilities that have not been fixed;
  2. Past attacks have involved vulnerable Microsoft Exchange servers;
  3. After the system has been compromised, the team uses tools such as PsExec, WMIC, and Powershell;
  4. hackers steal confidential information from victims’ networks before encrypting the data;
  5. Moses Staff usually deploys an open source DiskCryptor library to encrypt volumes and lock victims’ computers with a bootloader that prevents machines from booting without the correct password (even if the correct password is specified, the data will still be encrypted after the system boots);
  6. the researchers believe that the boot password and encryption key can be recovered under certain circumstances;
  7. hackers have a Telegram channel and a Twitter account, where they announce new attacks and data leaks, which they also publish on their website.

Check Point researchers do not yet associate the group with any specific country, but note that some samples of Moses Staff malware were uploaded to VirusTotal from IP addresses in Palestine (several months before the group’s first attack).

At the moment, the Moses Staff website has released the information of 16 victims, which includes data and documents of more than 34 terabytes.

Let me also remind you that we reported that Israel answered on the cyberattack with the missile attack in the real world.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Kurlibat.xyz pop-up ads (Virus Removal Guide)

Kurlibat.xyz is a site that tries to trick you into clik to its browser notifications…

1 day ago

Remove Initiateintenselyrenewedthe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyrenewedthe-file.top is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Wotigorn.xyz pop-up ads (Virus Removal Guide)

Wotigorn.xyz is a site that tries to force you into subscribing to its browser notifications…

1 day ago

Remove Initiateintenselyprogressivethe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyprogressivethe-file.top is a domain that tries to force you into clik to its browser notifications…

1 day ago

Remove Nuesobatoxylors.co.in pop-up ads (Virus Removal Guide)

Nuesobatoxylors.co.in is a domain that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove Helistym.xyz pop-up ads (Virus Removal Guide)

Helistym.xyz is a site that tries to force you into clik to its browser notifications…

1 day ago