The now well-known Moses Staff group recently posted on its Twitter account that it had gained access to 3D photos of the entire Israeli area. This was not the group's only attack: Moses Staff has been targeting multiple organizations in the same country. The group appeared in September 2021 and has been carrying out attacks since then. Just reading some of the group's Twitter posts makes it clear that Moses Staff operates on political grounds.
The group created numerous accounts on different social platforms to leak the information it gained access to. Its activity follows in the wake of earlier attacks carried out by the BlackShadow and Pay2Key groups, whose main motivations were likewise purely political. Moses Staff itself declares its goal as “Fight against the resistance and expose the crimes of the Zionists in the occupied territories.” The group openly states that its activity is aimed at causing disruption and damage, and it makes no monetary demands.
Moses Staff's attacks are politically motivated
The group has already targeted 16 victims. It also operates its own website, where the attackers claim to have targeted over 257 websites. The amount of stolen data adds up to 34 terabytes. In addition, an announcement on the group's web portal urges potential partners to join them in order to “expose the crimes of the Zionists in occupied Palestine.”
Yesterday researchers from the Israeli company Check Point published their findings on several incidents related to this group's activity. The report covers Moses Staff's tactics, techniques and procedures (TTPs) and analyzes the group's two main tools, PyDCrypt and DCSrv. The researchers also describe the group's encryption scheme and its possible flaws, and provide several pointers for attribution.
“Moses Staff are still active, pushing provocative messages and videos in their social network accounts.” “The vulnerabilities exploited in the group’s attacks are not zero days, and therefore all potential victims can protect themselves by immediately patching all publicly-facing systems,” according to the Check Point report.
Researchers say the group's encryption method looks quite amateurish
One thing about the group's file-encryption method surprised the researchers: how amateurish it looks. Well-known ransomware families such as Conti, REvil and LockBit make sure their encryption is as close to unbreakable as possible. The researchers point out that the difference may be due to Moses Staff's lack of experience with ransomware, or to its non-financial motivation.
At the very end of their report the researchers made an assumption about the group's geographical location, while emphasizing that politically motivated attacks are always hard to attribute. One thing they noticed in the course of their research was that one of the tools used in the attack had been submitted to VirusTotal (VT) from Palestine a few months before the group started its encryption and public leaks.