Abraham's Ax appears to be a "one and done" operation. Based on multiple characteristics of its extortion leak site, the operators appear to be linked to Moses Staff, an Iranian hacktivist group. Researchers from IBM highlighted the similarities between the two groups, and the activity is further attributed to an entity tracked as COBALT SAPLING. Since the two groups are allegedly the same threat actors, they share the same tactics, techniques, and procedures (TTPs). The group leverages a remote access trojan (RAT) called StrifeWater RAT, which lets the operators execute remote commands and deploy additional payloads, presumably ransomware. However, there is no evidence of ransomware ever having been deployed, so the detailed view contains no ransomware-specific information and the group is labeled as a Data Broker. The group is best known for breaching the Saudi Arabian Ministry of Interior in November 2022, which it posted on its double extortion leak site, hosted both on Tor and on the clear web. Aside from being a spinoff of Moses Staff, little is known about the group beyond this one attack.
| Industry Sector | Country | Extortion Date | Amount (USD) |
|---|---|---|---|
| Government | Saudi Arabia | | |