The Flood: Moses Staff

Threat Intelligence Tarot

wands · 2

Iran (IRGC-linked)

★★★★★

risk 4/5

✦ The Flood ✦

Moses Staff

Abraham's Ax

IsraelIsraeli governmentIsraeli defenseIsraeli financial sector

Active since ~2021 · Israeli government disruption, Leak-and-destroy operations, Psychological warfare

Moses Staff takes what it finds, publishes it to embarrass, then destroys the systems it came from. It is a weapon designed for humiliation as much as harm - the stolen document, the leaked database, the encrypted server. The Flood leaves nothing clean.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1485

Data Destruction

Impact

T1486

Data Encrypted for Impact

Impact

T1565

Data Manipulation

Impact

T1190

Exploit Public-Facing Application

Initial Access

T1491

Defacement

Impact

Notable Operations

◆Israeli government data leaks paired with encryption attacks
◆Bait-and-release: exfiltrate, then destroy, then publish
◆ProxyShell exploitation for initial access into Israeli networks
◆Claimed access to Israeli defense infrastructure (2021–2022)

Defenses

▸
Patch management prioritizing internet-facing Exchange and IIS
CIS Control 7 ↗
▸
Immutable backup systems geographically isolated
CIS Control 11 ↗
▸
Data loss prevention and exfiltration monitoring
NIST CSF: PR.DS ↗
▸
Crisis communications plan for data leak scenarios
NIST CSF: RC.CO ↗

Reversed: Their Weakness

Moses Staff's combination of espionage and destruction operations muddies attribution - the simultaneous leak-and-destroy approach means victims must simultaneously do breach response, incident response, and public communications, stretching defensive resources dangerously thin.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Arsonist Next →The Wrench

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.