Saudi Arabia MOFA Breach

1 July 2015

Introduction

As of April 2015 there were more than 270 breaches reported that exposed an estimated 102,372,157 records. Those are staggering numbers.

Last week, we wrote about the now infamous Adult Friend Finder breach and how the nature of the data contained within that breach made it a highly sensitive occurrence. In the case of that breach, the investigation is ongoing and will likely be for some time, since the alleged attacker took to the dark web to voice his dispute with the owners of the site and eventually posted a large cache of data.

The motives in the Adult Friend Finder breach were rooted in revenge and extortion. This week we’ll address another breach that occurred around the same time, which was equally sensitive but for different reasons. Unlike the Adult Friend Finder breach, this one saw very sensitive and, in some cases, classified nation-state information leaked to the public. In this case the victim wasn’t a website or another form of consumer site. It was the government of the Kingdom of Saudi Arabia.

Origins

The trouble began in April of 2015 when al-Hayat, a leading pan-Arab news outlet and paper with a circulation estimated at over 200,000, was hacked and defaced as a part of #OpSaudi. Al-Hayat is known for its pro-Saudi stance, which may have influenced the attack. The image that was left on the site featured anti-Israeli and anti-American rhetoric and a warning to the enemies of Yemen and the supporters of the Kingdom of Saudi Arabia.

The group that claimed responsibility for the al-Hayat attack, the Yemen Cyber Army, was the same group that claimed responsibility for the breach that affected the Saudi Ministry of Foreign Affairs (MOFA). It is unclear at this time when the breach occurred; however, early coverage of the breach was noted on online news sources such as this one. Following suit, on May 21, 2015, an anonymous individual or group of individuals posted the following to Twitter via the hxxp://www.quickleak.org site:

[Image: screenshot of the quickleak post]

The Yemen Cyber Army’s reason for conducting the attack against the Saudi Arabian MOFA was based on Saudi Arabia’s involvement with the conflicts in Yemen. The Yemen Cyber Army is a relatively new threat actor group. Some of the first known instances of activity attributed to the Yemen Cyber Army occurred in February 2012. This activity involved website defacement and messaging. At the time of this writing there are several theories being discussed within the research community regarding the identity of the actor or actors involved in the Yemen Cyber Army. Some argue that this is the work of one individual whose political and activist activities have varied over the last three years. It’s important to note that at this time no one has come forth, in an official or unofficial capacity, with information describing in detail how the breach was executed. We do not know if those details are being suppressed at this time.

What Was Stolen and Disclosed To The Public

The Yemen Cyber Army has been quite vocal about what it has stolen and what it has access to. The threat actor group has claimed to have stolen a vast amount of data, and in truth the data leaked up to this point in time has been alarming. Much of the data is of a very sensitive nature, including e-mails belonging to top Saudi diplomats, Foreign Ministry staff, Intelligence Community members, and military personnel. Additionally, many classified documents and communications between Saudi officials and other governments dating back to the early 1980s were disclosed. All subdomains and servers related to the MOFA, as well as the private information belonging to 30,000 citizens and 11,000 MOFA personnel, were also taken and posted online. The threat actors left a message on the compromised hosts in the Saudi Arabia MOFA network. This image depicts what the Yemen Cyber Army left behind:

[Image: message left by the Yemen Cyber Army on compromised MOFA hosts]

Conclusion

At the time of this writing, the actions of the Yemen Cyber Army continue to indicate that it is an agenda-driven, politically motivated threat actor. The actions taken by the Yemen Cyber Army indicate that they believe they are justified in attacking the Kingdom of Saudi Arabia for its involvement in the military conflicts in Yemen. What remains unclear is the true identity of the threat actor or actors participating in the Yemen Cyber Army, the vulnerabilities that they exploited to gain access to the infrastructure controlled by the Saudi Arabia MOFA, and the TTPs associated with the threat actor group. It is our belief that until more information is made available it will be extremely difficult to conduct deeper analysis of this breach.

On Saturday, May 23, 2015, the Iranian website http://www.presstv.ir ran a story asserting that the Saudi Arabian media had confirmed the breach occurred after speaking with Osama bin Ahmad al-Sanousi, a senior official at the Kingdom of Saudi Arabia’s Foreign Ministry. The Saudi spokesman is reported to have downplayed the seriousness of the attack, calling it “limited.” The world will have to wait patiently for more details to be divulged in this case. Saudi Arabian officials should act swiftly in assessing the MOFA environment and assets by conducting incident response and forensic analysis.