Introduction

Recently we wrote about the initial breach of the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia (KSA).  We felt like this was noteworthy for several reasons:

  1. It was not a private corporation; it was a nation state
  2. It was an ally of many nations in the Western world including the United States and the United Kingdom
  3. The alleged attacker was bold in taking responsibility for the breach (e.g. posting both claims of responsibility and evidence in the form of data on social media and paste accounts)
  4. There was almost no Western coverage of the breach whatsoever (up until recently)

The Breach and the Yemen Cyber Army

The breach of the Ministry of Foreign Affairs (MOFA) of the Kingdom of Saudi Arabia (KSA) was made public on 21 May, 2015.  The alleged attackers claimed to have compromised over 3,000 computers and servers belonging to the Ministry of Foreign Affairs along with the personal and secret data of “…hundreds of thousands of their staff and diplomats in different missions around the world.”

The group that allegedly assumed responsibility for this breach was the Yemen Cyber Army (YCA). The Yemen Cyber Army’s origins are the subject of much debate, as are its membership and its political affiliations. The group first appeared in 2011, was actively involved in defacements and other miscreant activity through 2013, and resurfaced in early 2015. Open source intelligence analysis suggests that there are multiple individuals involved with the group and that these individuals work in concert to promote the group’s activities.

Digital Shadows (now ReliaQuest) Analysis of the Yemen Cyber Army

Digital Shadows (now ReliaQuest) has conducted extensive research into the Yemen Cyber Army. We’ve studied its use of social media and other outlets of communication. The content that the group has generated and promoted through these channels (e.g. various parties’ Twitter accounts, Facebook accounts, Pastebin and other paste sites) suggests that the group has shifted its ideologies since its inception in 2011, moving away from its condemnation of the Yemeni-based Islamic Shiite movement, the Houthis, and their allies, to a more supportive position of the movement in 2015. There are likely several reasons that this shift has occurred. We believe that these reasons may include the following:

1.    There was a fundamental shift in membership within the group.

No one knows for certain how many active or historical participants are or were a part of the Yemen Cyber Army (YCA); however, we do have a credible understanding of the messaging and patterns of language, including rhetoric and slang, that they have used over time. This insight has helped us formulate opinions based on the information we have at our disposal. It should be noted that these patterns have changed over time and those changes support the idea that there has been a fundamental shift in membership and / or ideology within the group.

2.    There are multiple people, groups and / or proxies operating under the name “Yemen Cyber Army”.

We believe that this is possible and highly likely because there has been an ideological shift within the group in addition to changes in their messaging and rhetoric. Additionally, there has been an evolution in their capabilities that suggests that their current capabilities differ significantly from the capabilities first observed between 2011 and 2013. This evolution has seen the group move from simple website defacements to large-scale breaches, which demonstrates significant growth of technical capability.

Figure 1: Yemen Cyber Army Facebook Page

We believe that it is also possible that there are multiple people, groups and / or proxies operating under the name “Yemen Cyber Army”. If this is the case, it may explain why it appears that their capabilities have matured demonstrably in recent history versus the capabilities they demonstrated in the past. Additionally, it may also explain the shift in political ideology noted above with respect to the Yemen Islamic Shiite movement. This hypothesis correlates with those held by other research organizations, which suggest that a nation state such as Iran may be supporting or driving the actions of the Yemen Cyber Army. There are several notable observables tied to this belief, including the fact that the initial news coverage of the breach of the Ministry of Foreign Affairs (MOFA) of the Kingdom of Saudi Arabia (KSA) was provided by the FARS news agency (a news agency located in Iran). However, it should be noted that there is no concrete evidence available at this time that ties Iran to the activities associated with the Yemen Cyber Army. Though rooted in conjecture, it is important to note and recognize this possibility, as it would not be the first time a nation state has used an otherwise independent organization as a proxy for its actions. Other theories exist with respect to the Yemen Cyber Army and potential ties to other groups. Such theories include the idea that the YCA was in fact involved with a Pakistani hacking group known as the ‘Hex Hackers’; however, this has yet to be substantiated.

Conclusion

What then can we conclude with respect to the Yemen Cyber Army, its activity, and its membership? We can conclude that the Yemen Cyber Army has undergone fundamental changes to its philosophical and / or ideological leanings in recent years that have accompanied a perceived increase in cyber capabilities of the group. Whether this is due to an influx of new members, the maturing of legacy members, or the presence of another group working within or under the guise of the Yemen Cyber Army is unknown.

We can also conclude that, in all cases where attribution is a compelling factor for identifying threat actors with certainty, the race to discover, expose, and identify the “real” threat actors will continue for the foreseeable future. Furthermore, we can conclude that if a nation state such as Iran was in fact involved in either the support or active proxying of the Yemen Cyber Army (YCA), it would attract the attention of not only the Kingdom of Saudi Arabia (KSA), but of its allies as well. For the moment, we must wait for more information to come to light as the Kingdom of Saudi Arabia (KSA) continues its investigation into this case. If they decide to divulge and share more information related to the breach, perhaps we will have a better idea of who is truly responsible for the actions taken against them and for what reason.

For more information regarding the breach and the Yemen Cyber Army please visit the Digital Shadows (now ReliaQuest) portal.