
Decoding Cyberattacks on Morocco

Published On : 2024-11-28

EXECUTIVE SUMMARY

This report examines the reasons for, impacts of, and responses to the recent cyberattacks in Morocco, which some believe could be linked to the long-standing dispute between Morocco and Algeria over the Western Sahara region. As tensions between the two countries escalate, cyberattacks are expected to increase, targeting government websites, critical infrastructure, military sites, and key industries such as oil and gas. Pro-Israeli hacktivist groups have claimed responsibility for a recent attack, citing Morocco’s support for Palestine as a motivating factor. This surge in cyber threats highlights the urgent need for strengthened cybersecurity measures across all sectors in Morocco.

INTRODUCTION

Recent cyberattacks in Morocco highlight the growing prominence of cyber warfare in modern geopolitical conflicts. In an era where international relations are increasingly complex, digital attacks have become a powerful tool for state and non-state actors to inflict damage and assert influence.
The involvement of a pro-Israel hacktivist group in these incidents illustrates the influential role of non-state actors in shaping the global cyber landscape. Motivated by ideological and political objectives, such groups can carry out impactful cyber operations with far-reaching consequences. The Moroccan cyberattack serves as a stark reminder of the intricate dynamics between state and non-state entities in cyber warfare. This report explores these incidents in further detail.

Key Threat Actors Targeting Morocco

Pro-Algeria Hacktivist Groups:

  • Hacktivist groups like Anonymous Algeria, EvilBbyte, Abdelmomen Astra, and their allies launched attacks in support of Palestine, targeting entities in Morocco during the ongoing Israel-Palestine war.
  • Motives: Support for Palestine and Arab Nations, tensions surrounding the Western Sahara region, and opposition to perceived Israeli influences and alliances.
  • Attack Methods: Various methods, including Distributed Denial of Service (DDoS) attacks, data theft and leaks, and website defacement.
  • Notable Victims: The National Initiative for Human Development, Morocco Telecom, ADSL of Telecom Morocco, Moroccan Airline, and Moroccan contractor companies.
  • Recent cyber incidents have exposed serious weaknesses in the country’s digital security: in recent weeks, Moroccan Internet providers and users faced a major breach of Remote Desktop Protocol (RDP) systems, while the city of Agadir saw a large-scale cyberattack that affected over 16,000 IP addresses and domains. The decentralized hacker group RCH took credit for the attacks, claiming they were retaliatory actions against Moroccan hackers allegedly targeting Algeria. These events highlight the escalating cyber tensions in the region.

Image: An actor targets Morocco in retaliation for a cyberattack on Algeria

Image: Hacktivist group targeted Morocco entities during the Israel-Palestine war

Image: Hacktivist group targeted Human Development of Morocco

Breakdown:
The Moroccan online journal Maroc Hebdo confirmed they were targeted by a cyberattack on November 16, 2024, which came shortly after the release of the magazine’s latest issue featuring the cover story ‘Algeria Wants War.’ The cyberattack is believed to be a DDoS originating from Algerian hackers, and it was still ongoing at the time of this report’s publication.

Image: Cyberattack on Maroc Hebdo followed by the publication of provocative headline: Algeria Wants War

Additional Threats:

The cyber threat landscape has seen a significant recent evolution, with advanced threat actors utilizing increasingly sophisticated tactics to target organizations across a wide range of sectors. Notable among these are hacker collectives like ‘Cyb3r Drag0nz’, ‘Team 1919’, and ‘THE NIGHT HUNTERS’, who have emerged as prominent players in the growing wave of cyberattacks against entities in Morocco.

Threat Actor: On October 5, 2024, a threat actor advertised paid access to one of Morocco’s infrastructure systems, including access to documents and other related assets. Access details were listed, with web access to be granted upon confirmation of the transaction. The actor instructed interested parties to communicate via Telegram or private message to finalize the terms of the offer.

Image: An actor Offering Web Access to Morocco’s Infrastructure

Threat Actor: This threat actor claimed to have leaked a sample database associated with Résidences Universitaires Al Massira (ruam[.]ma) and the Ministry of National Education. The leaked database from the Ministry of National Education contains login details for 30,000 students.

Image: An actor leaked a sample database from the Ministry of National Education and Pre-School Education

Image: An actor leaked a sample database from Résidences Universitaires Al Massira

STORMOUS Ransomware: Last year, the group claimed to sell unauthorized VPN access to Inwi, a telecommunications company based in Morocco. The access allegedly bypasses all security measures, including firewalls and intrusion detection systems, and provides entry to the entire network. The threat actor further claimed to use advanced encryption to secure communications, so that the access would remain resilient against detection attempts.

Image: Stormous Ransomware group selling unauthorized VPN Access to INWI

Based on our analysis, we have created a pie chart depicting ransomware attacks observed in Morocco between 2023–2024.

Image: Pie-chart analysis for ransomware attacks in Morocco

Advanced Cyber Threats

Phishing Campaigns

  • In Morocco, multiple sophisticated phishing campaigns have been detected this year, likely due to the ongoing, long-standing dispute between Morocco and Algeria.
  • A new threat actor ‘Starry Addax’ has been targeting human rights activists in Morocco and Western Sahara using phishing attacks to install malicious Android apps and harvest credentials from Windows users.
  • Researchers are tracking this group, which has been active since January 2024, focusing on activists linked to the Sahrawi Arab Democratic Republic (SADR).
  • Starry Addax uses fake apps and phishing sites to trick victims into downloading malware, including ‘FlexStarling’, a versatile Android Trojan that steals sensitive information and allows the attacker to control infected devices.
  • The group’s operations appear highly targeted and designed to remain undetected, highlighting a growing threat to activists in politically sensitive regions.

Geopolitics:

The relationship between Morocco and Algeria has been historically tense, with ongoing disputes over territory and resources and contention over regional dominance. This tension has spilled over into the cyber domain, with both countries accusing each other of cyberattacks on numerous occasions. The strained relationship between Morocco and Algeria has significant cybersecurity implications and has caused Algeria to be a target for years.

The ongoing tensions create an environment where cyberattacks are more likely to occur, as Algeria will seek any covert means, including in the fifth domain (cyberspace), to gain an advantage, increasing the risk of disruptive attacks targeting critical infrastructure, government systems, and private sector entities in Morocco. The cyberattacks also have the potential to escalate, leading to a broader cyber conflict with potentially severe consequences for Morocco’s digital infrastructure and economy.

Recommendations:

The threat actors leveraged sophisticated tools and techniques to target Moroccan companies. The primary attack methods used in these cyberattacks included DDoS attacks, web defacement, and ransomware attacks. Below are a few key recommendations that will help to prevent such attacks.

  • Implement multi-layered DDoS protection for all critical systems and accounts.
  • Understand the warning signs of DDoS attacks, such as unusually high traffic volume, network connectivity issues, irregular log entries, and system crashes.
  • Utilize endpoint detection and response tools to monitor and respond to threats in real time.
  • Deploy a reputable anti-malware solution and VPN to prevent systems from becoming part of a botnet.
  • Integrate CAPTCHA challenges into the DDoS defense strategy to help mitigate potential risks.
  • Segment networks to limit the spread of malware and restrict access to sensitive information.
  • Limit the privileged or administrative access to websites and sensitive information.
  • Regularly scan websites for vulnerabilities to improve security and reduce the risk of penetration and defacement.
  • Implement strict access controls and network policies.
  • Assess the security practices of third-party vendors and partners.
  • Include cybersecurity requirements in contracts and conduct regular audits of third-party compliance.
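As an added illustration of the DDoS warning signs listed above (high traffic volume, irregular log entries, server errors), the following Python script is not from the original report: it runs a simple per-minute detector over constructed web-server log lines in combined log format, with threshold values chosen for the sample rather than taken from any real deployment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample traffic (not real logs): one quiet minute, then a flood
# from four sources hammering a single page and receiving 503 errors.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Nov/2024:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.11 - - [16/Nov/2024:09:00:07 +0000] "GET /issue/latest HTTP/1.1" 200 8120
198.51.100.5 - - [16/Nov/2024:09:00:20 +0000] "GET /about HTTP/1.1" 200 2210
203.0.113.10 - - [16/Nov/2024:09:00:45 +0000] "GET /contact HTTP/1.1" 200 1800
"""
SAMPLE_LOG += "".join(
    f'192.0.2.{i % 4} - - [16/Nov/2024:09:01:{i % 60:02d} +0000] '
    f'"GET /issue/latest HTTP/1.1" 503 0\n'
    for i in range(120)
)

# Combined log format: client, ident, user, [timestamp], "request", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse(lines):
    """Yield (minute bucket, client ip, status code) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # malformed line: skip rather than crash the detector
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts.strftime("%Y-%m-%d %H:%M"), m["ip"], int(m["status"])

def detect_ddos_signs(log_text, per_min_threshold=50, per_ip_threshold=20, error_ratio=0.5):
    """Return {minute: [reasons]} for minutes that show DDoS warning signs."""
    total, errors, per_ip = Counter(), Counter(), defaultdict(Counter)
    for minute, ip, status in parse(log_text.splitlines()):
        total[minute] += 1
        per_ip[minute][ip] += 1
        if status >= 500:
            errors[minute] += 1
    alerts = {}
    for minute, n in total.items():
        reasons = []
        if n >= per_min_threshold:               # unusually high traffic volume
            reasons.append(f"high volume: {n} requests")
        noisy = sorted(ip for ip, c in per_ip[minute].items() if c >= per_ip_threshold)
        if noisy:                                # a few sources dominate the minute
            reasons.append("top talkers: " + ", ".join(noisy))
        if errors[minute] / n >= error_ratio:    # irregular entries: server errors
            reasons.append(f"server errors: {errors[minute]}/{n}")
        if reasons:
            alerts[minute] = reasons
    return alerts

if __name__ == "__main__":
    for minute, reasons in detect_ddos_signs(SAMPLE_LOG).items():
        print(minute, "->", "; ".join(reasons))
```

Thresholds should be tuned against each site's normal baseline; the ones here only make the constructed flood stand out from the quiet minute.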

Conclusion

The ongoing cyberattacks against Morocco have targeted various entities across the country, disrupting critical sectors. In response, several cyber threat groups – including the Moroccan Black Army, Moroccan Cyber Forces, Moroccan Soldiers, Moroccan CyberAliens, and Moroccan Dragons (along with their allies) – have escalated their operations, launching retaliatory attacks against Algeria and other pro-Israel nations. This wave of cyber activity appears to be driven by geopolitical tensions. The result of this assessment may encourage the victim country to prioritize and allocate resources to address cybercrime, thereby strengthening their safety measures.