Algerian hackers strike back at Morocco over X breach: Learning for CISOs

An Algerian hacker group identifying as Jabaroot initiated a cyber defacement campaign in April 2025 against the website of Morocco's Ministry of Economic Inclusion. The group stated that this act was a retaliation for Moroccan hackers allegedly compromising the X account of the Algeria Press Service (APS). But the Moroccan ministry downplayed the incident, asserting that no sensitive data was compromised. In response, the group published over 3,000 documents, purportedly employee payslips, challenging the ministry's claims.

Source: Resecurity

A step-by-step breakdown of the attack

In early April 2025, tensions in cyberspace between Algerian and Moroccan hacking groups escalated dramatically, culminating in a series of targeted cyberattacks. The catalyst appears to be the alleged compromise of the APS’s X account by Moroccan hackers. In retaliation, a cyber group identifying as Jabaroot launched a coordinated campaign against Moroccan government institutions, including the Ministry of Economic Inclusion and the National Social Security Fund (CNSS). The attackers created a Telegram channel to disseminate their motives and leak data, declaring the APS incident as the primary trigger for their offensive.

Well before the breach occurred, Moroccan cybersecurity expert Hassan Kherjouj raised concerns about vulnerabilities in the ministry’s digital infrastructure. In a detailed Facebook post shared on Apr. 3, 2025, he outlined several critical issues, including:

The critical weaknesses in the ministry's website infrastructure.
Issues within the WordPress configuration, specifically the file public_html/wp-includes/class-wpdb.php, which manages database interactions.
The key threats identified, such as:
- Remote code execution.
- File modifications via malware and backdoors.
- SQL injection attacks.
The observation that even merely revealing the database file’s name posed a serious security risk, as it would greatly ease exploitation for attackers.

Soon after these warnings, Algerian hackers executed a large-scale breach, temporarily disabling access to the ministry’s services. Algerian media claimed that millions of data points were exfiltrated. Investigations revealed that the compromised data was stored on unencrypted and poorly secured servers, allowing unauthorized access to sensitive financial and personal information. Preliminary investigations suggested the leak resulted from hackers bypassing the ministry's security systems.

The cyber offensive by Jabaroot on April 8 marked the beginning of a wave of attacks. In response, Moroccan hacker groups—including Phantom Atlas and Moroccan Cyber Forces, launched counterattacks on April 10. These groups claimed responsibility for breaching Algeria’s Social Security Fund for Postal and Telecommunications Workers, leaking 13–20GB of data, including ID numbers and administrative documents. Additionally, they claim to have accessed internal systems belonging to Algeria's Ministry of Labor.

The conflict didn’t stop there. On April 12, another Moroccan hacktivist group named Evil Morocco announced via Telegram that they had hacked into an Algerian university’s website and leaked academic data. This action is consistent with previous patterns in which hacktivists target educational and governmental platforms, which are typically protected by low- to mid-tier security protocols.

Cybersecurity firm Resecurity confirmed the authenticity of the leaked data, noting that it was not offered for sale, since the the stolen data had been uploaded to an underground forum on the dark web for free , suggesting motives beyond financial gain.

The threat actors leaked the salary records of several government officials, accusing them of attempting to downplay the incident.

Source: Resecurity

After this, the CNSS acknowledged the breach but claimed that many of the leaked documents were "misleading, inaccurate, or incomplete." Also, Morocco's National Control Commission for the Protection of Personal Data pledged to investigate complaints from individuals affected by the leak.

What began as a tit-for-tat cyber retaliation has now evolved into a wider digital skirmish tied closely to regional geopolitical tensions. The breaches have not only exposed glaring vulnerabilities within national systems but also underscored the growing importance of cybersecurity readiness in the face of digital warfare.

What was the impact of the attack?

Here's how the attack affected Morocco's ministries, citizens, and beyond:

The main target of the attack was Morocco's CNSS, which is responsible for managing pensions and insurance for millions. Personal records of thousands of Moroccan citizens have been exposed, including:
- Names, addresses, phone numbers, and emails.
- Salary slips and CNSS salary declaration certificates.
- ID numbers and employment details.
The volume of data exposed is:
- Over 53,000 PDFs.
- A compromised Excel file containing data on nearly 500,000 companies.
- 13–20GB of sensitive data was leaked in retaliatory attacks by Moroccan groups.
The threat actor has leaked a CSV file containing personal information of 1,996,026 employees from various enterprises operating in Morocco. Notably, the CNSS has more than 40,000 reporting companies and over 3.9 million employees in its system; so the data breach could be interpreted as large-scale. High-profile organizations included in the data:
- SIGER, the Moroccan royal family’s holding company.
- Major banks and media outlets.
- The Israeli Liaison Office in Morocco.
This exposed the data of not only citizens but also state-affiliated and international organizations, risking diplomatic and financial fallout.
The Ministry of Economic Inclusion’s digital platform became inaccessible, affecting services relied upon by job seekers, employees, and companies. This hindered day-to-day public service operations. Citizens reported an inability to access services like:
- CNSS account management.
- Salary certificate retrieval.
- Government job applications.
The attack is seen as a digital front of the long-standing political tensions between Algeria and Morocco.
The incident revealed systemic security lapses in Moroccan government institutions. This has undermined citizen trust in the government's ability to protect personal and financial data.

What are the vulnerabilities that led to the attack?

As cybersecurity specialist Kherjouj highlighted in his Facebook post, several critical vulnerabilities existed in the ministry's digital infrastructure. Here are the vulnerabilities that led to the attack:

Unsecured WordPress configuration: The ministry’s website was reportedly running on WordPress, a platform often targeted by attackers if not properly hardened. A major vulnerability was found in the public_html/wp-includes/class-wpdb.php file, which handles database interactions.
Misconfiguration in this file can lead to:
- SQL injection attack.
- Remote code execution.
- Backdoor or file modification.
Exposed database file paths: Kherjouj emphasized that exposing internal file names and structures (such as class-wpdb.php) is a serious danger. The fact that other actors were aware of file paths implies that directory indexing or debugging information was unintentionally disclosed to the public, providing attackers with a path to further compromise.
Lack of data encryption: The breached data was reportedly stored in unencrypted formats. This means that there was no protection at rest, which is a critical security failure for sensitive governmental records.
Delayed response despite early warnings: Although Kherjouj's warning was given five days before the attack, apparently nothing substantial was done to mitigate the vulnerabilities. Since there was no proactive response, attackers were able to take advantage of known vulnerabilities without encountering any resistance.

What are the key lessons for CISOs?

When it comes to cyber readiness, the attacks against Morocco offer a lot of lessons. Here are the key takeaways for CISOs:

Conduct regular vulnerability assessments: Continuously scan and patch public-facing systems like WordPress to eliminate unpatched vulnerabilities and prevent overlooked security gaps.
Adopt secure-by-design development practices: Ensure that all government platforms are built with security integrated from the core, rather than treated as an afterthought during deployment.
Enforce mandatory encryption standards: Implement encryption for all critical databases and data flows—both at rest and in transit—to safeguard sensitive personal and financial information.
Deploy layered, intelligent threat detection: Incorporate application-layer protection and behavioral analytics into your SIEM or security stack to catch sophisticated, multi-stage attacks.
Leverage behavioral analytics for threat detection: Monitor and flag anomalies like large data transfers, off-hour access, or sudden privilege escalations, enabling proactive rather than reactive responses.
Implement role-based access and network segmentation: Limit lateral movement by enforcing micro-segmentation and access control based on user roles and the principle of least privilege.
Establish regular cybersecurity drills: Conduct red-teaming exercises and tabletop simulations to evaluate incident response readiness and improve coordination during real attacks.
Account for geopolitical threats in risk models: Update risk assessments to include politically motivated cyberattacks, especially for the public sector and government-adjacent organizations.
Foster strategic cybersecurity collaboration: Partner with national CERTs, peer agencies, and global threat intelligence communities to gain early warnings and trace cross-border threats.
Promote a culture of shared cyber responsibility: Train end users, developers, and administrators regularly on cybersecurity best practices to build a strong human firewall alongside technical defenses.

Security guidelines CISOs should consider to protect critical data

Here are our policy-making recommendations for CISOs: