OSINT

In April 2025, Morocco's Caisse Nationale de Sécurité Sociale (CNSS) experienced a major data breach by the hacker group 'Jabaroot DZ,' exposing sensitive information of around 2 million employees and 500,000 companies. The attack was reportedly a retaliation for alleged Moroccan cyber activities against Algeria, highlighting the rising cyber tensions between the two nations. The CNSS has initiated an internal investigation and enhanced security measures in response to the breach.

Uploaded by qdavi9257

CNSS Data Breach (April 2025)

by: Derrar Chakib

1. Executive Summary:

In April 2025, Morocco's Caisse Nationale de Sécurité Sociale (CNSS) suffered a
significant cyberattack attributed to the hacker group "Jabaroot DZ." The breach
resulted in the exposure of sensitive data for approximately 2 million employees and
500,000 companies. The attackers claimed the operation was retaliation for alleged
Moroccan cyber activities against Algerian institutions. This incident underscores the
escalating cyber tensions between Morocco and Algeria and highlights vulnerabilities
in national cybersecurity infrastructures.

2. Incident:

➔ Date of Breach Announcement: April 8, 2025
➔ Threat Actor: "Jabaroot DZ"
➔ Affected Institution: Caisse Nationale de Sécurité Sociale (CNSS), Morocco
➔ Data Leaked:
    ◆ Approximately 53,574 PDF files containing employee salary information
    ◆ CSV files with details on nearly 500,000 companies and 1.9 million employees
➔ Dissemination Platforms: Telegram, BreachForums
➔ Motivation: Retaliation for alleged Moroccan cyberattacks on Algerian entities
➔ Official Response: CNSS acknowledged the breach, initiated an internal
investigation, and implemented enhanced security measures. The National
Commission for the Protection of Personal Data (CNDP) expressed readiness
to investigate complaints from affected individuals.

3. Threat Actor Profile: "Jabaroot DZ"

"Jabaroot DZ" is a hacker group that emerged on April 8, 2025, claiming
responsibility for the CNSS breach. Open-source intelligence suggests the group
may be based in Algeria, with potential links to the broader geopolitical tensions
between Morocco and Algeria. The group disseminated the leaked data via Telegram
and BreachForums, rapidly gaining attention and followers. Their stated motivation
was to retaliate against Moroccan cyber activities targeting Algerian institutions,
including the alleged hacking of the Algerian Press Service's Twitter account.

4. Geopolitical Context:

The breach is set against a backdrop of escalating tensions between Morocco and
Algeria, particularly over the Western Sahara dispute. The threat actor cited the
hacking of the Algerian Press Service's Twitter account, allegedly by Moroccan
actors, as a catalyst for the CNSS breach. This incident underscores the increasing
use of cyberattacks as instruments of geopolitical conflict.

5. OSINT Investigation:

Findings on the IP address 158.220.107.208, which is potentially linked to the
recent malicious activity:

The IP is hosted by a provider (Contabo) frequently abused for:

➔ C2 servers
➔ Web defacement
➔ Phishing/malware delivery
➔ Data leaks

There is no immediate evidence of blacklisting or VirusTotal (VT) flags, but active
scanning and pivoting with domain/IP correlations are needed.

If linked to the Jabaroot DZ group, it could be:

➔ A temporary staging ground for CNSS data leaks
➔ Hosting exploit frameworks (Metasploit, Empire, Cobalt Strike)
➔ Part of a pivot chain (reverse shell callbacks)
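
The domain/IP correlation step mentioned above, as an added example that is not part of the original report: a passive-DNS pivot from the IP that ignores resolutions outside the incident window, because addresses at a hosting provider are reassigned between customers and old records would link unrelated tenants. The passive-DNS rows, the `.example` domains, the second IP and the time window are constructed assumptions, not findings.

```python
from datetime import date

SEED_IP = "158.220.107.208"  # the IP named in the report
# Constructed passive-DNS rows (domain, ip, first_seen, last_seen); not real findings.
PDNS = [
    ("leak-mirror.example", "158.220.107.208", date(2025, 4, 6), date(2025, 4, 12)),
    ("old-tenant.example", "158.220.107.208", date(2023, 1, 10), date(2023, 6, 1)),
    ("leak-mirror.example", "203.0.113.40", date(2025, 4, 10), date(2025, 4, 20)),
    ("panel.example", "203.0.113.40", date(2025, 4, 9), date(2025, 4, 15)),
    ("cdn-shared.example", "203.0.113.40", date(2021, 2, 1), date(2021, 3, 1)),
]
# Assumed window of interest around the April 8, 2025 announcement.
WINDOW = (date(2025, 4, 1), date(2025, 4, 30))


def in_window(first_seen, last_seen, window):
    """True when the resolution period overlaps the window of interest."""
    return first_seen <= window[1] and last_seen >= window[0]


def pivot(seed, records, window, max_hops=2):
    """Breadth-first IP <-> domain pivot over in-window resolutions only.
    Returns {indicator: hop distance from seed}; the hop limit keeps the
    result from sprawling across shared infrastructure.
    """
    live = [r for r in records if in_window(r[2], r[3], window)]
    hops = {seed: 0}
    frontier = {seed}
    for hop in range(1, max_hops + 1):
        reached = set()
        for domain, ip, _first, _last in live:
            for src, dst in ((ip, domain), (domain, ip)):
                if src in frontier and dst not in hops:
                    hops[dst] = hop
                    reached.add(dst)
        frontier = reached
    return hops


def out_of_window_links(seed, records, window):
    """Indicators paired with the seed in rows outside the window (possible earlier tenants)."""
    return sorted({d if i == seed else i for d, i, f, l in records
                   if seed in (d, i) and not in_window(f, l, window)})


if __name__ == "__main__":
    for indicator, hop in pivot(SEED_IP, PDNS, WINDOW).items():
        print(hop, indicator)
    print("out of window, review manually:", out_of_window_links(SEED_IP, PDNS, WINDOW))
```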
