10-04-2025
‘Face the Consequences': Moroccan Hackers Strike Back at Algerian Targets
Doha – A Moroccan hacking group called 'Phantom Atlas' has claimed responsibility for launching retaliatory cyberattacks against Algerian government institutions, following a hostile data breach at Morocco's National Social Security Fund (CNSS) by Algerian hackers.
In a message posted on Telegram yesterday, Phantom Atlas announced they had successfully breached the internal systems of Algeria's General Post and Telecommunications Corporation (MGPTT) within 24 hours of the CNSS attack.
The group claimed to have extracted 'over 13 gigabytes of confidential files' containing personal data and 'highly sensitive strategic documents,' with some reports suggesting the stolen data could reach up to 20 gigabytes.
'We are observing. We are capable. Any future act of provocation will be met with a targeted and disproportionate response,' the group warned in their statement, directly addressing the Algerian government.
The Moroccan hackers also claimed to have penetrated the Algerian Ministry of Labor's systems, stating they uncovered documents revealing 'deep structural flaws and chronic mismanagement within key state institutions.'
Phantom Atlas made an explicit reference to the Western Sahara dispute: 'The Moroccan Sahara is not up for debate. It will remain under full Moroccan sovereignty. Morocco will never relinquish a single inch.'
Following attempts by MGPTT Director General Zekri Mahmoud to downplay the breach, they further cautioned this morning: 'To those hiding behind false slogans and trying to mask their failure – the recent leaks are not a simple incident, they are an indirect message. Your attempts to minimize this event will not go unnoticed.'
In a parallel operation, another Moroccan entity identified as 'OPx005' reported executing a large-scale DDoS attack that successfully disrupted multiple Algerian government websites, including those of the Prime Minister's office, Ministry of Foreign Affairs, Ministry of Interior, and Ministry of Defense.
CNSS breach exposes millions of Moroccan employee records
The counterattacks came after the Algerian hacking group 'Jabaroot' breached CNSS systems, reportedly exposing personal data of nearly 2 million Moroccan employees across approximately 500,000 businesses.
The leaked documents allegedly included salary certificates and employee lists from various organizations, including the royal holding SIGER and the Israeli liaison office in Rabat.
In an official statement Wednesday, CNSS acknowledged the breach but claimed that preliminary verification showed the leaked documents were 'often false, inaccurate or truncated.'
The institution confirmed its computer system had been targeted by 'a series of cyberattacks aimed at circumventing security measures.'
'As soon as the data leak was observed, the IT security protocol was activated with corrective measures that contained the path used and strengthened infrastructures,' CNSS stated, adding that measures have been implemented to identify the affected data precisely.
In response, Jabaroot released personal information of CNSS Director General Hassan Boubrik and challenged the institution: 'We are ready to apologize and withdraw all published data if CNSS can prove that even a single document in the leak is false, particularly regarding senior officials' salaries.'
The incident has drawn attention from political figures, with Abdellah Bouanou, head of the Justice and Development Party's (PJD) parliamentary group, calling for enhanced cybersecurity measures across ministerial sectors and public institutions.
The Algerian hackers claimed their initial attack was in retaliation for alleged 'Moroccan harassment of official Algerian social media pages,' specifically citing the suspension of the Algerian Press Service (APS) account on the social media platform X.
Meanwhile, Phantom Atlas concluded their message with a stern warning. 'This is not merely a cyberattack. It is a message of deterrence and defiance. We will not remain silent in the face of aggression,' they vowed.
'Every hostile act against Morocco, its people, or its sovereignty will be answered. This is a show of force, resilience, and strategic reach. You underestimated us. Now you are witnessing the consequences.'
Who is behind the CNSS breach?
A subsequent investigation by Moroccan cybersecurity researchers into the Jabaroot breach uncovered what experts described as a 'Bad OpSec' (Bad Operational Security) mistake that exposed the attacker's identity.
The error occurred when Jabaroot initially forwarded messages from a personal Telegram account with the handle '3N16M4' instead of posting directly to their channel.
Though the messages were quickly deleted and reposted without the forwarding tag, Moroccan researchers had already captured the digital trail.
The investigation traced the handle to a GitHub account belonging to a security engineer named Rachid Mzannar, currently residing in Bochum, Germany.
While the Jabaroot group claimed Algerian origins, forensic analysis of CTF (Capture The Flag) competition records suggested the individual behind the handle was actually from Tunisia.
The investigation team, comprising researchers Edd13Mora, Jakom, 0xPwny, C3poD4Y, ZeroMemoryEx, Tea, and Farisi, noted that while these findings raise questions about the attack's true origins, they remain preliminary and require further verification. Tags: cyberattacksMoroccan hackersThe National Social Security Fund (CNSS)
