Cyberlands.io - API Penetration Testing

Top-9 Cybersecurity Breaches in Saudi Arabia

Learn about the state of cybersecurity in Saudi Arabia and the 9 biggest breaches in this country.
As technology progresses, more countries become aware of how essential cybersecurity is. Around 44 cyberattacks happen every minute, and the target can be an individual or a business, a large enterprise or a small company. If organizations want their employees, citizens, or customers to be safe, physical security is not the only thing they should be investing in.

Saudi Arabia is one of the countries that take cybersecurity seriously: it ranked second in the global ranking of countries' commitment to cybersecurity. It also faces 22.5 million cyberattacks per year, so it has had to introduce numerous cybersecurity programs, training courses, and education resources, and it continues to expand its cybersecurity capabilities.

Yet some companies still ignore security and fall victim to cyberattacks. We have collected the top 9 cybersecurity breaches in Saudi Arabia and what can be learned from them.
#1 Caller ID App Dalil Exposed Data of More Than 5 Million Users
Dalil - Caller ID is a popular Saudi app for finding and identifying telephone numbers and reporting suspicious ones. It is mostly used to avoid scammers. It has more than 5 million downloads and is the 13th most popular communication app in Saudi Arabia.

The app's MongoDB database was misconfigured and, therefore, publicly accessible. Anyone who looked could find names, gender, email addresses, professions, mobile numbers, IP addresses, SIM card details, device information, and GPS locations. In total there were more than 585 GB of data.

The vpnMentor team found the openly accessible database. They reported it to the company and later published a report on their website. They also found ransomware actively encrypting the data, meaning that someone was already trying to profit from it.

The developers did not notice the issue, nor the ransom note someone had left behind. This suggests the project had been left on autopilot, with security receiving far less attention than it should have.
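An exposure of this kind usually comes down to two settings in mongod.conf: which interfaces the server listens on and whether access control is enabled. The following is an added example, not code from the original post, from vpnMentor, or from the Dalil developers, that audits a mongod.conf for those two settings. The parser handles only the plain nested-mapping subset of YAML that mongod.conf files use, and both sample configurations are constructed for illustration, not the app's actual configuration.

```python
"""Audit a mongod.conf for the two settings that most often leave a MongoDB
instance readable by anyone on the internet: listening on every interface
and running without authorization.  Added example code; the sample configs
below are constructed, not a real deployment's files."""

# Listener addresses that expose the server to every network it is attached to.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Parse nested 'key: value' mappings indented with spaces.

    Sufficient for mongod.conf; it is not a general YAML parser (no lists,
    no quoting, and a value containing ':' such as an IPv6 address would
    need quoting it does not support)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    # MongoDB 3.6+ defaults bindIp to localhost when it is absent; older
    # builds listened on all interfaces, so treat an absent key as a default
    # only if you know the server version.
    bound = {ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")}
    public = sorted(bound & PUBLIC_BINDINGS)
    if public:
        findings.append(f"net.bindIp includes {public}: reachable from any network")

    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can "
            "connect can read every collection"
        )
    return findings


# Constructed example: the kind of setup that leaves a database wide open.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
"""

# Constructed example: local-only listener with access control enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Passing these two checks is the minimum, not a guarantee: if application servers on another host need the database, `bindIp` has to include that interface, and the protection then rests on `authorization: enabled` together with a firewall rule limiting who can reach port 27017, which this audit does not inspect.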
#2 Database of the King Saud University Was Hacked
King Saud University is the oldest university in Saudi Arabia and one of the most prestigious. It has around 40,000 students and notable alumni such as the crown prince of Saudi Arabia and Saudi Arabia's Permanent Delegate to UNESCO.

You might expect the databases of such a university to be well protected. As it turns out, they were not. The official KSU website was hacked by a hacker known as Yourikan, who stole data on more than 800 users, both staff and students. The data included names, email addresses, mobile phone numbers, and passwords. The hacker dumped the data on the Internet but urged students to change their passwords, since some of the names, emails, and passwords matched profiles on other services, such as Facebook or email accounts. Yourikan also claimed to have financial information but chose not to publish it, describing himself as a white-hat hacker who only wanted to show how insecure the country's systems are.
#3 Hackers Stole User-Related Data from Telecommunication Company Virgin Mobile
Virgin Mobile is a telecommunication company that offers its services in over 13 countries, Saudi Arabia among them. In the country, they have more than 20,000 points of sale.

In 2020, hackers got into the Virgin Mobile KSA system, stole data, and offered it for sale on the dark web. Buyers could obtain employee emails, activation reports, account managers' performance data, and a list of 1,000 users that included usernames, employee names, and email addresses.

Security researchers found the data and notified the company. Virgin Mobile claimed the cause was a Microsoft Exchange problem that was fixed afterward. However, cybersecurity experts are sure that Exchange alone could not have held the stolen data; there must have been several security problems that allowed the hackers to obtain emails and customer information. Others claim that Virgin Mobile failed to patch the Exchange problem even though it knew about it, because it did not want productivity to drop. The case clearly shows that cybersecurity may not bring immediate positive results, but it always proves more important in the long run.
#4 Records of Healthcare Benefits Management Firm GlobeMed Saudi Were Compromised
GlobeMed Saudi offers support to insurance companies in Saudi Arabia, including international health services, providers' network management, approvals and claims processing, customer services, and business intelligence services.

In 2021, it was breached by Xing Team, a group that runs a data leak website for healthcare information. The hackers obtained 201 GB of data and published half of it on the site. It included patient names, phone numbers, credit card details, diagnoses on admission, coronavirus test results, medical records, and notes on patient conditions.

The security team learned about the breach very late because the email with the details had landed in the spam folder. Once they knew, they promptly activated an incident response plan and secured all the systems. They also contacted the affected patients and the KSA authorities to inform them about the incident.
#5 Saudi Arabian Monetary Agency Hit By Shamoon Malware
The Saudi Arabian Monetary Agency is the central bank of Saudi Arabia. It issues the national currency, supervises commercial banks, manages currency exchange reserves, and maintains price stability.

Its systems were hit by Iranian state-sponsored hackers using their signature Shamoon malware, a wiper that erases the disks and leaves the computers inoperable. The same campaign also targeted the General Authority of Civil Aviation, the Ministry of Transportation, and at least 4 other government bodies. The General Authority of Civil Aviation suffered the most: the malware deleted critical data, and all operations within the authority had to be halted for several days.

The hackers stole some government employees' passwords to get the malware in; how they obtained the passwords is still unknown. They launched Shamoon at the end of the business week so that as many computers as possible would be affected.
#6 Hackers Demand $50 Million from World's Largest Oil Producer Saudi Aramco
Saudi Aramco is the biggest oil company on the planet. It specializes in the exploration, production, transportation, and refining of oil and associated gas. It has almost 67,000 employees and $49 billion of annual net profit.

In 2021, it was hit by a massive cyberattack in which data belonging to third-party contractors was leaked; it is not known exactly who was affected. The hackers downloaded 1 terabyte of data and placed it on the darknet, demanding $50 million in cryptocurrency to delete it. Some experts say the company had been well behind in cybersecurity for years.

It was not the first time the company had been badly hit by a cyberattack. In 2012, it also suffered from the Shamoon virus. The hacker group called "The Cutting Sword of Justice" sent a phishing email carrying the virus; an employee opened it and let it into the system. Around 30,000 computers were destroyed within a couple of hours, and it took the company more than a week to return to normal operations.
#7 Cyber Attack on Saudi Petrochemical Plant
In 2017, a petrochemical plant in Saudi Arabia suffered a cybersecurity incident that could have had dangerous physical consequences. Hackers deployed malware designed not only to shut the plant down but to cause an explosion. The only reason the tragedy did not happen was a small mistake in the malware code.

Malware of this sophistication was likely state-sponsored, since it required considerable expertise and planning. Even though the plant did not explode, the incident showed how cyberattacks can cause real physical damage. It alerted firms everywhere and encouraged them to review their cybersecurity efforts.
#8 Hacking and Defacing the Website of Davos in the Desert
Davos in the Desert is the nickname of the annual Future Investment Initiative summit. The summit aims to attract investors and to move the country away from its dependence on petroleum products. Government officials and CEOs of big enterprises are usually among the guests.

In 2018, the official website of the summit was hacked. In place of the usual homepage was a picture of the murdered Saudi journalist and of Saudi Arabia's crown prince, the country's de facto ruler, holding a sword. The page also carried written accusations that the Kingdom had committed barbaric and inhuman acts, along with sensitive information about government employees and senior staff of state-sponsored companies.

The website was quickly taken down. However, some countries still opted to send lower-level officials or not attend at all because of the journalist's killing and the security threat.
#9 The Tortoiseshell Group Attacked Major Saudi IT Firms
Tortoiseshell is a threat group that in 2019 attacked mostly Saudi IT firms in order to reach those IT service providers' clients. Around 11 firms were hit, and in some cases the hackers gained admin-level control over the companies' systems.

The group uses both custom and publicly known malware. Its unique tool is Backdoor.Syskit, which installs itself and sends the machine's IP address, operating system name and version, and MAC address to the attackers via a link; the attackers can then delete, upload, or unzip data on the machine.
Conclusion
These Saudi cases offer a lot of lessons. There are cases where the productivity drop caused by security patching is far less damaging than the data leak it would have prevented, and there are planned attacks with a state-sponsored wiper that can erase critical information in government bodies. However, one of the most astonishing incidents happened at the petrochemical plant, where we see how real cybersecurity threats are.

The cases vividly depict how important cybersecurity efforts are, both for physical and digital safety.
Cyberlands.io Team