{
	"id": "ea9c6d80-bf56-4e1b-ae4d-ffe3eac2f965",
	"created_at": "2026-04-06T00:19:06.990936Z",
	"updated_at": "2026-04-10T03:33:36.473716Z",
	"deleted_at": null,
	"sha1_hash": "abb0f2de2563ec5d3db160d96f9d992940e2826e",
	"title": "Resecurity | Cybercriminals Attacked National Social Security Fund of Morocco - Millions of Digital Identities at Risk of Data Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3650419,
	"plain_text": "Resecurity | Cybercriminals Attacked National Social Security\r\nFund of Morocco - Millions of Digital Identities at Risk of Data\r\nBreach\r\nPublished: 2025-04-09 · Archived: 2026-04-02 10:50:47 UTC\r\nIntroduction\r\nResecurity has identified a threat actor targeting government systems in Morocco to exfiltrate large volumes of\r\nsensitive data relating to citizens. Using the alias 'Jabaroot,' the actor released claims about the successful\r\ncompromise of the National Social Security Fund of Morocco (CNSS). The motive behind the data breach\r\nremains unclear, but the scale of compromise already generated attention across the region's cybersecurity\r\ncommunity and privacy experts. The breach could be interpreted as Morocco's most significant cyber-attack by\r\nseveral victims (consumers).\r\nThe Morocco National Social Security Fund (CNSS), or Caisse Nationale de Sécurité Sociale, is a public\r\ninstitution responsible for managing the compulsory social security plan for salaried employees in Morocco's\r\nprivate sector, covering healthcare, disability, and retirement benefits. Like organizations in the US and EU, such\r\nfunds store a significant amount of digital identity information relating to citizens. A data breach of such scale will\r\nlikely have a negative, long-lasting impact on citizens' data that could create risks of fraud and identity theft. The\r\nCNSS is the primary social security administrative body in Morocco. 
Established in 1961 to replace the Caisse\r\nd'Aide Sociale (initially established in 1942), CNSS has played an essential role in the social protection of private\r\nsector workers.\r\nWhat it covers:\r\nHealthcare:\r\nProvides access to hospitalization, medical services, and other treatments for insured individuals and their\r\ndependents.\r\nPension:\r\nResponsible for the pension system, providing retirement benefits to eligible individuals.\r\nUnemployment:\r\nAdministers unemployment benefits, providing financial support to eligible individuals who lose their jobs.\r\nOther benefits:\r\nThe CNSS also provides benefits for maternity, disabilities, family allowances, death grants, and survivor's\r\npensions.\r\nCybercriminal or Espionage Narrative\r\nhttps://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach\r\nPage 1 of 8\n\nApril 8, 2025 - An actor has leaked a massive volume of stolen data in CSV and PDF files. The data has been\r\npublished on one of the prominent underground forums on the Dark Web. Interestingly, the actor has never offered\r\nthis data for sale and did not attempt to monetize it privately. According to inside information, the actor could\r\nhave tried to receive a ransom payment from the government, but his demands have never been met.\r\nOn the other hand, such tactics are also typical for advanced espionage groups targeting governmental agencies.\r\nTo avoid attribution, such actors prefer to operate under the guise of cybercriminal motives as hacktivists.\r\nResecurity is investigating the incident in collaboration with law enforcement to determine the possible\r\ncircumstances of this data breach.\r\nResecurity has acquired the data and alerted its customers so they can validate its authenticity. 
The feedback\r\ncollected confirmed that the data was valid, leaving the affected victims concerned that their Personally\r\nIdentifiable Information (PII) had become public due to a breach of the governmental agency. Notably, none of\r\nthem has received any notification from the regulators or the affected party, which raises specific concerns about\r\nthe coordination and transparency of data breach disclosure and consumer rights advocacy.\r\nThe actor has created a Telegram channel where, as the main motive of his attack, he outlined the compromise of\r\nthe Twitter account of the Algerian Press Service (APS) by Moroccan hackers. The conflict in cyberspace between\r\nAlgerian and Moroccan hacking groups is well-known, which could also be one of the reasons behind this activity.\r\nThe actor also leaked the salary information of several government officials, accusing them of downplaying the\r\nincident.\r\nThe Scope of the Data Breach\r\nThe threat actor has leaked a CSV file containing personal information about 1,996,026 employees from various\r\nenterprises operating in Morocco. Notably, the CNSS has presumably more than 40,000 reporting companies and\r\nover 3.9 million employees in its system, so the data breach could be interpreted as large-scale. 
This leaked data\r\nshould concern the employees, their employers, and various commercial and governmental\r\nagencies, as bad actors can misuse it, for example in a social engineering campaign to\r\nbreach the employee’s employer or to compromise the user’s accounts on various Internet services.\r\nThe stolen dataset was included in a 7z archive with timestamps from November 29, 2024. It is unclear whether\r\nthe actual date of the incident is from last year; the actor may have held the data back to\r\nbenefit from exclusive access to it and only later decided to leak it.\r\nThe leaked data includes files related to enterprises and individuals, reporting their salaries and associated\r\npersonally identifiable information (PII) details.\r\n- enterprises\r\ncompanyName\r\naffiliateNumber\r\ndateAdhesion\r\ndateAffiliation\r\ntypeAdherent\r\ncompanyNameMandataire\r\naffiliateNumberMandataire\r\nmodaliteTelepaiement\r\nagence\r\ndirectionRegionale\r\nadmin_firstName\r\nadmin_lastName\r\nadmin_cin\r\nadmin_email\r\nadmin_phoneNumber\r\nadmin_isRL\r\nbank_accountId\r\nbank_bankCode\r\nbank_adherent_id\r\nbank_adherent_numAffilie\r\nbank_adherent_typeAdherent\r\nbank_adherent_modaliteTelepaiement\r\nbank_adherent_adherentMandataire\r\nbank_adherent_raisonSocial\r\nbank_accountState\r\nbank_accountDefaultState\r\nbank_dateCreation\r\nbank_accountRIB\r\n- individuals\r\nID_adherent\r\nnewImmatriculatedId\r\nfirstName\r\nlastName\r\nimmatriculationNumber\r\ncin\r\npassportNumber\r\nresidenceNumber\r\ncreationDate\r\ndemandMode\r\naffiliateName\r\naffiliateNumber\r\ndemandState\r\nThe negative side effect of this data breach is the disclosure of citizens' passports, emails, salaries, and banking\r\ninformation. Fraudsters are exploiting such data for online banking theft via social engineering, and the victims\r\nhave a challenging time protecting themselves against it. They will have to replace their documents, which is not\r\nalways practical or technically feasible.\r\nThe data breach also affected government employees. Representatives of multiple government agencies in\r\nMorocco have been identified in the leak.\r\nVictims include employees of the Moroccan Agency for Investment and Export Development (AMDIE), the\r\nMinistry of Economy and Finance, the Ministry of Health, the National Agency for the Promotion of Small and\r\nSmall Businesses (Maroc PME), the Moroccan Pension Fund, the General Treasury of the Kingdom, ONSSA\r\n(the National Office for Product Safety), and other agencies.\r\nThe breach affects entities in Morocco and poses a risk for foreign companies operating in the country, as multiple\r\nbranches of EU-based companies have been identified in the leaked data.\r\nThe impacted companies include entities operating in various fields, including but not limited to:\r\nAviation\r\nGovernment\r\nFinancial institutions\r\nEnergy\r\nUtilities\r\nLogistics\r\nTechnology\r\nOil \u0026 Gas\r\nSignificance\r\nNotably, almost 2 years ago, Morocco’s National Social Security Fund (CNSS) issued an official statement\r\nalerting individuals about the danger of disclosing their personal information to unreliable 
sources, as it can be\r\nexploited for fraudulent purposes.\r\nThe statement noted that the CNSS “disassociates itself from individuals who have contacted several citizens\r\nimpersonating representatives of the fund, demanding their banking information.”\r\nIn this regard, the CNSS has pledged to closely monitor and investigate all individuals involved in such fraudulent\r\nschemes and to take all necessary legal action against them.\r\nThis notification may confirm that Morocco is an attractive target for cybercriminals, considering the growing\r\ndigitization in the country.\r\nConclusion\r\nThe situation surrounding the CNSS highlights the growing cybersecurity challenges in Morocco, particularly as\r\ncybercriminals become more sophisticated in their tactics. It underscores the need for governmental and individual\r\nvigilance to protect sensitive information against cyber threats.\r\nSource: https://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach"
	],
	"report_names": [
		"cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach"
	],
	"threat_actors": [
		{
			"id": "8d1b9519-4634-40b9-94a4-96183539090c",
			"created_at": "2025-05-29T02:00:03.192356Z",
			"updated_at": "2026-04-10T02:00:03.849442Z",
			"deleted_at": null,
			"main_name": "Jabaroot",
			"aliases": [
				"Jabaroot DZ"
			],
			"source_name": "MISPGALAXY:Jabaroot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abb0f2de2563ec5d3db160d96f9d992940e2826e.pdf",
		"text": "https://archive.orkl.eu/abb0f2de2563ec5d3db160d96f9d992940e2826e.txt",
		"img": "https://archive.orkl.eu/abb0f2de2563ec5d3db160d96f9d992940e2826e.jpg"
	}
}