‘Justice Blade’ Hackers are Targeting Saudi Arabia

Threats actors calling themselves “Justice Blade” published leaked data from an outsourcing IT vendor.

The group of threat actors calling themselves ‘Justice Blade’ published leaked data from Smart Link BPO Solutions, an outsourcing IT vendor working with major enterprises and government agencies in the Kingdom of Saudi Arabia and other countries in the GCC. 

The bad actors claim to have stolen a significant volume of data, including CRM records, personal information, email communications, contracts, and account credentials. 

The same day, Justice Blade also set up a Telegram account with a private communications channel. On the screenshots and video leaked by the attackers – the incident could have happened as a result of targeted network intrusion affecting Active Directory and internal applications and services. 

The bad actors also released screenshots of active RDP sessions and Office 365 communications between various companies from within the region, and several lists of users presumably related to FlyNas (airlines company) and SAMACares (initiative managed by Saudi Arabia Central Bank) containing over 100,000 records.  

According to Resecurity, Inc. (USA), protecting major Fortune 500 companies, the data breach may become one of the first meaningful supply chain cybersecurity incidents in the region due to an overlap between an enterprise and the government sector. Threat actors may use the stolen data to target other companies and individuals of interest.

Resecurity experts mentioned that multiple leaked credentials belonging to Smart Link BPO Solutions have been previously identified in the Dark Web and various underground marketplaces in the TOR network, which could be leveraged by the “Justice Blade” to conduct successful cyberattacks. Based on the currently available data, the announcement of the attack has been initiated with the defacement of a corporate website around November 2nd and progressed as a “hack-and-leak” operation. Prior to that, on the 30th of October, the activity of Metasploit Framework was presumably detected by the victim company, which was deployed by the bad actors post-compromise.

According to leaked communications between company staff, the compromised account belonging to an employee was likely used to conduct the attack.

Notably, there is no evidence the attack could be financially-motivated, as no ransom demands have been registered as of yet. “Justice Blade” seems to be an ideologically motivated group targeting Saudi Arabia – with published photos of government officials on their website for data leak publication.  

Smart Link BPO Solutions is a business unit of Al Khaleej Training and Education Group. In 2012 AL Khaleej group was Listed in Forbes Middle East 2012 as one of the top most powerful 100 companies in the GCC region. 

It is not yet clear if the incident may be related to the growing tensions between Iran and Saudi Arabia. As reported by the Associated Press (AP), just recently Saudi Arabia shared intelligence with US officials that suggests Iran could be preparing for an imminent attack on the Kingdom. 

According to multiple sources, law enforcement and federal regulators are investigating the incident to determine the full scope of compromise and the end impact endured. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Justice Blade)

[adrotate banner=”5″]

[adrotate banner=”13″]