Menu
Browse

Cyber Threat Actor: Yemen Cyber Army

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
Yemen
1 incident
Profile

The Yemen Cyber Army, also known by the abbreviation YCA, is a hacker group that operates from Yemen and has been publicly identified by its own name in statements and communications with media outlets. The group first came to wider attention in May 2015 when it claimed responsibility for a cyber intrusion against the Saudi Ministry of Foreign Affairs, an act it framed as a response to Saudi military involvement in Yemen. In its own messaging the actors described the operation as a means to send a political message to the Saudi government, indicating that their primary objective at that time was to convey opposition rather than to pursue financial gain. The targeting of a foreign‑affairs ministry suggests a focus on governmental institutions, particularly those involved in diplomatic relations, and the region of interest appears to be the broader Middle East where the actors are based.

During the Saudi Ministry of Foreign Affairs incident the Yemen Cyber Army reported gaining unauthorized access to the ministry’s internal network, claiming control over more than three thousand computers and servers and access to the accounts of thousands of users. They defaced the public‑facing website with a message explaining their motives and left a visible proof of compromise that was mirrored on a zone‑h site. The actors exfiltrated a range of data that included plain‑text login credentials, usernames, phone numbers, thousands of email addresses, embassy communications, VSAT transmission samples, and telex‑style diplomatic messages. They also disclosed that they had obtained file‑folder links protected by passwords, which could be used to reach additional information. The group emphasized that they had not downloaded the entirety of the available data, citing security and privacy concerns, but they threatened to release further material over time. No specific malware families, exploit kits, or initial‑access vectors were described in the reporting, so the observable tactics are limited to network intrusion, website defacement, credential harvesting, and data exfiltration.

Attribution of the Yemen Cyber Army to any state sponsor or criminal consortium has not been established in publicly available sources; the group presents itself as a collection of Yemeni hackers acting independently. The Saudi Ministry of Foreign Affairs breach remains the most prominently documented operation associated with the alias, and it is cited as an example of how the actors combined disruptive actions such as site defacement with espionage‑style data theft to advance a political agenda. The incident highlighted security shortcomings, particularly the storage of passwords in unencrypted form on a high‑profile government system, and it demonstrated the group’s ability to obtain and threaten the release of sensitive diplomatic information. No additional campaigns or incidents are referenced in the supplied material, so the profile is confined to the confirmed facts surrounding this single, well‑publicized event.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source