Cyber Threat Actor: MoRo
| Actor Type | Location | Known Incidents |
Criminal
|
Morocco
|
1 incident |
|---|
Profile
MoRo is a threatactor known by the alias MoRo and has been publicly linked to Morocco, with no evidence indicating a connection to the Moroccan government. The group’s activities have focused on the education sector in the United States, specifically targeting Florida school districts, and have also included attempts to infiltrate government election systems. Their stated objectives have included the theft of student Social Security numbers for identity theft, which represents a financially motivated goal, and the pursuit of access to other sensitive government systems, including state voting platforms, indicating an interest in gaining footholds within governmental infrastructure.
In terms of tactics, MoRo has employed phishing emails containing malicious image attachments that, when clicked, deploy malware designed to disable system logging mechanisms, thereby obscuring their activities. After gaining initial access, the actors conducted prolonged reconnaissance, mapping network defenses over several months before attempting to exfiltrate data or manipulate systems. They have also used website defacement, posting images resembling ISIS fighters on compromised district sites, as a means of bragging about their intrusions. No specific malware family has been named in the reporting, but the described functionality centers on log suppression and persistence within compromised environments.
Attribution to MoRo comes from the cybersecurity firm United Data Technologies, which identified the group as Morocco‑based and explicitly stated there is no indication of state sponsorship or ties to a criminal consortium. The most notable publicly reported operation involved a coordinated campaign in late 2016 against multiple Florida school districts, including Miami‑Dade County Public Schools, where the actors sought Social Security numbers and attempted to access voting systems hosted by Diebold platforms; although they did not succeed in exfiltrating data or breaching election infrastructure, the incident highlighted the group’s use of email‑based malware delivery, log‑disabling techniques, and website defacement as part of their operational pattern. This campaign remains the primary example of MoRo’s activity in open sources.
