Cyber Threat Actor: Moroccan Islamic Union-Mail

The threat actor known as MIUM operates under several aliases including Moroccan Islamic Union‑Mail, Moroccan Islamic Union‑Mail (MIUM) and Moroccan Islamic Union‑mail. Open‑source reporting indicates the group is based in Morocco. The actor has been referenced in multiple defacement incidents between 2014 and 2015. Its public communications often include a signature that reads “Moroccan Islamic Union‑Mail”.

MIUM has focused on defacing websites of diplomatic missions, educational institutions and organizations perceived to be linked to military or governmental entities. Targets have included the Embassy of Nepal in Washington, the Embassy of Angola in Abu Dhabi, the University of Washington and the Massachusetts Maritime Academy. The group also claims a history of targeting Jewish websites in the United States. The messages left on compromised sites typically contain anti‑American rhetoric, references to the Iraq War and extremist statements attributed to Mujahideen fighters. After each incident, the actor has posted claims of responsibility on platforms such as Facebook, often accompanied by links to mirror sites.

The primary technique observed is website defacement, where the attacker replaces the original homepage with a custom page containing political or religious text and imagery. Defacement pages have featured pictures such as a cross and an American flag, an image of a soldier’s grave and Arabic script. Proof of the compromises is often posted on mirror sites like Zone‑H, with links provided in the actor’s communications. After an intrusion, the actor has used social media platforms, notably Facebook, to claim responsibility and share details of the operation. No malware families, exploit kits or specific tooling have been described in the available reporting.

One of the earliest documented actions was the October 2014 defacement of the Massachusetts Maritime Academy’s website, which displayed an Arabic message and a soldier’s grave picture. In January 2015, MIUM compromised a University of Washington server, defacing sites such as enrollment.washington.edu and personnel pages with a threat‑laden image and text. The May 2015 defacement of the Nepali Embassy in Washington replaced visa information with an anti‑American statement referencing Iraq as the “Cemetery of American” and a warning about Mujahideen in Iraq. Around the same time, the group claimed responsibility for hacking the Embassy of Angola in Abu Dhabi under the operation name OpAngola, again posting a defacement page and a Zone‑H mirror link. Collectively, these incidents illustrate a pattern of using web‑site defacement to disseminate extremist political messages across multiple sectors and geographic locations.