Cyber Incident Victim: Kaspersky Lab

Date: Jul 2015

Location: Morocco

Summary

A group of Moroccan hackers compromised Morocco's country code top-level domain registry, enabling defacement of several tech companies' local websites, including Kaspersky's official Moroccan domain. The attackers replaced content with a message claiming control over all .ma domains, demonstrating unauthorized access to parked and operational sites. This incident mirrored previous DNS hijacking disruptions, with the affected domains restored shortly after the breach. The same hacking collective had previously targeted other major corporations across financial and technology sectors.

Description

On July 25, 2015, a hacker group identifying as The Exploit3rs compromised multiple high-profile websites under Morocco’s country-code top-level domain (.ma). The attackers breached the domain registry infrastructure for Morocco’s ccTLD, enabling unauthorized access to google.co.ma, google.ma, microsoft.ma, and kaspersky.ma. While google.ma and microsoft.ma were parked domains, google.co.ma and kaspersky.ma served as the official domains of Google and Kaspersky Lab in Morocco. The hackers replaced the legitimate content of these sites with a defacement page displaying the message: "HEY! Today ccTLD MOROCCO 0WN3D!! You think that you control the domains, but you don’t! Everybody knows wrong. We control the domains including NIC morocco! We Want To Inform You That We Can OwnAny .Ma Website Now." This action demonstrated control over Morocco’s domain registration system, mirroring DNS hijacking incidents like one targeting Google Vietnam earlier that year.

The attack disrupted access to the affected domains until they were restored, which happened before the article reporting the breach was published. The Exploit3rs claimed the broader capability to compromise any .ma website by leveraging their access to Morocco’s Network Information Center (NIC). The group had previously targeted financial and technology entities including Yahoo, HSBC, Norton, Twitter, Vodafone, and Dell. No data theft or malware deployment was reported in this incident; the impact was limited to temporary defacement and service interruption. The incident highlighted vulnerabilities in ccTLD management infrastructure, with even a cybersecurity firm such as Kaspersky among the targets.