Cyber Incident Victim: Google

On July 25, 2015, a hacker group identifying as The Exploit3rs compromised multiple high-profile domains associated with Morocco’s country code top-level domain (ccTLD), including those of Google, Microsoft, Kaspersky Labs, and the Moroccan National Internet Center (NIC). The attackers defaced google.co.ma, google.ma, microsoft.ma, kaspersky.ma, and NIC Morocco’s infrastructure, replacing legitimate content with a message claiming control over all .ma websites. The defacement page declared, “HEY! Today ccTLD MOROCCO 0WN3D!! You think that you control the domains, but you don’t! Everybody knows wrong. We control the domains including NIC morocco! We Want To Inform You That We Can OwnAny .Ma Website Now.” Google.ma and Microsoft.ma were identified as parked domains at the time of the attack, while Google.co.ma and Kaspersky.ma served as official company domains for Morocco. The incident mirrored a February 2015 DNS hijacking event that disrupted Google’s Vietnam homepage, suggesting a pattern of targeting regional domain infrastructure.

The breach demonstrated direct control over Morocco’s ccTLD registry, enabling attackers to manipulate any .ma domain. The Exploit3rs, known for prior compromises of Yahoo, HSBC, Twitter, Vodafone, and other multinational corporations, leveraged this access to assert technical dominance rather than extract data or deploy malware. No data theft or secondary attacks were reported. The defacements temporarily disrupted access to the affected domains but caused no prolonged service outages. By the time reports circulated, all targeted websites had been restored to normal operation. The incident highlighted vulnerabilities in country-specific domain management systems, particularly the risks posed by centralized registry access. Historical context indicated The Exploit3rs’ preference for high-visibility targets across finance, technology, and consumer sectors, though their motives for this attack remained unstated beyond showcasing technical capability.