Cyber Incident Victim: NANS
Date: Apr 2016
Location: Syria
Summary
A hacktivist group known as Cyber Justice Team compromised multiple Syrian government and private websites, exfiltrating and publicly releasing 43GB of data containing sensitive server credentials, administrative passwords, and MySQL permissions. The attackers exploited known vulnerabilities in outdated Joomla content management systems used by the targeted entity, leveraging historical weaknesses in the platform. The leaked data included both newly breached information and remnants from prior intrusions, evidenced by older shell files and database entries. While the group claimed political motives against the Syrian government and ISIS, they selectively withheld files related to civilian education and healthcare systems. Security analysts highlighted systemic negligence in maintaining secure web portals, emphasizing how such outdated infrastructure enables relatively simple compromises of government assets.
Description
On April 6, 2016, the hacktivist group Cyber Justice Team breached multiple Syrian government and private sector networks, resulting in a data leak that totaled 43GB once the compressed files were decompressed. The compromised data consisted of 274,000 files from 55 Syrian website domains, with approximately half belonging to government entities under the .gov.sy domain. The attackers publicly posted the data on Pastebin, exposing sensitive information including server passwords, MySQL host permissions, and administrative credentials. Analysis by Risk Based Security revealed that the leak contained both newly exfiltrated data and material from earlier breaches, including older shell files and database entries demonstrating prior injection attempts. The Cyber Justice Team claimed responsibility, stating their opposition to both the Assad regime and ISIS for suppressing the Syrian revolution. Notably, the group selectively removed files related to government-run education systems and a children's hospital to avoid endangering civilian information.

The attackers exploited known vulnerabilities in Joomla content management systems used by the Syrian National Agency for Network Services (NANS). Historical vulnerability data indicated Joomla had 127 documented security flaws at the time, with 20 disclosed in 2015 alone, averaging one new vulnerability every 60 days. While no 2016 vulnerabilities were publicly discussed when the breach occurred, third-party Joomla modules remained potential attack vectors. The compromised data revealed multiple prior intrusion attempts on the same systems, suggesting persistent security weaknesses. Researchers observed that although the leak contained numerous non-sensitive files, the breach demonstrated significant security deficiencies in government web portals, which frequently become low-risk targets for hackers due to outdated software and unpatched vulnerabilities. The incident highlighted operational security failures within Syrian government IT infrastructure, and it yielded no evidence of immediate containment measures or detection processes.
