Cyber Incident Victim: Centre Nationale de Recherche Scientifique
Date:
Jan 2015
Location:
France
Summary
A cyberattack attributed to hacktivist Morocaan Hassan, claiming affiliation with a "Moroccan deterrent force," compromised approximately 128 CNRS subdomains and around 20 subdomains of Les Restaurants du Cœur through website defacement. The attacker replaced content with an HTML file ("Mkd") displaying Moroccan nationalist imagery, firearms, and messages advocating religious pride while denouncing terrorism and expressing opposition to perceived disrespect towards Islam. The incident formed part of broader cyber protests targeting French digital infrastructure, with the actor emphasizing Muslim identity and quoting religious texts about social justice. Both organizations suffered unauthorized content modifications across regional subdomains, though the attack appeared focused on ideological messaging rather than data theft or systemic disruption.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 28, 2015, at 14:50, a hacktivist identifying as Morocaan Hassan executed a coordinated defacement attack against 128 subdomains of the French National Center for Scientific Research (CNRS). The attacker modified *.cnrs.fr websites by uploading an HTML file named "Mkd," which served as his signature marker. The defaced pages displayed a Moroccan flag, two crossed rifles, and a logo representing his self-proclaimed "Moroccan deterrent force" group. Accompanying text stated "Je ne suis pas Charlie / Je ne suis pas terroriste / Je suis musulman et fier de l’être" (I am not Charlie / I am not a terrorist / I am Muslim and proud to be), positioning the attack within broader cyber protests targeting French digital infrastructure following the January 9 Charlie Hebdo attacks. Hassan included the message "Le croyant n’est pas celui qui mange à satiété quand son voisin a faim" (The believer is not one who eats to satiety while his neighbor goes hungry), advocating for religious solidarity while criticizing perceived French societal inequalities.
Approximately four hours later at 19:20, the same attacker expanded operations to compromise approximately twenty subdomains belonging to Les Restaurants du Cœur, a French charity organization. Affected regional branches included Dijon, Amiens, Pau, Limoges, and the Maison de Coluche locations in departments 74 and 16, among others. The defacements replicated identical visual elements and messaging from the CNRS intrusions, confirming a consistent modus operandi targeting high-visibility French institutions. Technical analysis indicated the attacks exclusively modified website content through unauthorized file uploads without evidence of data exfiltration or persistent system compromise. Both organizations faced temporary disruption to their web presence, though operational impacts beyond public-facing page alterations remained unconfirmed in available reporting. The incidents exemplified hacktivist exploitation of vulnerable subdomain management systems to propagate ideological messages during periods of heightened social tension.