
Cyber Incident Victim: Justice Blade

Date:

Nov 2022

Location:

Saudi Arabia

Summary

The 'Justice Blade' hacking group targeted an outsourcing IT vendor serving major enterprises and government agencies in Saudi Arabia, exfiltrating sensitive data including CRM records, personal information, email communications, contracts, and account credentials. The attackers compromised an employee account, deployed the Metasploit Framework after gaining access, defaced the corporate website, and leaked over 100,000 records tied to regional entities such as an airline and a central bank initiative. Stolen credentials had previously appeared on Dark Web marketplaces, amplifying supply chain risk for interconnected organizations. The group set up a Telegram channel to distribute the data and displayed ideological motives by publishing photos of government officials; no ransom demands were observed. Intelligence reports suggested a potential geopolitical context amid regional tensions.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The Justice Blade cyber incident began with initial malicious activity detected by the victim organization, Smart Link BPO Solutions, on October 30, 2022, involving the deployment of the Metasploit Framework following a network compromise. On November 2, 2022, the attack escalated with a corporate website defacement marking the start of a "hack-and-leak" operation. Threat actors exfiltrated a substantial volume of sensitive data, including CRM records, personal information, email communications, contracts, and account credentials from Smart Link, an IT outsourcing vendor serving major enterprises and government agencies in Saudi Arabia and the Gulf Cooperation Council (GCC) region. The attackers established a Telegram channel on the same day to disseminate stolen materials, which included screenshots of active RDP sessions, Office 365 communications between regional companies, and user lists exceeding 100,000 records related to FlyNas airlines and SAMACares, a Saudi Central Bank initiative. Forensic evidence suggested the compromise originated from a compromised employee account, with attackers gaining access to Active Directory and internal applications.


The breach exposed credentials previously identified on Dark Web marketplaces, raising concerns about supply chain risks due to Smart Link’s government and enterprise clientele. No ransom demands were observed, aligning with the attackers’ ideological motives evidenced by leaked photos of Saudi officials on their data leak portal. Smart Link, a business unit of Forbes-listed Al Khaleej Training and Education Group, faced operational and reputational impacts as Resecurity analysts highlighted the incident’s significance as a regional supply chain compromise. The attackers’ focus on Saudi entities and absence of financial extortion suggested geopolitical motivations, though no direct attribution to state-sponsored actors was confirmed. Detection efforts by the victim organization identified post-compromise Metasploit activity, but containment measures were not detailed in available reports. Exfiltrated data remained actively distributed through Justice Blade’s Telegram channel, amplifying risks of secondary targeting against affiliated organizations and individuals.

Sources
Sources available to members
1 source