Amidst Rising Cyber Threats, Saudi Organizations Need Leap-Ahead CTI
Saudi Arabia and other Gulf Cooperation Council (GCC) states are increasingly being targeted by cybercriminals and nation-state actors, according to recent vendor research.
A Dark Reading report on this study said the “region is likely a favored target because it’s a hub for commerce and trade, full of rich economies; and because of regional nations’ stance on certain geopolitical issues.”
According to the report, which analyzed Middle East cyberattack trends over the 18 months prior to October 2024, regional DDoS attacks surged by 70% year over year. Threat actors that have staged DDoS campaigns in Saudi Arabia and the broader GCC region are generally assessed to be hacktivists targeting organizations there in furtherance of broader geopolitical, social, or religious causes. Notably, DDoS attacks also surpassed ransomware as the top cyber threat in the EU last year, according to the European Union Agency for Cybersecurity (ENISA).
Geopolitical conflicts fueling malicious cyber activity in Saudi Arabia and the broader region include the rapidly intensifying conflict between Israel and Iran and the protracted war between Russia and Ukraine. Against this backdrop, according to the vendor’s research, Saudi Arabia was the second-most referenced Middle Eastern country by threat actors on the Dark Web, accounting for 26% of such listings.
Many of these listings were DDoS promotions targeting various Saudi public and private-sector entities. Meanwhile, the United Arab Emirates (UAE) led the entire region in Dark Web solicitations, accounting for 40% of all Middle East-focused listings and messaging, according to the report. In the broader GCC region, UAE included, “stolen data and illicit access accounted for the topic of more than half (54%) of the posts, with the vast majority of users selling or buying access,” according to Dark Reading’s coverage of the report. These listings typically concerned the following five sectors: trade, services, manufacturing, IT, and government agencies.
The report also found that 12% of the listings “included a call to action for hacktivism or evidence of a successful hacktivist attack,” according to Dark Reading. Roughly 9% of hacktivist posts also advertised free credentials for use in attacks. Notably, “access giveaways represent a new trend for the region that first appeared in H2 2023,” said the report. Furthermore, 70% of these access giveaways contained credentials for government agency employees, according to the report.
Regarding attacks from advanced persistent threat (APT) actors, Saudi Arabia has been in the crosshairs of at least 14 such groups, including Solar Spider, a China-nexus adversary that targeted Saudi financial services firms with JSOutProx malware. Regionally, the five sectors most targeted by APTs were government agencies, manufacturing, telecom, the military-industrial complex, and energy, according to another vendor research report that covered Middle East cyberattacks from 2022 to 2023.
The methods used by these APTs for gaining initial access varied, with 69% using phishing emails, 31% exploiting vulnerabilities in public-facing applications, and 19% deploying malware on targets’ websites, according to the report. At the same time, IBM’s 2024 “Cost of a Data Breach Report” found that the average cost of a successful intrusion in the Middle East, a regional cluster limited by the vendor to cover only Saudi Arabia and the United Arab Emirates, had increased to $8.75 million, up roughly $700,000 from 2023.
This figure places the Middle East as the second-most expensive region in the world for data breaches, trailing only the U.S., according to the IBM report. Notwithstanding these preexisting attack trends, ParanoidLab assesses that the proliferation of the infostealer economy will have the most significant impact on cybercriminal and APT targeting activity in Saudi Arabia this year.
At the time of this writing, ParanoidLab has acquired nearly 21 million compromised credential records covering Saudi-domain-specific VPN, RDP, Citrix, and PHP web services. The following report documents findings from recent Dark Web intelligence collected by ParanoidLab analysts and discusses how rapidly evolving geopolitical conditions may affect the cyber-threat outlook in Saudi Arabia in 2025.
Recent Dark Web Listings Targeting Saudi Arabia
This ParanoidLab cyber-threat intelligence (CTI) report documents Dark Web listings that surfaced from Q2 2024 onward. During this research period, ParanoidLab observed an uptick in Dark Web data leaks targeting significant Saudi Arabian entities. These targets include the Saudi Ministry of Health, the Alrajhi Bank of Saudi Arabia, the Saudi Arabian military, the Saudi Ministry of Justice, Gulf Warranties for Insurance Services (GWIS), Saudi British Bank (SAB), Bevatel, the Official Saudi Journalists Association, and the Ministry of Human Resources and Social Development of Saudi Arabia (HRSD).
Two trends emerge from these recent data leaks: the distinct targeting of Saudi financial services firms and of Saudi government entities. The leak of Saudi British Bank data is particularly extensive.

Alpha_ransom2 leaks SAB customer and employee data, source: Breach Forums
On September 4, 2024, threat actor ‘Alpha_ransom2’ posted 819 GB of data belonging to SAB customers and employees on Breach Forums. The threat actor appears to be financially motivated, as they listed this data for sale at $9,000. The data the threat actor claims is included in this leak is extensive, spanning customer identity and income data, highly specific account data, detailed transaction data, loan data, credit card information, branch data, and employee information. It follows that customers exposed by this leak are now at heightened risk of identity theft and financial fraud.

Alpha_ransom2 prices SAB customer and transaction data at $9,000, source: Breach Forums
The targeting of Saudi financial services is also manifest in data leaks pertaining to Alrajhi Bank and GWIS. In the first case, a threat actor using the handle ‘gettexik’ posted username and password combos (logs) for 17.3 thousand customers of the Alrajhi Bank on Breach Forums on November 5, 2024.

Gettexik posts logs for 17.3 thousand customers of Alrajhi Bank: Breach Forums
Notably, gettexik posted this data for free, echoing the access giveaway trend highlighted by the vendor research we discussed in the introduction. Indeed, this threat actor’s motivations for leaking the data appear to conform to hacktivism, as the text accompanying the data leak states, “FEEL OUR ATTACK INDOHAXSEC, THIS IS RESPONSE FOR THE WAHABI STATE THAT DAMAGES THE SELF-PRIDE AND RULES OF ISLAM!”
Furthermore, gettexik appears to claim some affiliation with the INDOHAXSEC hacktivist collective, which purports to be an Indonesian threat group and which has historically targeted organizations and websites in Saudi Arabia, India, and the U.S. On November 6, this collective announced an alliance with the NoName057(16) hacktivist group. NoName057(16) has previously targeted organizations in the UK, Ukraine, South Korea, the Czech Republic, and Japan. Based on NoName057(16)’s logo, namely the Russian flag prominently displayed on the hacker bear’s laptop, the group appears to be pro-Russian.

INDOHAXSEC and NoName057(16) announce an alliance, source: X
While it is possible that gettexik is a member of the INDOHAXSEC collective and that both entities have sincere hacktivist-inspired motivations for targeting Saudi organizations and other subjects, analysts must also factor in the possibility of nation-state actors using hacktivism as a cover for ulterior objectives.
Nevertheless, it is noteworthy that a hacktivist group that purports to be rooted in Indonesia, the largest Muslim nation in the world, is targeting Saudi Arabian organizations. On the surface, Saudi Arabia’s relations with Israel in the wake of the war in Gaza would appear to be the most likely point of contention for hacktivists based out of Indonesia, which also counts a significant hardline Islamist demographic within its large population.
Also notable is that gettexik claimed to have leaked 2.7 thousand user logs for the Tax and Customs Authority of Saudi Arabia (ZATCA) on Breach Forums on November 5, 2024 (the same day as Alrajhi Bank). Again, they demonstrated hacktivist motivations for leaking this data, writing the following text to accompany the sample ZATCA data:
“WE, THE INDOHAXSEC TEAM, STRONGLY REJECT THE WAHABI GOVERNMENT IN SAUDI ARABIA, BECAUSE THEY HAVE ELIMINATED MOST OF THE ISLAMIC RULES, EVEN EVERYTHING THAT IS FORBIDDEN BY ISLAM IS NOW LEGALIZED, YOU ARE EMBARRASSING THE PRIDE OF ISLAM!”

Gettexik claims to leak 2.7 thousand logs for ZATCA, source: Breach Forums
Another Saudi financial services firm recently targeted by threat actors is the insurance provider GWIS. On August 21, 2024, threat actor ‘zelda’ leaked 20.9 MB of GWIS data on Breach Forums. The threat actor said the data leak contained: “Employee information – Security system pin codes – digital fingerprint, usernames and passwords (hashed) sha256 and other details.” The threat actor also threatened to leak more Saudi databases “in the near future.”

Zelda leaks 20.91 MB of GWIS data, source: Breach Forums
Regarding government targets, a rising Com-nexus threat actor using the handle ‘pryx’ leaked 55 GB of “sensitive documents” belonging to the HRSD on the XSS forum on August 26, 2024. Pryx priced the stolen HRSD data at $2,000, indicating that they are financially motivated. The “compromised data includes private CVs, personal information, contracts, and various other sensitive materials. Additionally, it contains images and attachments submitted by citizens, along with future plans for buildings, ID cards, graduation certificates, and other documents,” according to pryx’s posting.

Pryx leaks 55 GB of HRSD data, source: XSS
In the Western cybercriminal youth culture known as the Com, pryx’s hacking skills are a subject of debate. In private discussions with other relatively prominent Com-nexus threat actors, ParanoidLab analysts have seen pryx referred to as a “retard” who “can’t hack shit.” Instead, pryx is reputed to have just purchased access credentials and leaked data. However, other threat actors have noted that pryx’s knowledge of network vulnerabilities is stronger than the vast majority of wannabees that lurk in cybercriminal communities like Breach Forums.
Nevertheless, the suggestion that pryx is simply buying access again highlights how the multi-billion-dollar infostealer economy has drastically lowered the barriers to entry for less skilled cybercriminals. Regardless, the impact of these data leaks is just as damaging as it would have been had the sensitive information been compromised by a more sophisticated attack targeting an obscure vulnerability. For example, the XSS post below shows threat actor ‘SGL’ selling Citrix credentials for a Saudi organization with $150 million in annual revenue for $1,200. These credentials were most likely harvested through an infostealer infection chain.

SGL sells access to a $150 million revenue organization in Saudi Arabia, source: XSS
Other high-profile leaks of Saudi government data involve the Saudi Ministry of Health (MoH), the Saudi Ministry of Justice (MoJ), and the Saudi military. On October 3, 2024, threat actor ‘Sandokan3000’ leaked an SQL database containing thousands of personally identifiable information (PII) records from the Saudi MoH. Notably, the threat actor leaked this data for free, again suggesting hacktivist motivations.

Sandokan3000 leaks thousands of MoH PII, source: XSS
On September 17, 2024, threat actor ‘mrxzyx1’ also leaked data belonging to the Saudi MoJ on Breach Forums, including: “Lawyers’ Statements Information on Chief Justice Sensitive files from the Ministry.”

mrxzyx1 leaks sensitive Saudi MoJ data, source: XSS
Notably, mrxzyx1 claimed to be affiliated with a financially motivated cybercrime team that calls itself ‘CYBERS102.’ The threat group’s Telegram channel was created on June 26, 2024. Posts in the channel indicate a preference for targeting organizations in the Middle East, including the Erth Hotel in Abu Dhabi. The group announced on Telegram that it was going on a hiatus on October 31, 2024.

CYBERS102 logo, source: Telegram
Lastly, on September 6, 2024, threat actor ‘wawenoel’ announced a significant “internal documents leak” of defense and government data belonging to the Saudi Arabia military on Breach Forums. The threat actor claimed the documents were obtained from the “email accounts of several military officials.” The actor also indicated hacktivist motivations, writing, “This leak of confidential data is to shed light on the activities of the oppressive regime of Saudi Arabia” in the text accompanying their Breach Forums posting.

wawenoel announces Saudi Arabian military document leaks, source: Breach Forums
Rising Regional Tensions Compel Saudi Organizations to Invest in CTI
The recent CTI data collected by ParanoidLab reveals a growing trend of threat actors targeting prominent Saudi financial services firms, alongside a continuation of previously identified patterns, including hacktivism and the targeting of Saudi government and military entities. Groups recently observed targeting Saudi Arabian organizations via data leaks include the hacktivist collective INDOHAXSEC and the CYBERS102 crew. A number of external geoeconomic and geopolitical factors are undoubtedly shaping the Saudi cyber-threat landscape today.
These background variables include Saudi Arabia’s Vision 2030 plan, an ambitious initiative to transform and modernize the nation’s economy and society, with an aim to elevate the nation as the regional hegemon in the Middle East. Other background factors attracting malicious cyber activity include the country’s vast oil wealth, which anchors its robust capital base and relatively high standard of living, and the rapidly escalating conflict between Israel and Iran.
Against this backdrop, the November 10, 2024, Kill Security ransomware announcement publicizing an attack on OxyHealth, a healthcare company, inspired related promotional activity by anti-Israel hacktivist groups such as Anonymous Palestine. This hacktivist cell reposted the OxyHealth victim-shaming announcement on X on the same day Kill Security published its ransom threat on its Tor data-leak site (DLS).

Anonymous Palestine celebrates the OxyHealth ransomware announcement on X, source: X
Focusing on the bigger geopolitical puzzle, it would seem that Iran is the nation-state actor most invested in subverting Saudi Arabia’s regional aspirations in the Middle East. However, the countries’ joint attendance at Russia’s latest BRICS summit in October 2024, and a general warming of relations between the two thanks to Chinese-brokered rapprochement discussions last year, may have altered that calculus some and defused their preexisting cyber-warfare agendas.
Regardless, ParanoidLab data shows that Saudi Arabia remains a favored target jurisdiction for threat actors. In this threat landscape, ParanoidLab has acquired nearly 21 million compromised credential records covering Saudi-domain-specific VPN, RDP, Citrix, and PHP web services. Below are the top 20 most-targeted ‘.sa’ domains across all web services, as cataloged by ParanoidLab’s Dark Web CTI.

Notably, each of the eight most-targeted Saudi domains has at least 100 compromised user credentials across all remote web services. The chart below shows which remote web services account for the most compromised credentials among threat actors targeting Saudi Arabia. As the chart shows, Citrix and Juniper gateways account for the most compromised credentials for .sa domains by a significant margin.
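The per-domain and per-gateway aggregation behind charts like the ones above is something a defender can reproduce over their own credential-exposure feed. The Python script below is an added example, not ParanoidLab’s tooling: the records are constructed to mimic the common url|user|password layout of infostealer logs, the hostnames are placeholders, and the login-path fingerprints (Citrix StoreWeb and NetScaler LogonPoint, Juniper/Pulse dana-na, Cisco +CSCOE+, FortiGate /remote/login, Exchange OWA) are the publicly documented default paths of those gateways. It counts compromised credentials per registrable .sa domain and per gateway type, and flags exposures for a watchlist of domains an organization owns, without ever echoing the passwords.

```python
"""Aggregate leaked remote-access credentials by .sa domain and gateway type.

Added example. SAMPLE_LOG is constructed to look like infostealer log entries
(url|user|password); it is not real leak data. Gateway fingerprints are the
well-known default login paths of the products named in the article.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample records in the common "url|user|pass" stealer-log layout.
SAMPLE_LOG = """\
https://gateway.example-bank.com.sa/Citrix/StoreWeb/|j.doe|Summer2024!
https://gateway.example-bank.com.sa/Citrix/StoreWeb/|a.khan|P@ssw0rd
https://vpn.example-bank.com.sa/logon/LogonPoint/index.html|m.ali|Welcome1
https://remote.example-ministry.gov.sa/dana-na/auth/url_default/welcome.cgi|s.omar|Qwerty123
https://remote.example-ministry.gov.sa/dana-na/auth/url_default/welcome.cgi|h.saad|letmein
https://vpn.example-ministry.gov.sa/+CSCOE+/logon.html|f.nasser|Ch@ngeMe
https://portal.example-telco.sa/remote/login|r.yusuf|telco2024
rdp://ts.example-telco.sa:3389|administrator|Admin123
https://hr.example-telco.sa/login.php|t.hassan|hunter2
https://mail.example-retail.sa/owa/auth/logon.aspx|n.fahad|Outlook!
"""

# Ordered (needle, label) pairs matched against the lower-cased URL path.
# First match wins, so the most specific fingerprints come first.
SERVICE_FINGERPRINTS: Tuple[Tuple[str, str], ...] = (
    ("/citrix/", "Citrix"),                 # Citrix StoreWeb
    ("/logon/logonpoint", "Citrix"),        # NetScaler / Citrix Gateway
    ("/dana-na/", "Juniper/Pulse"),         # Juniper SA / Pulse Connect Secure
    ("/+cscoe+/", "Cisco ASA/AnyConnect"),
    ("/remote/login", "FortiGate SSL-VPN"),
    ("/owa/", "Exchange OWA"),
    (".php", "PHP web login"),
)

# Second-level labels used under the .sa ccTLD (assumption: this list is illustrative).
SA_SECOND_LEVEL = {"com", "gov", "edu", "org", "net", "med", "sch", "pub"}


def classify_service(url: str) -> str:
    """Map a stolen-credential URL to the remote-access product it belongs to."""
    parts = urlsplit(url)
    if parts.scheme == "rdp" or parts.port == 3389:
        return "RDP"
    path = parts.path.lower()
    for needle, label in SERVICE_FINGERPRINTS:
        if needle in path:
            return label
    return "Other web login"


def registrable_domain(host: str) -> Optional[str]:
    """Collapse a .sa hostname to its registrable domain; None if not under .sa."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "sa":
        return None
    if len(labels) >= 3 and labels[-2] in SA_SECOND_LEVEL:
        return ".".join(labels[-3:])   # e.g. example.com.sa
    return ".".join(labels[-2:])       # e.g. example.sa


def parse_records(log_text: str) -> List[Dict[str, str]]:
    """Parse url|user|pass lines into .sa-scoped records; passwords are discarded."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.count("|") < 2:
            continue
        url, user, _password = line.split("|", 2)   # never carried into reports
        domain = registrable_domain(urlsplit(url).hostname or "")
        if domain is None:
            continue   # not a Saudi target; out of scope for this view
        records.append({"domain": domain, "service": classify_service(url), "user": user})
    return records


def summarize(records: List[Dict[str, str]]) -> Tuple[Counter, Counter]:
    """Return (credentials per domain, credentials per gateway type)."""
    by_domain = Counter(r["domain"] for r in records)
    by_service = Counter(r["service"] for r in records)
    return by_domain, by_service


def exposure_for(records: List[Dict[str, str]], watchlist: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Return {domain: {service: [users]}} for domains on an organization's watchlist."""
    watch = {d.lower() for d in watchlist}
    out: Dict[str, Dict[str, List[str]]] = {}
    for r in records:
        if r["domain"] in watch:
            out.setdefault(r["domain"], {}).setdefault(r["service"], []).append(r["user"])
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    by_domain, by_service = summarize(recs)
    print("Top targeted .sa domains:", by_domain.most_common(5))
    print("Credentials by gateway type:", by_service.most_common())
    print("Exposure for watchlist:", exposure_for(recs, ["example-telco.sa"]))
```

Run it as-is to see the ranking over the constructed records; on real data, feed your exposure feed into parse_records and put your own registrable domains in the watchlist, then force a reset and step-up authentication for every user returned by exposure_for.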

Despite the recent disruption of the RedLine and META infostealer malware-as-a-service (MaaS) operations by global law enforcement, the threat persists, as adversaries will likely turn to MaaS families such as Vidar and Lumma more aggressively. As threat actors of various motivations escalate their attacks on Saudi Arabian organizations, local stakeholders need to be vigilant about protecting their remote access services from identity compromise.
ParanoidLab has unique and transgenerational expertise navigating Dark Web ecosystems. Differentiated by its elite connectivity in cybercriminal subcultures, ParanoidLab has full-spectrum visibility into the most valuable infostealer log markets and other vetted hubs for the most elite RaaS, cybercriminal, and hacktivist operators.
ParanoidLab’s database contains over 39 million Single-Sign-On (SSO) records, over 100,000 Cisco VPN records, and more than 200,000 Citrix records. Additionally, we process over 50 million new records daily to keep you one step ahead of adversaries. Armed with access to ParanoidLab’s leap-ahead CTI, Saudi organizations can monitor their Dark Web exposure more efficiently and respond to emerging threat signals with unparalleled agility.