The Yemen Cyber Army: Profile and Analysis
In May 2015, actors claiming affiliation with the Yemen Cyber Army compromised the Government of Saudi Arabia’s Ministry of Foreign Affairs (MFA) website, posting sensitive government data on multiple file-sharing websites. Reporting indicates that the data included Saudi travel visas, personally identifiable information (PII) for Saudi citizens, email messages belonging to Saudi embassies, and classified government documents. The actors indicated that they had compromised other Ministries within the government, and that they would leak additional data in the near future. The group also made the disconcerting claim that it would leverage destructive cyber capabilities against MFA networks, including the phrase “We Are Cutting Sword of Justice.” This statement may bear significance: the same phrase was previously posted to announce an August 2012 cyber operation by hacktivists who claimed responsibility for a destructive cyber attack on the Saudi Aramco Oil Company, which many analysts believe was sponsored and/or supported by Tehran. However, it is unclear whether the group actually has these capabilities.
Along with each of these leaks, the group attached a message warning that if the Saudi-backed coalition forces did not withdraw from Yemen, one million sensitive records would be leaked every week. Additionally, the group indicated that it had sent 400,000 records to wikileaks.org for “backup.” On June 23, a new set of over 500,000 government documents dubbed The Saudi Cables began to surface on WikiLeaks, likely derived from the aforementioned compromise and data extraction from Saudi government networks.
The current geopolitical climate adds interesting context to this activity. For the last four years, Yemen has been in a state of quasi-civil war. The most direct origins of this conflict can be traced to 2004, when Ansar Allah, best known as the Houthis, started a fledgling insurgency against the Yemeni government. The Houthis have resided in the region for centuries, representing the remnants of the oldest branch of the followers of Shi’a Islam, known as the Zaidi, which emerged in the late 8th century. Today, followers of Zaidiyya Shi’a comprise roughly 40 percent of all Muslims in Yemen, while the majority (including the official ruling government) is Sunni. As in the case of Saudi Arabia and Iran, this sectarian divide has been the source of centuries of enmity and conflict of varying intensity.
Throughout the early 2000s, the conflict alternated between violent flare-ups, peace agreements, and ceasefires. In 2009, when the insurgent activity reached threatening levels, Riyadh was drawn into the conflict in an effort to maintain the stability of the Sunni, Saudi-friendly government of Ali Abdullah Saleh. Saudi forces withdrew the following year, however, once the insurgency quieted down.
During the Yemeni Revolution in 2011, which coincided with the Egyptian and Tunisian iterations of the Arab Spring, Houthi-appointed representative Abdul-Malik al-Houthi called for the resignation of President Saleh, along with the reconstruction of the Yemeni constitution. Later that year, as Saleh was preparing to leave office, the Houthis began to claim portions of the Sa’dah Governorate in the northwestern portion of the country. Conflicts between Sunni and Houthi fighters continued for the next three years in western Yemen. In 2014, the Houthis, operating in self-declared autonomy under the Revolutionary Committee, took control of Sana’a, forcing President Hadi to capitulate and concede unprecedented levels of Houthi influence in political and state affairs. The following January, when Houthi fighters took over the presidential compound in protest of a plan to split the nation into six distinct federal regions, President Hadi and his administration resigned, allowing the Houthis to dissolve the Yemeni parliament and institute the governance of the Revolutionary Committee. Towards the end of February, President Hadi fled from captivity to the old Yemeni capital of Aden and declared himself the constitutional leader of Yemen and the Revolutionary Committee illegitimate.
Since then, violence has escalated between Sunni Muslims loyal to the official government and the Houthi fighters, who many claim are backed by Shi’a Iran and Hezbollah. Over the past several months, the Saudi Arabian government, supported by a multi-nation coalition, has been engaged in offensive military operations against Iran-backed Houthi militants. Washington, along with a number of other governments, has backed Saudi Arabian efforts to stabilize Yemen and reinstall the internationally recognized government under President Abd Rabbuh Mansur Hadi. To make the situation even more complex, Al Qaida in the Arabian Peninsula has seized the opportunity to gain control of over one fifth of the country’s total area.
The outcome of this conflict has significant strategic and existential implications for a number of nations and organizations. The United States and much of the West have a vested interest in curbing Tehran’s influence in the region and maintaining alliances with oil- and resource-rich Saudi Arabia. Meanwhile, inter-religious conflicts between Shi’a, traditional Sunni, and Jihadist ideologies within Yemen are making dialogue between groups difficult.
Yemen Cyber Army: Threat Actor Profile
The Yemen Cyber Army is a hacktivist group that was first observed conducting malicious computer network operations in February 2012 when it claimed responsibility for a low-level website defacement against plusgrafic.com/py. In mid-April 2015, actors operating under the Yemen Cyber Army handle claimed responsibility for another website defacement against the British pan-Arab daily newspaper al-Hayat, which was taken offline for nearly 24 hours.
The group’s motivations appear heavily pro-Iranian, and its targeting includes entities that present a perceived physical or existential threat to Tehran. While the group has previously used imagery, language, and hashtags typically associated with the Anonymous hacktivist collective, it is probable that this imagery was used to obfuscate the true motivations of the group, or to adopt more easily recognizable rhetoric and symbolism to garner more widespread support. The group has no known significant connections to other threat groups or personas, and no discernible social media presence.
Considering the size of the leak and the amount of detail it contains, this likely represents a genuine compromise of mofa[.]gov.sa. The sensitivity of the released information is still under analysis by trusted third-party vendors. The full extent of the compromise, and whether the actors still have access to Saudi government IT infrastructure, is still unknown.
The successful computer network compromise of a government-level diplomatic ministry by a pro-Iranian actor previously demonstrating only low operational sophistication is noteworthy. Before this operation, the Yemen Cyber Army was only observed conducting website defacements. If the group is responsible for this activity, it is doubtful that its actors would be able to successfully execute an operation of this nature without external support.
While there are no formal links between the Iranian government and actors associated with the Yemen Cyber Army, there are several historical examples of seemingly independent hacking groups that have been supported by Iranian government entities, specifically the Iranian Revolutionary Guard Corps (IRGC). Hacktivists with suspected support from Tehran have previously targeted the U.S. financial sector; the Qassam Cyber Fighters conducted distributed denial of service (DDoS) operations against U.S. financial institutions in 2012 and 2013. Given the nature of the Yemen Cyber Army’s targeting and other operational elements, the prospect that this was a Tehran-sponsored operation seems, at the very least, possible.
Risks to the U.S. private sector
There appears to be no direct threat to U.S. private sector computer networks or information as a result of this activity. The Saudi leak could, however, be exploited by malicious actors seeking to compromise Saudi government systems or to conduct financially motivated activity against the individuals whose information was released. It is unclear how much information the actors have in their possession, and how much they intend to continue leaking.
Given the continued U.S. support of Saudi Arabian military operations in Yemen, it is possible that actors associated with the Yemen Cyber Army may attempt to target U.S.-based government and private sector entities. Cyber actors supporting Tehran have previously targeted U.S. private-sector entities during periods of increased strain on relations between the two countries. It is possible that Iranian actors may target U.S.-based entities in the near future.
In late May, an Iranian national law enforcement entity announced that it had stopped offensive computer network operations against the country’s Oil Ministry by U.S.-backed actors. Currently, there is limited information on this incident, but considering this accusation in the context of considerable tension between the Iranian and U.S. governments, it is possible that Iranian advanced persistent threat groups and hacktivists may conduct retaliatory attacks against U.S. government and private sector targets.