Yemen Cyber Army data dump contains wealth of personal and government information

Lee Johnstone of cyberwarnews.info (@Cyber_War_News) has analyzed some of the massive amount of Saudi government data dumped by the Yemen Cyber Army and has kindly shared his findings with DataBreaches.net.

In their statement, the Yemen Cyber Army (YCA) wrote:

We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their diplomats in different missions around the world.

The hackers did dump a lot of data on paste sites, including email addresses and passwords, but what’s in the linked dumps is of special note.

According to Lee, the data dumped includes documents, emails, presentations, images, and spreadsheets, approximately 95% of which are in Arabic. When uncompressed, the 892 mb archive contains 1,835 files in 93 folders:

The e-mail documents are Outlook files, sorted by the inbox status. Emails account for 1,622 files, 38 Folders, and 647 mb of the data. Lee also found what he described as “tons of internal network information including root certificates.”

One file of note includes a spreadsheet with 19,577 records with the following fields of citizen information:

CitizenID, IdentificationNo, FullNameAsInID, FirstNameAsInID, FatherNameAsInID, GrandFatherNameAsInID, FamilyNameAsInID, FirstNameAsInPassport, FatherNameAsInPassport, GrandFatherNameAsInPassport, FamilyNameAsInPassport, Gender, PassportNo, PassportIssueDate, FileID, PassportIssueOriginID, MotherFullName_AR, MotherFullName_EN, SysSocialStatusID, Email, DateOfBirth, BirthPlace, Occupation, ParentCitizenID, KindshipRealtionID, Height, HairColor, SkinTone, EyeColor, FullNameAsInID_En, FirstNameAsInID_En, FatherNameAsInID_En, GrandFatherNameAsInID_En, FamilyNameAsInID_En, BirthCertNumber, BirthCertIssuePlace, IDNOIssueDate, IdentificationNoRecord, SpecialMark, MotherIDNO, MotherNationalityID, BirthPlaceCountryStateID, IsCitizenMarksOnPhoto, PassportExpirationDate, PassportScanFileType

Another spreadsheet contained 3,024 computer DNS, GUID, and Operating systems details that are all related to mofa.gov.sa.

Lee noted that there were a “heap of systems” still running Windows XP, but most systems were running Windows 7.

Another file, labelled “DiwanPassports-Requests-37K.txt” contained 36,674 rows with the following fields: NationalId, Title, Name, BirthDate, BirthPlace, JobTitle, PassportNumber, PassportType, VisaNumber, VisaMonths, TripsNumber, RequestType, HasVisaWithPassport, IssuingDate, Order_OrderID

Yet another file, “Sponsor-DB.txt” reportedly contained 10,001 rows with fields:
Id, CardId, FirstName, SecondName, ThirdName, LastName, StartDate, EndDate, ResidentStatusId, SponsorID, SponsorName, NationalityId, BirthPlaceId, BirthDate, GenderId, MaritalStatusId, OccupationId, CardTypeId, ReligionId, VisaTypeId, JobOnCard, EscortInPassport, Notes, ImageName, CreatedBy, CreationDate, ModifiedBy, ModificationDate

There was also a file, “Users-Email-Mobile.xls,” with 11,870 names, email addresses, and phone numbers.

So it looks like the Yemen Cyber Army wasn’t kidding at all about how extensively they rooted Saudi Arabia’s Ministry of Foreign Affairs. And this is just the beginning of dumping the data they acquired. They say they will be releasing more information gradually, and

We have the same access to the Interior Ministry (MOI) and Defense Ministry (MOD) of which the details will be published in near future. Wish such shocking news make Saudi dictators to come to their senses and recapture those young wild dogs’ leash to avoid Muslims exploiting hate against Saudi family.

If you did not stop attacks on Muslims in Yemen, do not blame anyone but yourself and expect greater harms.

One of the greater harms promised was that all their computers’ drives were encrypted by the hackers and were scheduled to be automatically wiped on May 20. DataBreaches.net has yet to see confirmation that the drives were wiped.