# Incident Report: Saudi Games Data Breach by Cyber Fattah
## Executive Summary
A cyber-attack, attributed to the pro-Iranian hacktivist group Cyber Fattah, resulted in the exfiltration of thousands of personal records belonging to Saudi Games athletes and visitors. Attackers gained unauthorized access to data stored behind phpMyAdmin systems, leading to the public release of sensitive documents, including passports, IDs, medical certificates, and banking information. The incident appears to be a politically motivated operation linked to broader geopolitical tensions in the region.
## Incident Details
- **Discovery Date:** June 22, 2025 (Date of leak publication)
- **Incident Date:** Prior to June 22, 2025 (unauthorized access must have been achieved before the leak was published)
- **Affected Organization:** Saudi Games (Specific entity related to Saudi sporting events)
- **Sector:** Sports/Government Infrastructure
- **Geography:** Saudi Arabia (Inferred from target)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed, prior to June 22, 2025
- **Vector:** Unauthorized access to phpMyAdmin systems.
- **Details:** Attackers exploited vulnerabilities allowing them to gain backend database access.
### Lateral Movement
- Not explicitly detailed, but suggested by the broad scope of data accessed (staff credentials, visitor records).
### Data Exfiltration/Impact
- **Details:** Threat actors extracted and subsequently published SQL dump files containing sensitive personal records.
- **Impacted Data:** Scans of passports, ID cards, medical certificates, International Bank Account Numbers (IBANs), and credentials for IT staff and government officials.
### Detection & Response
- **Detection:** Public disclosure of data on June 22, 2025, when Cyber Fattah published the SQL dumps.
- **Response Actions:** Not detailed in the provided text, but the incident analysis places it within a context of broader military/political escalation.
## Attack Methodology
- **Initial Access:** Unauthorized access to backend administrative tools (phpMyAdmin).
- **Persistence:** Not specified, but implied by the successful staging of data for exfiltration.
- **Privilege Escalation:** Not specified, but gaining access to data spanning athletes, visitors, and IT staff suggests high-level access or database administrator privileges.
- **Defense Evasion:** Not specified, but the nature of the operation (a targeted information operation) suggests the actors remained undetected until the data was published.
- **Credential Access:** IT staff and government official credentials were among the stolen data.
- **Discovery:** External monitoring/analysis by security researchers (e.g., Resecurity) identified the campaign.
- **Lateral Movement:** Implied movement across systems to collect comprehensive datasets.
- **Collection:** Targeting PII, financial data (IBANs), and official identification documents.
- **Exfiltration:** Uploading and publishing SQL dump files online.
- **Impact:** Data leakage and reputational damage related to national sporting events.
## Impact Assessment
- **Financial:** Not quantified, but likely involves costs for investigation, notification, and potential regulatory fines.
- **Data Breach:** High severity; includes passports, ID scans, medical certificates, IBANs, and high-level credentials. Thousands of records compromised.
- **Operational:** Potential disruption to IT operations due to compromised staff credentials.
- **Reputational:** Significant reputational damage impacting confidence in the security apparatus surrounding major national events.
## Indicators of Compromise
- **Network Indicators:** (None explicitly provided in the text; focus is on the actor and published data.)
- **File Indicators:** SQL dump files containing leaked data.
- **Behavioral Indicators:** Publishing stolen data related to politically charged events (anti-US, anti-Israel, anti-Saudi narratives).
## Response Actions
*Note: Specific incident response actions taken by the target organization were not detailed in the provided text.*
- **Containment:** (Assumed necessary, but not specified) Cutting off network access associated with compromised phpMyAdmin instances.
- **Eradication:** (Assumed necessary, but not specified) Resetting credentials of IT staff and officials whose data was stolen.
- **Recovery:** (Assumed necessary, but not specified) Notifying impacted individuals and potentially engaging forensic services.
## Lessons Learned
- **Configuration Management:** Critical administrative interfaces like phpMyAdmin must be rigorously secured, possibly removing public access or enforcing stricter access controls.
- **Geopolitical Risk:** High-profile national events are attractive targets for politically motivated hacktivist groups operating in coordination with state interests.
- **Data Minimization:** Reviewing and reducing the storage of highly sensitive PII and financial data (like IBANs) to the absolute minimum required.
## Recommendations
1. **Harden Database Management Interfaces:** Immediately restrict external access to all phpMyAdmin or similar administrative web panels. Implement strong MFA and place these tools behind VPNs or internal-only subnets.
2. **Credential Review:** Conduct an immediate enterprise-wide password reset for all IT staff and government officials whose credentials may have been exposed.
3. **Proactive Threat Intelligence:** Enhance monitoring for activity associated with known nation-state affiliated groups (like Cyber Fattah) targeting regional sports or government entities.
4. **Data Classification Audit:** Review the storage of sensitive data (IBANs, scanned documents) and implement stronger encryption-at-rest policies.
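One way to turn the interface-hardening recommendation above into a concrete check, as an added example that is not part of the original report: a short Python script that scans web-server access logs (common log format) for phpMyAdmin requests arriving from outside the permitted internal ranges, and rates a successful call to phpMyAdmin's `export.php` highest, since that endpoint is what produces SQL dumps of the kind that were leaked. The allowed networks, the admin path prefixes and the log lines are constructed assumptions, not data from the incident.

```python
import ipaddress
import re

# Assumed policy: phpMyAdmin may only be reached from these internal ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Path prefixes that should never be reachable from the outside (assumed list).
ADMIN_PATHS = ("/phpmyadmin", "/pma")

# Common log format: client ip, ident, user, [time], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_internal(ip):
    """True if ip parses and falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def flag_external_admin_access(lines):
    """Return one finding per admin-panel request from a non-internal client."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, method, path, status = m.groups()
        status = int(status)
        if not path.lower().startswith(ADMIN_PATHS) or is_internal(ip):
            continue
        served = 200 <= status < 300
        if served and path.lower().endswith("/export.php"):
            severity = "high"    # external client pulled a database export
        elif served:
            severity = "medium"  # panel is reachable and answered
        else:
            severity = "low"     # blocked or missing, but still being probed
        findings.append({"ip": ip, "method": method, "path": path,
                         "status": status, "severity": severity})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '10.0.1.5 - - [20/Jun/2025:10:00:00 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 1234',
    '203.0.113.7 - - [21/Jun/2025:02:13:44 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Jun/2025:02:15:01 +0000] "POST /phpmyadmin/export.php HTTP/1.1" 200 9876543',
    '198.51.100.4 - - [21/Jun/2025:03:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
    '203.0.113.9 - - [21/Jun/2025:04:00:00 +0000] "GET /phpMyAdmin/ HTTP/1.1" 403 0',
]
```

Run against real logs, a single "high" finding is enough to justify pulling the panel behind a VPN and rotating every credential stored in that database.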