The cyberattack that targeted the Moroccan Employment Ministry this week compromised 3,000 pay slips belonging to its employees. The breach also affected the National Social Security Fund (CNSS), leaking details of nearly 500,000 companies and thousands of salary declarations.
The hacker group, which identified itself as Algerian, made its motivations clear, stating on its Telegram channel that the attack was a response to the actions of Moroccan hackers who «stole the Twitter account of the Algerian Press Service (APS)».
«100% of cybersecurity guys leave trails behind them»
But was what could be called the largest data leak targeting Morocco really orchestrated by Algerians? An investigation conducted by a cybersecurity group and sent to Yabiladi suggests that the perpetrator could be a Tunisian student based in Germany.
«100% of cybersecurity guys leave trails behind them. Who is behind the CNSS Hack?» reads the title of the inquiry. The investigation indicates that the Telegram group Jabarout DZ announced the compromise of sensitive CNSS data, but the message wasn’t «posted directly by the group but was forwarded from another Telegram user». This user is reportedly identified as «3N16M4».
Suspiciously, the investigation notes, this initial message was deleted and reposted, this time without the «forward from» user name. The authors of the investigation believe the deletion was prompted by a «mistake», suggesting that the hacker forwarded the message by mistake, either from their own account or from the account of the individual behind the hack. They speculate that the error was quickly reversed by deleting the message.
This mistake was the starting point for the investigators. When they searched for that same username, they found it was associated with an account on GitHub, a platform where developers can create, store, manage, and share their code. «The profile belongs to a user with a keen interest in IT, showcasing numerous repositories filled with programming projects», the investigators noted.
A possible link to a Tunisian student
This led to the discovery of the user's email address, full name, and country, which could point to the individual behind the CNSS breach. «We’ve uncovered some valuable information—an email address that appears to be from a German university», wrote the experts, adding that further checks even revealed «the real full name of the user», who is believed to be «related to the IT industry, and perhaps even to the hacking field».
The individual is believed to be a security engineer living in Bochum, Germany. Further checks by the group suggest he is a Tunisian student based in Germany, who is believed to have studied at Ostfalia University, as «one of his email addresses is still active in the university’s database», the group claims.
«These are the findings to date, and the investigation is still ongoing. We are solely conducting public reconnaissance without accusing anyone yet», the group stated, backing their investigation with photos.