Full Report
Thousands of personal records allegedly linked to athletes and visitors of the Saudi Games have been published online by a pro-Iranian hacktivist group called Cyber Fattah. Cybersecurity company Resecurity said the breach was announced on Telegram on June 22, 2025, in the form of SQL database dumps, characterizing it as an information operation "carried out by Iran and its proxies." "The actors
Analysis Summary
# Incident Report: Saudi Games Data Leak by Pro-Iranian Hacktivists
## Executive Summary
The pro-Iranian hacktivist group Cyber Fattah announced a data breach on June 22, 2025, leaking sensitive records allegedly sourced from the Saudi Games 2024 official website. The attack vector involved gaining unauthorized access to the system's phpMyAdmin backend, resulting in the exfiltration of personal data belonging to athletes and visitors, including credentials and ID copies. This incident is characterized as an information operation intended to support broader anti-U.S., anti-Israel, and anti-Saudi propaganda.
## Incident Details
- **Discovery Date:** June 22, 2025 (Date of announcement on Telegram)
- **Incident Date:** Occurred prior to June 22, 2025 (data likely sourced from Saudi Games 2024)
- **Affected Organization:** Saudi Games 2024 (Official Website/Database)
- **Sector:** Sports/Government Administration
- **Geography:** Saudi Arabia (Target), Data announcement on Telegram
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to June 22, 2025
- **Vector:** Unauthorized access to phpMyAdmin (backend interface) of the Saudi Games 2024 official website.
- **Details:** Direct database access was achieved, facilitating data extraction.
### Lateral Movement
- Not explicitly detailed, but access to the phpMyAdmin backend suggests direct database access privileges were obtained or exploited.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Thousands of personal records, including IT staff credentials, government official email addresses, athletes' and visitors' information, passports and ID cards, bank statements, medical forms, and scanned copies of sensitive documents.
### Detection & Response
- **How it was discovered:** The breach was publicly announced by the threat actor group Cyber Fattah on the Telegram platform.
- **Response actions taken:** Not detailed in the provided text, beyond the documentation and analysis by cybersecurity firms like Resecurity.
## Attack Methodology
- **Initial Access:** Unauthorized access to phpMyAdmin backend.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified, but sufficient privileges were obtained to access and exfiltrate database contents.
- **Defense Evasion:** The nature of the public announcement suggests the attackers were focused on information disclosure rather than stealthy long-term operations.
- **Credential Access:** IT staff credentials were among the data stolen.
- **Discovery:** Directly queried/dumped the accessible database.
- **Lateral Movement:** N/A (Direct database compromise)
- **Collection:** SQL database dumps were exfiltrated from the backend interface.
- **Exfiltration:** Data was published via SQL database dumps on Telegram.
- **Impact:** Mass publication of sensitive personal data to serve propaganda objectives.
## Impact Assessment
- **Financial:** Unknown/Not specified.
- **Data Breach:** Thousands of personal records, including PII, financial documents (bank statements), medical forms, passports, ID cards, and IT staff credentials.
- **Operational:** Potential operational disruption due to the compromise of IT staff credentials; immediate reputational damage.
- **Reputational:** Significant reputational damage to the Saudi Games organization and potentially the Saudi government due to the exposure of sensitive national and personal data.
## Indicators of Compromise
- **Network indicators (defanged):** N/A (Specific IPs/Domains not listed, only Telegram as the distribution platform).
- **File indicators:** SQL database dumps.
- **Behavioral indicators:** Announcement of data leak on Telegram on June 22, 2025; publication of data on DarkForums by user ZeroDayX.
## Response Actions
- **Containment measures:** Not specified in the source material.
- **Eradication steps:** Not specified in the source material.
- **Recovery actions:** Not specified in the source material. *Implied requirement to reset compromised credentials and notify affected individuals.*
## Lessons Learned
- **Key takeaways:** Public-facing web service backends (like phpMyAdmin) remain a critical vulnerability if not properly secured, segmented, or monitored. Hacktivist activity in the Middle East is increasingly leveraging data breaches for broad geopolitical propaganda campaigns (anti-US, anti-Israel, anti-Saudi focus).
- **What could have been done better:** Stronger access controls, multi-factor authentication (MFA) enforced for administrative backends, and network segmentation to isolate data stores from publicly accessible web applications.
## Recommendations
- Implement strict access controls and MFA for all administrative interfaces, particularly phpMyAdmin or similar database management tools.
- Conduct comprehensive security audits focused on backend infrastructure linked to public-facing websites used for major national events.
- Enhance monitoring for unusual database export activities or large data transfers originating from web application servers.
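As an added illustration of the last recommendation (this is example code, not part of this report or of the Resecurity analysis), the Python script below scans web-server access-log lines for phpMyAdmin activity that a defender would want flagged: requests to the backend from outside an administrative allowlist, and export responses large enough to indicate a bulk database dump. The log lines are constructed samples in Apache combined format; the `/phpmyadmin/` path prefix, the `10.0.5.0/24` admin network and the 5 MiB bulk threshold are assumptions to be replaced with local policy. The endpoint markers `export.php` and `route=/export` are the export entry points of older and routed phpMyAdmin releases respectively.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache combined log format (not real logs).
SAMPLE_LOG = """\
10.0.5.12 - - [20/Jun/2025:09:12:01 +0300] "GET /phpmyadmin/index.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.5.12 - - [20/Jun/2025:09:12:40 +0300] "POST /phpmyadmin/index.php?route=/sql HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
203.0.113.77 - - [21/Jun/2025:02:03:11 +0300] "GET /phpmyadmin/index.php HTTP/1.1" 200 1834 "-" "python-requests/2.31"
203.0.113.77 - - [21/Jun/2025:02:03:15 +0300] "POST /phpmyadmin/index.php?route=/export HTTP/1.1" 200 48213770 "-" "python-requests/2.31"
203.0.113.77 - - [21/Jun/2025:02:05:02 +0300] "POST /phpmyadmin/export.php HTTP/1.1" 200 31002115 "-" "python-requests/2.31"
10.0.5.12 - - [21/Jun/2025:10:00:00 +0300] "POST /phpmyadmin/export.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed: only this network is permitted to reach the admin backend.
ADMIN_NETS = [ip_network("10.0.5.0/24")]
# Assumed: export responses at or above this size are treated as bulk dumps.
BULK_BYTES = 5 * 1024 * 1024
# Assumed: path prefix under which phpMyAdmin is served.
PMA_PREFIX = "/phpmyadmin/"
# Export entry points: export.php (older releases) and the routed index.php?route=/export.
EXPORT_MARKERS = ("/export.php", "route=/export")


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_export(path):
    """True when the request path targets a phpMyAdmin export endpoint."""
    return any(marker in path for marker in EXPORT_MARKERS)


def from_admin_net(ip):
    """True when the client address falls inside an allowlisted admin network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def analyse(log_text):
    """Return (ip, timestamp, reason) alerts for off-allowlist or bulk-export phpMyAdmin activity."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PMA_PREFIX):
            continue
        if not from_admin_net(rec["ip"]):
            alerts.append((rec["ip"], rec["ts"], "phpMyAdmin access from outside admin allowlist"))
        if is_export(rec["path"]) and rec["status"] == 200 and rec["size"] >= BULK_BYTES:
            alerts.append((rec["ip"], rec["ts"], f"bulk export response ({rec['size']} bytes)"))
    return alerts


def summarise(alerts):
    """Count alerts per source address so the noisiest client surfaces first."""
    return Counter(ip for ip, _, _ in alerts)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(summarise(found))
```

Run against the sample, the script raises no alert for the allowlisted admin host, even for its small legitimate export, and five alerts for the off-network client, two of them for multi-megabyte export responses. In production the same logic belongs in the SIEM or log pipeline, fed by the web server's access log and, where available, the database server's general or audit log, so that an export is correlated with both the HTTP request and the underlying `SELECT` volume.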