Several months ago, during a discussion with a public institution leader, the subject of **cyberattacks** was raised with urgency. Other organizations had previously been targeted, prompting the question: had his institution taken preventive measures? The response was definitive: significant investments had been made, systems were in place, and the risk appeared to be under control. What he was unaware of at that moment was that terabytes of data from his institution were being silently siphoned off. While he was not entirely wrong in his assessment—the internal systems were indeed secure—one of his external vendors, lacking adequate security, had inadvertently opened access to the entire architecture. This scenario illustrates a critical truth: an institution can bolster its own defenses yet remain vulnerable due to a contractor's weaknesses, poorly maintained components, third-party access, human error, or insufficiently segmented architecture. In the realm of cyberspace, the strength of an entity is only as robust as the weakest link in its ecosystem.
This reality underscores the significance of recent attacks. They do not imply that Morocco has been stagnant; rather, they highlight that a nation accelerating its digital services also inherently increases the strategic value of its data. The Kingdom has made notable strides in digitalization and now must focus on enhancing its security, governance, and resilience frameworks to match this progress.
A Series of Attacks Escalating in Scale
The recent wave of attacks began in April 2025, when a hacker group identifying itself as **Jabaroot** published nearly two million personal data records attributed to the **National Social Security Fund** on **Telegram**. The claimed volume also hinted at breaches involving hundreds of thousands of businesses. As is typical in such cases, figures derived from claims should be treated cautiously until validated by official or independent expertise. Nevertheless, the public impact was immediate: social data became a tool for coercion.
In June 2025, the **National Agency for Land Conservation, Cadastre and Mapping** (ANCFCC) faced similar allegations, with over 4 terabytes of data reported as exfiltrated. The nature of the leaked documents significantly heightened the severity of the incident, as property certificates, sales deeds, notarized contracts, and patrimonial elements involve legal security, land trust, and sometimes the economic privacy of the individuals involved.
Subsequent attacks targeted various infrastructures, including the Ministry of Economic Inclusion, Small Business, Employment and Skills, and several social organizations. In January 2026, during the **CAN 2025**, the **Royal Moroccan Football Federation** was also compromised. Following that, in March and April 2026, the **National Fund for Social Welfare Organizations** (CNOPS) was cited among those affected, potentially impacting millions of members.
Additionally, a distinct wave affected the **National Commission for the Control of Personal Data Protection** (CNDP), the site of **ENCG Kénitra**, and the **AI Movement** platform of UM6P. More recently, sales deeds involving public figures and businessmen, along with powers of attorney and notarized contracts from the Tawtik platform managed by ANCFCC in connection with the National Council of the Order of Notaries, were disclosed on the dark web. On May 18, 2026, over 690,000 records attributed to the civil registry platform Watiqa.ma were leaked on Telegram.
This timeline does not merely represent an accumulation of incidents; it indicates a shift in scale. While the targets vary, the underlying mechanism remains the same: a technical attack evolves into an assault on trust. The objective extends beyond merely compromising a server; it jeopardizes service continuity, institutional reputation, citizen security, and the public's perception of its ability to safeguard digital assets.
The Paradox of a Strong Framework Amid Uneven Resilience
The primary takeaway reveals a paradox: Morocco possesses a recognized institutional and regulatory framework. According to the International Telecommunication Union's cybersecurity index, the Kingdom scored 97.5 out of 100 in 2024, ranking among the best globally. It is also acknowledged as a regional leader in Africa and stands 34th in the **Global Cybersecurity Index**. These results are not merely ornamental; they reflect genuine efforts in national strategy, legal frameworks, specialized structures, a central role for the **General Directorate of Information Systems Security** (DGSSI), the presence of maCERT, and the escalation of governance measures. However, having a framework alone is insufficient to withstand an attack. Compliance indicates the existence of rules, institutions, and measures, while resilience is demonstrated through response times, the quality of backups, database segmentation, continuous monitoring, crisis communication, and the ability to restore services without exacerbating risks. This distinction is at the heart of the issue.
Morocco does not suffer from a lack of digital maturity; instead, it faces the classic challenge of rapidly digitizing nations: the attack surface often expands faster than protective reflexes can keep up. Each online platform, digitized registry, and interconnected database enhances efficiency but simultaneously creates a new strategic asset. Public data is no longer merely a management tool; it has become a resource of power that can be sold, fragmented, enriched, cross-referenced, and exploited for phishing, impersonation, extortion, fraud, or propaganda. Stolen data is rarely disclosed all at once; it may circulate in closed networks, be resold on the dark web for untraceable cryptocurrencies, and later reemerge when its dissemination has the most significant media or political impact. When a hostile actor seeks to destabilize a state, they strategically release information to sustain a climate of enduring suspicion. Public leaks often represent just the visible tip of a much older breach.
The diagnosis of these vulnerabilities is not merely a blame game but rather an examination of interdependent fragilities. The most apparent vulnerabilities arise from outdated, heterogeneous, or poorly maintained systems. Experts frequently cite phishing as a favored entry point, as emails masquerading as clients, suppliers, or official services can lead an employee or official to open a malicious attachment or click a harmful link, triggering ransomware or unauthorized access. In some cases, a critical vulnerability in a third-party vendor, such as Oracle, which had an authentication flaw reported in March 2025, has also been considered among the technical hypotheses. However, this point should remain hypothetical as long as no official attribution confirms it.
The subcontracting chain perpetuates this exposure. In the case of the CNDP, the incident was linked to an outdated plugin on the website, representing a basic maintenance oversight. More broadly, every delegated access, opened interface, technical account, and component installed at a vendor becomes a point of vigilance. Digital transformation requires integrators, hosts, maintainers, cloud providers, and external developers. While such outsourcing is standard, it becomes vulnerable when not governed by stringent contractual requirements, regular audits, effective logging, incident notification, and strict access control.
The gap between regulatory frameworks and operational realities exacerbates this risk. The ITU score of 97.5 out of 100 reflects a serious commitment, but it also serves as a reminder that an index measures a framework, not always the day-to-day robustness of each application. The true test lies in timely patches, tested backups, segmented databases, revised permissions, processed alerts, and rehearsed crisis protocols. An untested backup does not constitute protection; it is merely a promise.
Massive outsourcing adds its own complexity. According to the 2025 **AUSIM Barometer**, 64% of Moroccan companies outsource their **cybersecurity**. This trend can be effective when it relies on qualified vendors and demanding contracts but becomes risky if it leads to unchecked delegation, untracked third-party access, unclear responsibilities, or delayed incident notifications.
Lastly, artificial intelligence is transforming the very economy of cyberattacks. Phishing campaigns can now be crafted in highly credible French, Arabic, or English. Scripts can be generated, adapted, or enhanced more rapidly. Target recognition can be automated. **Deepfake** audio or video technologies open new avenues for identity theft. For novice profiles, AI lowers the entry barrier, while for experienced groups, it acts as a force multiplier. The threat is not only becoming more frequent; it is becoming industrialized.
Cybersecurity must evolve into a culture of governance. For too long, it has been viewed as the sole responsibility of IT departments. This perspective is no longer sufficient. Security now involves the lawyer validating a subcontracting contract, the business manager requesting new access, the employee receiving a suspicious email, the director arbitrating a budget, the communicator tasked with informing without minimizing or panicking, and the executive responsible for ensuring the continuity of public services. The Director General of DGSSI emphasized at **GITEX Africa 2026** that the challenges extend beyond technical boundaries and directly touch on sovereignty. Cybersecurity is no longer merely an operational cost; it has become a condition for operational sovereignty, determining a country's ability to protect its data, services, citizens, and major events.
The DGSSI, historically located within the National Defense Administration, has a rigorous security culture and plays a central role in protecting sensitive information systems. Recent changes to its status should be understood in this context: enhancing the institution's attractiveness, expanding the national pool of expertise, and integrating more specialized profiles from diverse backgrounds without pitting military skills against civilian competencies. The goal is not to suggest a lack of qualified personnel but to acknowledge that the global demand for cybersecurity expertise is growing faster than the available talent pools. Profiles in auditing, forensics, incident response, cryptography, cloud security, application security, data governance, or industrial protection are in high demand from all states and major corporations. For Morocco, consolidating these skills is a strategic imperative.
This consolidation cannot rely solely on the state. It necessitates a comprehensive ecosystem: initial training, continuing education, university laboratories, engineering schools, specialized startups, qualified providers, operational security centers, auditing capabilities, international partnerships, and a culture of **cyber hygiene** within both public administrations and private enterprises.
Emerging specialized companies have a significant role to play. However, many encounter barriers to entry in public and private markets, such as insufficient seniority, a lack of high-volume references, or unmet thresholds for the number of engineers. Their primary strength lies in their mastery of state-of-the-art technology and their continuous updates, as each day brings new threats. The challenge is not to relax security requirements but to find mechanisms that allow for the integration of these emerging competencies into public and private contracts when they are technically sound.
Finally, the recent attacks cannot be divorced from the strategic context in which they arise. The claim against the CNSS occurred following the reaffirmation of **U.S.** support for Moroccan sovereignty over the **Sahara**. The allegations against the ANCFCC came on the heels of British support for Morocco's autonomy plan. This timing raises legitimate questions but does not, in itself, constitute proof of orchestration. Serious analysis must hold two requirements together: not ignoring the possible geopolitical dimension while avoiding the transformation of correlation into certainty. The cyberspace landscape obscures accountability. Criminal groups, influence networks, opportunistic actors, hacktivists, and sometimes hostile powers can intersect without leaving a simple signature.
What can be cautiously stated is that certain campaigns blend hacking with politically motivated communication. Stolen data is sometimes accompanied by accusations, threats of further leaks, or narratives aimed at moralizing. The objective shifts from mere theft to potentially discrediting decision-makers, showcasing a supposed state incapacity, creating an atmosphere of distrust, or sustaining public suspicion. The exposure of real estate assets or semblances of conflicts of interest undermines the legitimacy of public actors, regardless of the veracity of the disclosed documents.
As reported by lematin.ma.