Bahrain National Security Agency Claimed 200GB Email Server Exfiltration

Feb 1, 2026 · Intelligence sector · ESIX 7.13

HIGH

By Karim El Labban · ZERO|TOLERANCE


On February 24, 2026, a threat actor operating under the alias "TheAshborn" claimed to have breached the email server of Bahrain's National Security Agency (nsa.gov.bh), exfiltrating approximately 200GB of data from 50 user accounts.

Hackmanac assigned the claim an ESIX score of 7.13 out of 10 - placing it at the boundary between "High" and "Critical" severity on their Estimated Severity Index, a proprietary metric that evaluates social, economic, technical, and reputational impact of breach claims.

This is not an isolated incident.

It is the third claim by three separate threat actors against Bahrain's security infrastructure in eight months: BIGBROTHER claimed 200GB from the Ministry of Interior in July 2025, ShinyHunters claimed both MOI and NSA data in September 2025, and TheAshborn now claims a fresh NSA exfiltration.

Four days after this claim, on February 28, Iranian missiles and drones struck Naval Support Activity Bahrain - the US Fifth Fleet headquarters adjacent to the agencies whose data these actors claim to hold.

The convergence of cyber and kinetic targeting against Bahrain's security apparatus represents a compounding intelligence risk with implications far beyond the Kingdom's borders.

01

KEY FACTS

  • What: Claimed 200GB exfiltration from Bahrain's National Security Agency email server - the third such claim against Bahraini security infrastructure since July 2025.
  • Who: Bahrain NSA (nsa.gov.bh) - the Kingdom's primary intelligence and secret police agency, established 2002 via Royal Decree No. 14, with links to US, UK, and GCC intelligence partners.
  • How: Attack vector not disclosed; email server compromise consistent with exploitation of on-premises Microsoft Exchange vulnerabilities or credential-based access.
  • Data: Claimed internal correspondence and emails from 50 user accounts - potentially including intelligence assessments, foreign liaison communications, counter-terrorism analysis, surveillance operation details, and personnel identities.
  • Actor: TheAshborn (also targeted Malaysian military/government entities 48 hours later); prior claims by BIGBROTHER (July 2025, MOI, USD 9,999 in Monero) and ShinyHunters (September 2025, both MOI + NSA).
  • Impact: Intelligence exposure risk assessed as severe given US Fifth Fleet, UK UKMCC (HMS Jufair), and GCC intelligence-sharing relationships formalized under the 2023 C-SIPA agreement. No official Bahraini statement issued for any of the three claims.

02

WHAT HAPPENED

On July 29, 2025, a threat actor using the alias BIGBROTHER posted on a dark web forum claiming to have breached the Ministry of Interior email server (interior.gov.bh). The listing claimed 200GB of data from 60 user accounts, priced at USD 9,999 in Monero (XMR).

A double-extortion option offered to "delete the data forever" for USD 19,999.

Less than two months later, on September 20, 2025, ShinyHunters - one of the most prolific cybercrime groups in the world, tracked by Palo Alto as Bling Libra and by Google as UNC6395 - posted two separate claims.

The first mirrored BIGBROTHER's MOI listing almost exactly: 200GB, 60 users, USD 10,000. The second introduced a new target: the National Security Agency (nsa.gov.bh), with 200GB from 50 users at USD 10,000. Both circulated through the "Scattered Lapsus$ Hunters Official" Telegram channel and were amplified across forums associated with BlackCat, Babuk, and Lapsus$.

The identical volume and user count between ShinyHunters' MOI listing and BIGBROTHER's strongly suggests the same dataset was being resold.

On February 24, 2026, TheAshborn posted a new claim against the NSA email server: 200GB, 50 accounts.

Two days later, the same actor posted listings for Malaysian government databases including the Ministry of Defence, Ministry of Home Affairs, and Malaysian Army personnel data - establishing a pattern of targeting government intelligence and military entities across multiple countries in rapid succession.

Bahrain issued no official statement about any of the three claims. No breach notification was filed.

Four days after TheAshborn's claim, on February 28, 2026, Iranian missiles and drones struck Naval Support Activity Bahrain - the US Fifth Fleet headquarters - as well as Mina Salman Port, civilian areas in Manama including a 20-story building, and a desalination plant.

This timing does not establish a causal connection, but the convergence of cyber claims and kinetic strikes against the same security infrastructure within days underscores the compounding threat landscape.

03

THREAT ACTOR

TheAshborn is a recently emerged threat actor with no documented activity prior to February 2026. Within 48 hours, they posted breach claims against government and military targets in two countries: Bahrain's NSA and at least five Malaysian government ministries plus Malaysian Army personnel data.

The Malaysian claims included PII such as full names, military email addresses, mobile numbers, ranks, unit assignments, and internal identifiers. Malaysia's national cybersecurity agency confirmed it was investigating.

ShinyHunters, by contrast, is extensively documented - active since 2020 with 400+ compromised organizations, operator of BreachForums (June 2023 to May 2024), and responsible for the 2025 Salesforce campaign described by Google as the largest SaaS compromise in history.

Key member Sebastien Raoult was sentenced to three years in January 2024. The group now operates within the Scattered LAPSUS$ Hunters (SLH) collective.

BIGBROTHER has minimal public profile, appearing on dark web data broker listings in 2025 but with no specific attribution.

The relationship between the three claims is ambiguous. The MOI data was likely resold by ShinyHunters after BIGBROTHER's original listing.

Whether the NSA data represents recycled ShinyHunters data, independent exfiltrations from a persistently compromised server, or shared initial access sold to multiple buyers remains unconfirmed.

04

WHAT WAS EXPOSED

If the claims are authentic, a 200GB email server dump from an intelligence agency would likely contain:

Intelligence operations data - internal assessments, threat briefings, operational planning, field reports, counter-terrorism and counter-espionage analysis.

Given the NSA's documented focus on countering Iranian influence operations since 2011, this could include monitoring of Iranian proxies and cross-border operations.

Foreign intelligence liaison communications - Bahrain maintains intelligence-sharing relationships with US CENTCOM/Fifth Fleet (8,000 personnel at Naval Support Activity Bahrain), UK UKMCC at HMS Jufair (1,000+ sailors and Royal Marines), and GCC services (Saudi GIP, UAE NESA, Kuwait State Security).

These relationships were formalized through the 2023 C-SIPA agreement, which explicitly includes intelligence sharing and cybersecurity cooperation.

If US or UK intelligence products were present, exposure could compromise coalition intelligence operations across the Arabian Gulf.

Surveillance operation details - the NSA's documented use of Pegasus spyware (acquired 2017) and FinFisher (used against 77 targets during the 2011 crackdown) means email correspondence could reveal current surveillance targets and methodologies.

Personnel identities - names, positions, and organizational assignments of intelligence officers. The NSA's workforce is majority non-Bahraini, meaning foreign nationals serving in sensitive positions could also be exposed.

Intelligence officer identities cannot be "changed" like passwords - once exposed, networks may need to be rebuilt from the ground up.

05

TECHNICAL FAILURE CHAIN

1. Internet-accessible email infrastructure. Intelligence agency email should not be reachable from the public internet.

Government email servers in the Gulf frequently run on-premises Microsoft Exchange with OWA exposed - a configuration CISA and the US NSA specifically warned against in their October 2025 Exchange Server Security Best Practices guide.

2. Likely unpatched Exchange vulnerabilities. ProxyLogon (CVE-2021-26855), ProxyShell (CVE-2021-34473), and ProxyNotShell (CVE-2022-41040) remain the most exploited email server vulnerabilities globally.

Microsoft ended support for all on-premises Exchange versions except Subscription Edition on October 14, 2025. If the NSA was running unsupported Exchange, it had no security updates.

3. Absent or weak MFA. Compromise of 50 accounts is inconsistent with properly configured phishing-resistant MFA. If OWA was accessible with password-only authentication, credential stuffing or phishing could provide initial access.

4. No data loss prevention. 200GB of email data allegedly exfiltrated without detection - requiring sustained transfer over hours or days, invisible without DLP or egress monitoring.

5. Repeated compromise without remediation. Three actors claimed access to the same infrastructure over eight months. If any claim is genuine, the failure to investigate and remediate after the first enabled subsequent exploitation.

6. Systemic capability gaps confirmed by national metrics. Bahrain's NCSI scores (December 2024): 0% in Cyber Crisis Management, 0% in Cybersecurity R&D, 50% in Cyber Threat Analysis, 56% in Fight Against Cybercrime.

These are not anecdotal observations - they are the country's own measured capabilities.
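Failures 3 and 4 above are the two that leave the clearest trace in server-side logs: one source address authenticating to many mailboxes, and one mailbox pulling data for hours on end. The following is an added example, not code from ZERO|TOLERANCE or from any Bahraini system, showing both detections run over constructed OWA/EWS access-log lines. The log format, the agency.example domain, the account names, and the thresholds (500 MB per mailbox per hour; five distinct mailboxes per source IP per day) are assumptions chosen for illustration.

```python
"""Egress and credential-abuse detection over mailbox access logs.

Added example, not from the original write-up. The log format below is a
constructed one (timestamp, source IP, account, protocol, bytes sent to the
client); real OWA/EWS logs carry more fields but the same signals.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample: one source IP walks six mailboxes over three hours and
# drains the first one in 120 MB chunks; two ordinary users log in later.
SAMPLE_LOG = """\
2026-02-20T01:00:00 203.0.113.7 user01@agency.example EWS 120000000
2026-02-20T01:10:00 203.0.113.7 user01@agency.example EWS 120000000
2026-02-20T01:20:00 203.0.113.7 user01@agency.example EWS 120000000
2026-02-20T01:30:00 203.0.113.7 user01@agency.example EWS 120000000
2026-02-20T01:40:00 203.0.113.7 user01@agency.example EWS 120000000
2026-02-20T02:05:00 203.0.113.7 user02@agency.example OWA 5000000
2026-02-20T02:30:00 203.0.113.7 user03@agency.example OWA 5000000
2026-02-20T03:00:00 203.0.113.7 user04@agency.example EWS 5000000
2026-02-20T03:30:00 203.0.113.7 user05@agency.example EWS 5000000
2026-02-20T04:00:00 203.0.113.7 user06@agency.example EWS 5000000
2026-02-20T09:15:00 198.51.100.20 user07@agency.example OWA 2000000
2026-02-20T09:30:00 198.51.100.21 user08@agency.example OWA 1500000
"""


class Event(NamedTuple):
    ts: datetime
    src_ip: str
    account: str
    proto: str
    bytes_out: int


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, account, proto, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, account, proto, int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def sustained_egress(events: List[Event], window: timedelta = timedelta(hours=1),
                     limit: int = 500_000_000) -> Dict[str, int]:
    """Flag mailboxes whose bytes served within any sliding window exceed limit.

    Returns {account: peak_bytes_in_window}. A 200GB pull is many such windows
    in a row, so this fires early rather than after the fact.
    """
    flagged: Dict[str, int] = {}
    recent = defaultdict(deque)      # account -> events still inside the window
    running = defaultdict(int)       # account -> bytes inside the window
    for e in events:
        q = recent[e.account]
        q.append(e)
        running[e.account] += e.bytes_out
        while q and e.ts - q[0].ts > window:   # expire events older than the window
            running[e.account] -= q.popleft().bytes_out
        if running[e.account] > limit:
            flagged[e.account] = max(flagged.get(e.account, 0), running[e.account])
    return flagged


def shared_source_accounts(events: List[Event], window: timedelta = timedelta(hours=24),
                           min_accounts: int = 5) -> Dict[str, List[str]]:
    """Flag source IPs that authenticate to min_accounts or more mailboxes in a window.

    Many distinct mailboxes from one address is the shape of credential
    stuffing or of one operator working through stolen credentials.
    """
    flagged: Dict[str, List[str]] = {}
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.src_ip].append(e)
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            accounts = {x.account for x in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
    return flagged


def run_detections(text: str = SAMPLE_LOG):
    """Run both detections over a log text and return their findings."""
    events = parse_log(text)
    return sustained_egress(events), shared_source_accounts(events)


if __name__ == "__main__":
    egress, shared = run_detections()
    for account, peak in egress.items():
        print(f"EGRESS  {account}: {peak} bytes in one hour")
    for ip, accounts in shared.items():
        print(f"SPRAY   {ip}: {len(accounts)} mailboxes: {', '.join(accounts)}")
```

Both detections are deliberately simple so they can be fed from whatever the mail platform already logs; the point of failure 4 in the chain is that without even this much, a multi-day transfer is indistinguishable from normal traffic. Thresholds should be set from a baseline of the agency's own usage, not copied from this example.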

06

REGULATORY EXPOSURE

  • Bahrain PDPL (Law No. 30/2018) - Article 3 establishes a broad national security exemption rendering the PDPL largely inapplicable to the NSA itself. However, administrative employee personal data (HR records, contact information) may fall outside this exemption. Criminal penalties: imprisonment up to 1 year and/or fines of BD 1,000 to BD 20,000 (USD 2,650 to USD 53,200), doubled for corporate entities. 72-hour breach notification required - none filed for any of the three claims. No enforcement actions have been documented under the PDPL since its entry into force in August 2019.
  • Fundamental regulatory gap - The national security exemption creates an accountability vacuum: the most sensitive data the government holds is excluded from the only law designed to protect personal data. The BD 20,000 maximum penalty is inconsequential for intelligence infrastructure breaches.
  • US implications - If US intelligence products or personnel data were present, this intersects with Executive Order 14028, FISMA requirements for shared information, and intelligence oversight under C-SIPA. The February 28, 2026 physical attack on Naval Support Activity Bahrain compounds concerns about US intelligence asset security in the Kingdom.
  • UK implications - UK GDPR / DPA 2018 could apply if personal data of UK military personnel at HMS Jufair was present in Bahraini intelligence communications. ICO could theoretically investigate.
  • GCC implications - Saudi PDPL, UAE PDPL, Kuwait, Oman PDPL, and Qatar PDPA could all apply if intelligence-sharing communications contained personal data of nationals from these jurisdictions.

07

ZERO|TOLERANCE Advisory

1. Air-gap intelligence email from the public internet. Implement a classified network (similar to SIPRNet/JWICS models) with physical separation from unclassified systems. The CISA/NSA Exchange Server Security Best Practices guide specifically recommends this.

2. Patch Exchange aggressively or migrate off on-premises Exchange. Microsoft ended support for all versions except Subscription Edition on October 14, 2025. Migrate to sovereign cloud or adopt SE with latest CUs.

3. Deploy phishing-resistant MFA (FIDO2 hardware security keys) on all email access. Password-based authentication for an intelligence agency is indefensible.

4. Implement DLP and egress monitoring. 200GB cannot be exfiltrated without detection if DLP policies are enforced at the mail transport layer.

5. Enforce end-to-end email encryption. S/MIME or PGP with HSM-backed key storage for all classified communications. Even if the server is compromised, encrypted message bodies remain unreadable.

6. Investigate and remediate after the first claim. BIGBROTHER's July 2025 listing should have triggered immediate forensic investigation. Three claims in eight months with no response reflects Bahrain's 0% NCSI score in Cyber Crisis Management.
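Advisory items 4 and 5 describe controls that sit in the mail transport path rather than in logs: a per-mailbox external egress budget, and a rule that classified content leaves the client only as S/MIME ciphertext. The block below is an added example of such a transport-layer policy, not ZERO|TOLERANCE's code or any vendor's DLP product. The agency.example domain, the sensitivity labels, the 50 MiB daily budget, and the policy that classified mail never goes to external recipients are assumptions; the one real identifier is the application/pkcs7-mime content type that an S/MIME-encrypted message carries.

```python
"""Transport-layer egress policy: budget external sends per mailbox and refuse
classified mail that is not S/MIME-encrypted.

Added example, not from the original advisory. Labels, domains and limits are
constructed; a real deployment would read them from the mail platform.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"agency.example"}            # constructed internal domain
DAILY_EGRESS_BUDGET = 50 * 1024 * 1024           # 50 MiB per mailbox per day (assumed)
CLASSIFIED_LABELS = {"SECRET", "CONFIDENTIAL"}   # assumed label scheme
SMIME_ENCRYPTED_TYPE = "application/pkcs7-mime"  # S/MIME enveloped-data content type


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    size_bytes: int
    label: str = "UNCLASSIFIED"          # sensitivity label applied by the client
    content_type: str = "text/plain"     # top-level MIME type as seen by transport


@dataclass
class TransportPolicy:
    """Stateful policy: remembers bytes already sent externally per mailbox today."""
    spent: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, msg: OutboundMessage) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is ALLOW, QUARANTINE or BLOCK."""
        external = [r for r in msg.recipients
                    if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        classified = msg.label in CLASSIFIED_LABELS

        # Rule 1 (advisory 5): classified bodies must already be ciphertext when
        # they reach transport, so a compromised server sees only pkcs7-mime.
        if classified and msg.content_type != SMIME_ENCRYPTED_TYPE:
            return "BLOCK", "classified message is not S/MIME encrypted"

        # Rule 2 (assumed policy): classified mail never leaves the domain,
        # encrypted or not.
        if classified and external:
            return "BLOCK", "classified label to external recipient(s): " + ", ".join(external)

        # Rule 3 (advisory 4): external egress is budgeted per mailbox per day.
        # Quarantined messages do not consume budget, so a human can release them.
        if external:
            used = self.spent.get(msg.sender, 0)
            if used + msg.size_bytes > DAILY_EGRESS_BUDGET:
                return "QUARANTINE", (f"daily external egress budget exceeded "
                                      f"({used + msg.size_bytes} > {DAILY_EGRESS_BUDGET})")
            self.spent[msg.sender] = used + msg.size_bytes
        return "ALLOW", "within policy"


def demo() -> List[Tuple[str, str]]:
    """Run a constructed sequence of messages through one policy instance."""
    mib = 1024 * 1024
    policy = TransportPolicy()
    messages = [
        OutboundMessage("user01@agency.example", ["user02@agency.example"], 1 * mib),
        OutboundMessage("user01@agency.example", ["user02@agency.example"], 1 * mib,
                        label="SECRET"),                                   # plaintext
        OutboundMessage("user01@agency.example", ["user02@agency.example"], 1 * mib,
                        label="SECRET", content_type=SMIME_ENCRYPTED_TYPE),
        OutboundMessage("user01@agency.example", ["liaison@partner.example"], 1 * mib,
                        label="CONFIDENTIAL", content_type=SMIME_ENCRYPTED_TYPE),
        OutboundMessage("user01@agency.example", ["contact@partner.example"], 30 * mib),
        OutboundMessage("user01@agency.example", ["contact@partner.example"], 30 * mib),
        OutboundMessage("user02@agency.example", ["contact@partner.example"], 30 * mib),
    ]
    return [policy.evaluate(m) for m in messages]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:10} {reason}")
```

Two design points worth noting. The budget counts only external recipients, because that is the path a bulk forward or an auto-forwarding rule would take; internal mail is governed by the classification rules instead. And S/MIME protects bodies and attachments only: sender, recipients, timestamps and subject lines stay in the clear on the server, so the advisory's "unreadable" holds for message content, not for the correspondence graph that exposed personnel identities would be reconstructed from.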

08

SOURCES

NET, CISA/NSA Microsoft Exchange Server Security Best Practices (October 2025), NCSI (e-Governance Academy), Library of Congress, Citizen Lab (Pegasus), Amnesty International, US State Department (C-SIPA), Bahrain PDPL (Law No.
