French telecommunications provider Orange Group has confirmed a cyberattack targeting its Romanian operations. The company disclosed the incident to BleepingComputer, stating that it involved a non-critical back-office application and had no impact on customer services. Orange’s cybersecurity and IT teams are conducting an investigation to determine the extent of the breach and minimise any potential risks.

A hacker known as “Rey,” who is associated with the HellCat ransomware group, has claimed responsibility for the breach. The hacker alleges they maintained access to Orange’s systems for over a month before extracting data over a three-hour period without being detected. According to Rey, an attempt was made to extort the company, but when Orange did not respond, the stolen data was leaked on a hacker forum. Rey said that the breach was not part of a HellCat ransomware operation. However, the hacker is a known member of the group, which has previously been linked to cyberattacks on other organisations.

Hacker publishes stolen data after extortion attempt fails

The compromised data primarily concerns Orange Romania and includes approximately 380,000 unique email addresses, internal company documents, and customer information. Samples of the stolen data contain email addresses belonging to current and former employees, partners, and contractors. The leak also includes source code, invoices, contracts, and partial payment card details linked to Romanian customers.

Some of the data appears to be outdated. Certain email addresses belong to individuals who have not been affiliated with Orange Romania for more than five years, and many of the exposed payment card details have already expired. Additionally, customer records from Yoxo, Orange’s contract-free subscription service, were included in the breach.

Rey claims that access to Orange’s systems was obtained through a combination of compromised credentials and vulnerabilities in Jira, the company’s issue-tracking software. Internal portals were also targeted as part of the attack. The hacker stated that a ransom note was left on the compromised system, but the company did not engage in any negotiations.

In response to inquiries, Orange confirmed the cyberattack and provided assurances that it was taking action to address the breach. “Orange can confirm that our operations in Romania have been the target of a cyberattack,” a company spokesperson said. “We took immediate action, and our top priority remains protecting the data and interests of our employees, customers, and partners. There has been no impact on customers’ operations, and the breach was found to occur on a non-critical back-office application.” The company added that it is complying with legal obligations related to the breach and is cooperating with relevant authorities.

While Rey claims to have acted independently in this breach, they remain affiliated with the HellCat ransomware group, which has previously targeted large organisations. The group has claimed responsibility for cyberattacks on Schneider Electric and Spanish telecommunications provider Telefónica. In those cases, attackers exploited Jira servers to exfiltrate 40GB of data from Schneider Electric and 2.5GB from Telefónica.
