Telefónica Hit with Threat: 106 GB Data Leak Warning by Hellcat Hacker


A hacker known as “Rey,” affiliated with the Hellcat ransomware group, claims to have stolen 106 GB of internal data from Spanish telecom giant Telefónica on 30 May 2025 and is threatening full public release unless demands are met. This incident suggests a follow-up breach after the January 2025 Hellcat attack and raises concerns about lingering misconfigurations in critical internal systems, matters of immediate interest in cybersecurity services and security circles globally.

  • Late May 2025: Hellcat-associated hacker “Rey” claims 12-hour uninterrupted access to Telefónica’s internal Jira server due to a misconfiguration that followed a prior breach.
  • 30 May 2025: Alleged date of exfiltration of 106.3 GB spanning 385,311 files, including internal communications, purchase orders, logs, and customer and employee records.
  • Early July 2025: A 2.6 GB sample leak (5 GB unpacked, ~20,000 files) is shared with media, containing employee emails and invoices across Europe and Latin America.

Telefónica’s Position

  • Telefónica O2 personnel told BleepingComputer that the leaked data is old, not indicative of a new breach.
  • The most recent timestamp in leaked files dates to 2021, supporting their claims of a past incident. Yet “Rey” maintains the data came from the May breach and continues leaking parts to pressure Telefónica.

Regional Resonance: Implications for MEA

MEA Regulatory Context

  • In the Middle East and Africa, regions prioritizing regulatory compliance (e.g., UAE’s NESA, South Africa’s POPIA), this incident highlights the risk posed by neglecting internal system security—even after an incident has seemed resolved.
  • Telecom operators in the region frequently deploy Jira and internal ticketing systems; the Telefónica case highlights a sector-wide attack surface.

Potential MEA Exposures

  • Multinational telecoms headquartered or operating in the MEA region might share similar internal systems and codebases—misconfigurations could echo across borders.
  • Data involving MEA customers or employees (e.g., issuing invoices across Latin America and Europe) suggests that files could include MEA-linked data, though specific inclusion is not yet confirmed.

Global Context & Precedent

Hellcat’s History

  • Hellcat previously breached Telefónica in January 2025, stealing ~2.3 GB from its Jira system via compromised credentials.
  • The group also targeted Schneider Electric, exfiltrating 40 GB in November 2024, showcasing their signature tactic of exploiting Jira misconfigurations.

Emerging Leak-Drop Strategy

  • Hellcat’s tactics now include public sample releases as proof-of-breach, combining extortion-like pressure with stealthy data dumps, reflecting a wider shift in the ransomware/leakware models used by groups like Clop and LockBit.

Technical Analysis (MITRE ATT&CK)

Phase | Technique | TID
Initial Access | Valid Accounts (stolen credentials) | T1078
Execution | Unauthenticated Access to Internal Jira | T1190
Discovery | Internal Ticketing System Discovery | T1083
Collection | Data from Information Repositories | T1213
Exfiltration | Automated Exfiltration via Cloud Storage | T1048
Impact | Data Disclosure (public/scheduled leak) | T1491

IOCs: The shared sample (~20,000 files) carries file metadata with ~2021 dates; the threat actor’s hosting was identified through PixelDrain and Kotizada links, which Chrome flags as unsafe.

Expert & Official Reactions

Cybersecurity Community

“Hellcat’s tactic of sifting old data while claiming recency is calculated to undermine trust—even old data proves glaring config failures.” – Mitchell Langley, Security Analyst

“A 12‑hour misconfigured Jira window speaks volumes about persistent gaps post‑incident.” – Antonio Fernandes, CISO (Spain) (bleepingcomputer.com)

Telefónica

  • Telefónica acknowledges the January breach and confirms an internal server incident, but to date disclaims a fresh breach, attributing the current claims to extortion tactics based on old data.

Actionable Takeaways for Defenders

  1. Audit and Lockdown Jira Instances: Enforce strict authentication, network whitelisting, and MFA on internal ticketing systems.
  2. Immediate Misconfiguration Detection: Regularly scan essential internal systems (like Jira) for hardening gaps.
  3. Credential Handling Hygiene: Rotate credentials and remove stale privileged accounts post-incident.
  4. Network Segmentation: Isolate internal dev systems from the wider enterprise network.
  5. Monitor Exfil Outputs: Watch for traffic to cloud storage endpoints like PixelDrain or Kotizada.
  6. Deploy EDR and UBA: Look for unusual file exfil operations or abnormal access spikes.
  7. Data Leak Follow-Up: Even old leaks can be repurposed; patch and harden swiftly.
  8. Incident Response Update: Include leak-timing and public proof-threat scenarios in tabletop exercises.
  9. Boost External Monitoring: Track dark web, hacker forums, and social channels for leak announcements.
  10. Prepare Communications: Have crisis messaging ready to manage disclosure and dispel extortion narratives.
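The detection side of takeaways 5 and 6 (watch for uploads to file-sharing endpoints such as PixelDrain, and for abnormal access spikes) can be prototyped against web-proxy logs. The script below is an added example written for this article; it is not code from the original page or from Telefónica. The log format, the thresholds, the sample log lines and every host other than pixeldrain.com (the page names Kotizada but gives no domain, so a labelled placeholder stands in for it) are constructed assumptions.

```python
"""Flag bulk uploads to leak-hosting services and access spikes in proxy logs.

Added example for the article's takeaways 5 and 6; not code from the page.
Assumed (constructed) log format, one request per line:
    <unix_ts> <client_ip> <METHOD> <dest_host> <status> <request_bytes>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re

# Hosts the article names as leak-hosting services. pixeldrain.com is the
# service's real domain; the page gives no domain for "Kotizada".
WATCHLIST_HOSTS = {
    "pixeldrain.com",
    "kotizada.example",  # placeholder: real domain not given on the page
}
BULK_UPLOAD_BYTES = 100 * 1024 * 1024   # assumed: 100 MiB per client/host/hour
SPIKE_REQUESTS_PER_MINUTE = 200          # assumed: per client per minute

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<req_bytes>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    client: str
    host: str
    detail: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def analyse(lines):
    """Apply three rules: watchlist contact, bulk upload, request spike."""
    alerts = []
    upload_bytes = defaultdict(int)  # (client, host, hour bucket) -> bytes sent
    per_minute = Counter()           # (client, minute bucket) -> request count
    seen_watchlist = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        key = (rec["client"], rec["host"])
        if rec["host"] in WATCHLIST_HOSTS and key not in seen_watchlist:
            seen_watchlist.add(key)
            alerts.append(Alert("WATCHLIST_HOST", rec["client"], rec["host"],
                                f"first contact at ts={rec['ts']}"))
        if rec["method"] in ("PUT", "POST"):  # only request bodies count as upload
            upload_bytes[(rec["client"], rec["host"], rec["ts"] // 3600)] += rec["req_bytes"]
        per_minute[(rec["client"], rec["ts"] // 60)] += 1
    for (client, host, hour), total in upload_bytes.items():
        if total >= BULK_UPLOAD_BYTES:
            alerts.append(Alert("BULK_UPLOAD", client, host,
                                f"{total} bytes uploaded in hour {hour}"))
    for (client, minute), n in per_minute.items():
        if n >= SPIKE_REQUESTS_PER_MINUTE:
            alerts.append(Alert("ACCESS_SPIKE", client, "*",
                                f"{n} requests in minute {minute}"))
    return alerts


def build_sample_log():
    """Constructed sample: normal browsing, a bulk upload to a watchlist host,
    a request burst against an internal Jira host, and a small upload that
    should stay below threshold."""
    base = 1748592000  # constructed timestamp on 30 May 2025 (UTC)
    mib = 1024 * 1024
    lines = [f"{base + i} 10.20.30.40 GET jira.corp.example 200 0" for i in range(3)]
    lines.append(f"{base + 1} 10.20.30.41 PUT pixeldrain.com 200 {60 * mib}")
    lines.append(f"{base + 500} 10.20.30.41 PUT pixeldrain.com 200 {60 * mib}")
    lines += [f"{base + 120} 10.20.30.42 GET jira.corp.example 200 0" for _ in range(250)]
    lines.append(f"{base + 900} 10.20.30.43 POST filedrop.example 200 {50 * mib}")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(f"[{alert.rule}] client={alert.client} host={alert.host} {alert.detail}")
```

The per-hour and per-minute buckets are deliberately coarse so the logic fits in a single pass; a production detector would use sliding windows and a per-client baseline rather than fixed thresholds, and would pull the upload size from whatever field the proxy actually records for request bodies.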

Conclusion

The threatened release of 106 GB of Telefónica data underlines the precariousness of internal systems, even those thought secured post-incident. For CISOs, SOC leaders, and MEA-based telecom operators, this is a wake‑up call to rethink incident response, system hardening, and threat monitoring. Whether the data is new or recycled, legacy vulnerabilities can still cripple trust and reputation. Immediate audits and stronger controls are vital to closing these dangerous gaps.

Sources

  • BleepingComputer – “Hacker leaks Telefónica data allegedly stolen…” (4 Jul 2025)
  • Cybernoz – Mirror coverage (4 Jul 2025)
  • Undercode News – Analysis of claim and silence (Jul 2025)
  • Daily Security Review – Employee impact & Malware insight (5 days ago)
  • SentryBay, TechRadar, ThaiCERT, others on January breach
Author: Ouaissou DEMBELE, Editor-in-Chief, Cybercory.com (http://cybercory.com)
