A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge.
The threat actor has leaked a 2.6GB archive that unpacks into five gigabytes of data with a little over 20,000 files to prove that the breach occurred.
The breach allegedly occurred on May 30 and the hacker claims they had 12 hours of uninterrupted data exfiltration before defenders revoked access.
The hacker claiming responsibility for the attack is known as “Rey” and is a member of the Hellcat Ransomware group – responsible for another breach at Telefónica in January through an internal Jira development and ticketing server.
Rey told BleepingComputer that they exfiltrated 385,311 files totaling 106.3GB of internal communications (e.g. tickets, emails), purchase orders, internal logs, customer records, and employee data.
They also said that the May 30 breach was possible because of a Jira misconfiguration after the company dealt with the previous compromise.
BleepingComputer tried on multiple occasions since June 3rd to reach out to Telefónica over email. We also contacted several C-suite employees but received no acknowledgment of the May 30 breach.
The only response we received came from a Telefónica O2 employee, who dismissed the alleged incident as an extortion attempt using outdated information from a previously known incident.
Telefónica O2 is the Spanish company’s brand for its telecommunications businesses in the U.K. and Germany.
Rey shared with BleepingComputer a sample and file tree of the data allegedly stolen from Telefónica on May 30. Some of the files included invoices to business clients in multiple countries, including Hungary, Germany, Spain, Chile, and Peru.
In the files we received there were email addresses for employees in Spain, Germany, Peru, Argentina, and Chile, and invoices for business partners or customers in European countries.
The most recent file we could find in all the info Rey shared was from 2021, though, which seems to confirm what the company representative told us.
However, the hacker is adamant about the data coming from a new breach from May 30. To prove their point, they started leaking a part of the allegedly stolen files.
“Since Telefonica has been denying a recent 106 GB breach containing data from its internal infrastructure, I am releasing 5 GB here as proof. Soon, I will publish the full file tree, and over the next few weeks, if Telefonica does not comply, the entire archive will be released. ;)” – Rey said.
The data was initially distributed using the PixelDrain storage and data transfer services but it was removed after a few hours for legal reasons.
The threat actor later distributed another download link from Kotizada, a service then turned to another service, Kotizada, which Google Chrome flags as a dangerous site and strongly recommends users to avoid it.
Until Telefónica provides an official statement, it is unclear if this is a new breach consisting of old data. However, from BleepingComputer’s findings, some of the email addresses in the leak belong to active employees.
The HellCat hacking group is not new on the scene and they are typically focused on targeting Jira servers. They are responsible for multiple attacks at high-profile companies.
They claimed compromises at Swiss global solutions provider Ascom, Jaguar Land Rover, Affinitiv Schneider Electric, and Orange Group.
While cloud attacks may be growing more sophisticated, attackers still succeed with surprisingly simple techniques.
Drawing from Wiz’s detections across thousands of organizations, this report reveals 8 key techniques used by cloud-fluent threat actors.