Hackers claim they’ve breached Orange and have “very detailed” information


Babuk ransomware, a cybercrime ring that targets major enterprises, has posted unverified claims about a massive data breach at Orange, a major telecom. Cybernews researchers who reviewed the provided sample believe the files might be genuine.

The hackers are claiming responsibility for an alleged cyberattack against Orange.

“We will publish 1TB if they do not want to negotiate with us,” Babuk ransomware threatens on its leak site on the dark web.


“And there is still a lot more that we stole, the sample is not much.”

The cybercriminals said they hacked into Orange on Sunday, March 16th, and stole “all information related to orange.com and orange.ro from Romania.”

If the post is to be believed, Babuk ransomware has obtained 4.5 terabytes of “very detailed” information.

The hackers listed email addresses, customer records, source code, internal documents, invoices, contracts, projects, tickets, user data, employee data, messages, credit cards, call logs, and other personally identifiable information (PII) among the stolen data.

Cybernews has contacted Orange and the French National Commission on Informatics and Liberty (CNIL) for clarification and will update the story with their responses.

The CNIL declined to comment on the alleged data breach at Orange, saying the inquiry did not specify a timeframe it could address.


If confirmed, the breach could pose severe risks to impacted Orange customers, as their private data and communications could be used to perform a wide variety of cyberattacks and craft convincing lures for phishing attacks or business email compromise schemes.


“The leaked data presents serious risks to both employees and the organization, exposing sensitive personal and corporate information that could lead to identity theft, targeted attacks, and further exploitation by malicious actors,” said Neringa Macijauskaitė, Information Security Researcher at Cybernews.

Babuk ransomware has recently made many high-profile unverified claims, including alleged breaches at Taobao, Pinduoduo, Jingdong, and multiple governmental agencies across the world.

It's unclear if and how the hackers could have gained access to so many large organizations in such a short time.

Orange is a French multinational telecommunications company with 137,000 employees. As of December 31st, 2023, it operated in 26 countries and served 287 million customers.


Last month, Cybernews reported on another cybersecurity incident at the company. Orange admitted that a hacker had stolen thousands of internal documents containing user records and employee data.

Babuk is a profit-driven ransomware cartel that offers its malware and support as a service and targets large enterprises. It first appeared in 2020, and SentinelOne researchers linked Babuk to another Russia-linked cybercriminal organization, Evil Corp.

Babuk was inactive for nearly a year, announcing its comeback in January with a series of posts on Telegram. Since then, the gang has claimed 60 new victims. In March alone, the gang posted over 30 organizations on its leak site.

The data sample suggests the files might be genuine

According to the Cybernews research team, which reviewed the sample, the provided data sample suggests that claims about a potential breach at Orange might be credible.


The threat actor uploaded a 6.44GB Orange data sample with thousands of Orange internal documents. Some files include employee data, like names, usernames, email addresses, and time zones, as well as a list of various Jira projects related to the Orange.ro domain. Jira is project management software for tracking and managing tasks, bugs, and other work-related issues.


One folder called “issues” contains 235 files detailing tasks related to system configuration, monitoring setup, user management, feature development, and others.


It also contains a file named “pii_extracted” with email addresses from orange.com, tremend.com/ro, and publicissapien.com domains, along with some phone numbers.


Another folder called “Files” contains around 8,600 internal documents.

The filenames point to sensitive content: customer conversations, financial data (balances, invoices, conversion rates), and other employee and client information.
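The kind of first-pass check a researcher runs over a claimed sample like the one described above is to pull every email address and phone number out of the extracted text and group the addresses by domain: a sample that is supposedly from Orange should be dominated by orange.com and orange.ro addresses, and a long tail of unrelated domains is a signal that the dump is padded or recycled. The following is an added example, not code from the article or from the Cybernews research team; the sample text, the domain list, and the loose phone-number heuristic are all constructed for illustration.

```python
"""Triage a leak sample for exposed identifiers, grouped by domain.

Added example: not code from the article or from Cybernews. The SAMPLE
text below is constructed for illustration and is not data from the
alleged Orange leak; EXPECTED_DOMAINS is an assumption about what a
genuine sample from this target would contain.
"""
import re
from collections import defaultdict

# Email pattern with the domain in group 1 (good enough for triage, not RFC 5322).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Loose phone heuristic: optional '+', then digits with common separators.
# The character class deliberately excludes newlines so a match cannot
# span two lines; a digit-count filter below rejects dates and ticket ids.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d ().-]{7,}\d(?!\w)")

# Constructed sample resembling a Jira export; not real data.
SAMPLE = """\
Jira export (constructed sample, not real data)
assignee: ana.popescu@orange.ro, reporter: m.ionescu@tremend.ro
cc: bob@example.com, ana.popescu@orange.ro
contact: +40 21 123 4567
ticket ORO-1234 created 2024-03-01 by carol.dupont@orange.com
"""

# Assumption: domains a genuine sample from this target would be expected to contain.
EXPECTED_DOMAINS = {"orange.com", "orange.ro", "tremend.ro"}


def triage(text, expected_domains):
    """Return counts of unique emails per domain, normalised phone numbers,
    and which domains were or were not expected."""
    by_domain = defaultdict(set)
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0).lower()
        by_domain[m.group(1).lower()].add(addr)

    phones = set()
    for m in PHONE_RE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        # Real subscriber numbers carry 9-15 digits; '2024-03-01' has 8 and is dropped.
        if 9 <= len(digits) <= 15:
            phones.add(("+" if raw.startswith("+") else "") + digits)

    return {
        "emails": sum(len(a) for a in by_domain.values()),
        "domains": {d: len(a) for d, a in by_domain.items()},
        "expected_hit": sorted(d for d in by_domain if d in expected_domains),
        "unexpected": sorted(set(by_domain) - set(expected_domains)),
        "phones": sorted(phones),
    }


RESULT = triage(SAMPLE, EXPECTED_DOMAINS)

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(f"{key}: {value}")
```

On the constructed sample this reports four unique addresses across four domains, flags example.com as the one domain outside the expected set, and normalises the single contact number to +40211234567 while discarding the date. On a real dump, the ratio of expected to unexpected domains and the overlap between addresses in the sample and addresses already known from earlier leaks are what separate a plausible fresh breach from recycled data.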

Updated on March 18th [12:00 p.m. GMT] with additional information from the Cybernews Research team.

Updated on March 20th [9:00 a.m. GMT] with CNIL response.
