The hackers employed information stealer malware to steal the credentials of several Telefonica employees and gain access to the company's internal ticketing system.
The data breach was revealed last week when members of the Hellcat ransomware group (which had previously claimed responsibility for the Schneider Electric attack) boasted on the BreachForums cybercrime website about stealing customer data, ticket data, and hundreds of files from the Spain-based telecom provider.
According to cybersecurity firm Hudson Rock, the attack was "facilitated by a combination of infostealer malware and sophisticated social engineering techniques".
The attackers told Hudson Rock that they used custom infostealer malware to steal the credentials of over 15 Telefonica employees and gain access to the firm's Jira platform. Once inside, the attackers apparently targeted two employees holding administrator credentials, "tricking them into revealing the correct server for brute-forcing SSH access".
The perpetrators stole a list of 24,000 Telefonica staff emails and identities, 500,000 summaries of internal Jira issues, and 5,000 internal documents, which included internal email chats and other contents.
The stolen data could expose Telefonica personnel to phishing and other forms of social engineering, and could also reveal operational details, security flaws in the company's infrastructure, strategic goals, and other sensitive internal information.
Hudson Rock claims that last year, 531 employee PCs connected to Telefonica's network were infected with infostealers, potentially exposing the corporate credentials stored on each machine. The company also appears not to have enforced robust password policies across its corporate infrastructure.
“For the URL linked to the initial access, the passwords were even weaker, indicating that it wouldn’t have taken an infostealer infection for hackers to brute force their way in,” the cybersecurity firm noted.
In other infostealer infections, Telefonica employees' credentials for third-party services such as Fortinet, Office 365, and Salesforce were also stolen.
“These infections provide hackers with the necessary credentials to infiltrate systems and, as demonstrated in this case, can be leveraged to expand access further through sophisticated social engineering tactics. Infostealers serve as a stepping stone for more advanced attacks, making them a significant concern for organizations worldwide,” Hudson Rock added.
In response to a local media outlet's request, Telefonica confirmed the incident but declined to provide any other details on the potentially compromised data.
“We have become aware of an unauthorized access to an internal ticketing system which we use at Telefónica. We continue to investigate the extent of the incident but can confirm that Telefónica's residential customers have not been affected. From the very beginning, we have taken the necessary steps to block any unauthorized access to the system,” Telefonica stated.
Telefonica, a multinational telecommunications firm headquartered in Madrid, Spain, operates in a dozen countries worldwide under various brands such as Movistar, O2, Telefonica, Telxius, and Vivo.