In a significant escalation of cyber hostilities, the ransomware group Hunters International has publicly leaked 570 gigabytes of data stolen from Servicios CCOO, the services federation of Spain’s Comisiones Obreras (CCOO) trade union.
The breach, first disclosed on the dark web on March 3, 2025, follows a failed ransom negotiation after the group infiltrated the union’s servers and exfiltrated 689,764 files containing financial records, employee data, and internal communications.
The incident underscores the growing boldness of ransomware-as-a-service (RaaS) operations targeting high-profile organizations with limited cybersecurity defenses.
Technical Overview of the Attack
According to the post from HackManac, Hunters International, a group with suspected ties to Russian cybercriminals, employed a dual extortion strategy: encrypting critical systems and threatening to release stolen data unless a payment was made.

The attackers likely exploited vulnerabilities in CCOO’s remote work infrastructure, which had previously faced scrutiny under GDPR compliance after a 2021 data breach involving employee personal emails.
The group’s modus operandi resembles that of advanced persistent threats (APTs), including use of the SharpRhino remote access trojan (RAT) to bypass network defenses and move laterally.
Data exfiltration occurred over an unspecified period, with Hunters International compressing the 570.8 GB dataset into encrypted archives before publishing it on their Tor-based leak site.
The leaked files reportedly include payroll details, membership records, and sensitive correspondence related to labor negotiations—a strategic move to maximize reputational damage.
Despite CCOO’s prior legal victory mandating corporate email use to protect worker privacy, the union’s reliance on hybrid remote-work tools may have introduced attack vectors exploited by the threat actors.
Impact on Servicios CCOO and Broader Implications
The breach disrupts CCOO’s operations at a critical juncture, as the union navigates nationwide labor reforms.
With over 689,000 files now circulating on dark web forums, the exposure of internal strategies and member data risks undermining trust in Spain’s largest labor organization.
Cybersecurity analysts warn that phishing campaigns leveraging stolen employee credentials could follow, targeting CCOO’s 11 million members.
GDPR compliance looms as another challenge.
Spain’s Data Protection Agency (AEPD) may investigate whether CCOO adhered to data minimization principles under Article 5(1)(c), particularly after the 2022 National High Court ruling requiring employers to provide secure communication channels.
Penalties could reach €20 million or 4% of global revenue if negligence is proven.
Hunters International’s Expanding Cyber Campaign
This attack reflects Hunters International’s pattern of targeting entities with high political or financial stakes.
In September 2024, the group extracted 6.6 TB of data from ICBC London, threatening global financial stability, while a 2024 U.S. Marshals Service breach demonstrated their ability to compromise law enforcement networks.
Their RaaS model, which leases malware infrastructure to affiliates, enables rapid scalability; Barracuda reports over 134 victims across healthcare, finance, and critical infrastructure in 2025 alone.
Notably, the group avoids Russian targets, aligning with the Kremlin’s tacit tolerance of cybercriminals operating abroad.
Analysts attribute their rise to the 2023 collapse of the Hive ransomware syndicate, from which Hunters acquired encryption algorithms and dark web repositories.
Response and Mitigation Strategies
CCOO has yet to issue a public statement, but incident response protocols likely involve forensic audits by Spain’s National Cybersecurity Institute (INCIBE).
SentinelOne and Picus Security recommend immediate implementation of endpoint detection and response (EDR) systems, multi-factor authentication (MFA), and regular penetration testing to counter Hunters’ signature tactics.
Liam Davenport of SentryBay emphasizes, “Organizations must adopt zero-trust architectures and secure communication channels to mitigate keylogging and screen-capture attacks—common ingress points for ransomware.”
For unions and NGOs, merging IT and operational technology (OT) security frameworks is critical to safeguarding stakeholder data.
The Servicios CCOO breach highlights the escalating risks posed by RaaS operators to civil society organizations.
As Hunters International continues refining its tradecraft, proactive defense mechanisms—not reactive negotiations—are imperative to disrupt the cybercrime lifecycle.