
Orange Group Confirms Major Data Breach By HellCat


A data breach at Orange Group, one of France’s largest telecommunications providers, has exposed sensitive corporate and customer data after a threat actor leaked thousands of internal documents on a dark web forum.

Using the alias “Rey” and claiming affiliation with the HellCat ransomware group, the hacker published approximately 12,000 files (6.5 GB) containing source code, invoices, contracts, and partial payment card details.

Orange confirmed the breach originated from a “non-critical back-office application” in its Romanian branch, emphasizing no disruption to customer operations.

Technical Exploitation and Data Exfiltration

According to the post from ThreatMon, Rey gained prolonged access to Orange’s systems by exploiting compromised credentials and vulnerabilities in the company’s Jira issue-tracking software and internal portals.

Over a month of undetected access culminated in a three-hour data exfiltration window on February 25, 2025, during which Rey extracted 380,000 unique email addresses, employee records, and project documents.
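A month of quiet access followed by a concentrated three-hour pull is the pattern that per-account volume baselining is meant to catch. The following is an added illustration, not code from the article or from Orange, and it assumes a hypothetical, constructed audit-log format (`timestamp user=… action=… bytes=…`) rather than any real Jira or portal log schema. It builds a constructed log in which two accounts export a steady ~100 KB per hour for five days and one of them then pulls 200 MB per hour for three hours, and flags hours whose export volume far exceeds that account's own median hourly volume.

```python
"""Flag accounts whose hourly export volume far exceeds their own typical volume.

Added example with a constructed log format; not the article's or Orange's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hypothetical audit-log line layout (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)


def build_sample_log() -> str:
    """Constructed data: 'alice' and 'bob' each export 100 KB once an hour for five
    days; 'bob' then performs 100 x 2 MB exports in each of three consecutive hours."""
    lines = []
    start = datetime(2025, 2, 20, 0, 0, 0)
    for h in range(5 * 24):
        ts = start + timedelta(hours=h)
        for user in ("alice", "bob"):
            lines.append(f"{ts.isoformat()} user={user} action=export bytes=100000")
    burst = datetime(2025, 2, 25, 1, 0, 0)
    for h in range(3):
        for n in range(100):
            ts = burst + timedelta(hours=h, seconds=n * 30)
            lines.append(f"{ts.isoformat()} user=bob action=export bytes=2000000")
    return "\n".join(lines)


def parse_log(text: str):
    """Yield (timestamp, user, action, bytes) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (
            datetime.fromisoformat(m.group("ts")),
            m.group("user"),
            m.group("action"),
            int(m.group("bytes")),
        )


def detect_export_spikes(events, ratio: float = 20.0, floor_bytes: int = 10_000_000):
    """Return {user: [(hour, bytes), ...]} for hours whose export volume exceeds
    max(ratio * that user's median hourly volume, floor_bytes).

    The per-user median keeps a habitually heavy exporter from alerting on every
    hour; the absolute floor keeps a tiny baseline from alerting on trivial growth."""
    hourly = defaultdict(lambda: defaultdict(int))
    for ts, user, action, nbytes in events:
        if action != "export":
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        hourly[user][hour] += nbytes

    alerts = {}
    for user, buckets in hourly.items():
        threshold = max(ratio * median(buckets.values()), floor_bytes)
        spikes = sorted((h, b) for h, b in buckets.items() if b > threshold)
        if spikes:
            alerts[user] = spikes
    return alerts


if __name__ == "__main__":
    for user, spikes in detect_export_spikes(parse_log(build_sample_log())).items():
        for hour, nbytes in spikes:
            print(f"ALERT {user} {hour.isoformat()} exported {nbytes / 1e6:.0f} MB")
```

The thresholds are illustrative; in practice the baseline window, ratio and floor are tuned per application, and the alert is only as good as the audit log's coverage of export and bulk-read actions.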

Notably, much of the leaked payment card data belonged to Romanian customers and was outdated or expired, mitigating immediate financial risks.

The attacker left a ransom note but reported no engagement from Orange.

Rey clarified this was not a ransomware operation but a standalone breach, despite their HellCat affiliation—a group linked to high-profile attacks on Schneider Electric and Telefónica via Jira server exploits.

Corporate Response and Mitigation Efforts

Orange Romania initiated an internal investigation, collaborating with cybersecurity teams and authorities to assess the breach’s scope.

A spokesperson stated, “Our priority remains protecting the data of employees, customers, and partners,” noting the compromised application’s non-critical nature.

The company has yet to confirm if the leaked data aligns with Rey’s claims but pledged compliance with legal obligations and transparency in updates.

Secondary Breach: Orange Spain’s BGP Hijacking

In a related incident, Orange Spain faced a separate cyberattack on February 25, 2025, when a hacker dubbed “Snow” hijacked its account at RIPE NCC, the regional internet registry for Europe, and used it to manipulate Border Gateway Protocol (BGP) routing and Resource Public Key Infrastructure (RPKI) configurations.

This caused a three-hour outage by invalidating IP address announcements, disrupting traffic flow.
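The outage mechanism is worth making concrete: RPKI Route Origin Authorizations (ROAs) are published through the registry account, and networks that enforce Route Origin Validation (RFC 6811) drop announcements that a covering ROA marks as Invalid. The block below is an added example, not code from the article or from RIPE NCC; it implements the RFC 6811 validation outcome (Valid / Invalid / NotFound) over an in-memory ROA set and uses documentation prefixes and ASNs (192.0.2.0/24, AS64496, AS64511) that are constructed for the illustration. It then shows how replacing a legitimate ROA through a compromised registry account turns the operator's own announcement Invalid, and includes the before/after diff a defender would want to alert on.

```python
"""Route Origin Validation (RFC 6811) over a set of ROAs, plus a before/after diff.

Added example; prefixes and ASNs are constructed documentation values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length this ROA authorises
    origin_asn: int   # AS allowed to originate it (0 means "nobody", RFC 6483)


def validate_route(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one announcement.

    NotFound: no ROA covers the prefix.
    Valid:    some covering ROA matches the origin AS and allows this length.
    Invalid:  covering ROAs exist but none matches."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def validity_changes(announcements, before: list[ROA], after: list[ROA]):
    """List announcements whose RPKI status changed between two ROA snapshots.

    This is the check to run against a periodic export of the ROAs published
    under your own registry account: a legitimate route flipping to Invalid is
    exactly the symptom of a tampered or deleted ROA."""
    changes = []
    for prefix, asn in announcements:
        old, new = validate_route(prefix, asn, before), validate_route(prefix, asn, after)
        if old != new:
            changes.append((prefix, asn, old, new))
    return changes


# Constructed scenario: the operator (AS64496) announces 192.0.2.0/24 under a
# correct ROA; an attacker with registry access re-points the ROA to AS64511.
OPERATOR_ROUTES = [("192.0.2.0/24", 64496)]
LEGIT_ROAS = [ROA("192.0.2.0/24", 24, 64496)]
TAMPERED_ROAS = [ROA("192.0.2.0/24", 24, 64511)]


if __name__ == "__main__":
    print("before:", validate_route("192.0.2.0/24", 64496, LEGIT_ROAS))
    print("after: ", validate_route("192.0.2.0/24", 64496, TAMPERED_ROAS))
    for change in validity_changes(OPERATOR_ROUTES, LEGIT_ROAS, TAMPERED_ROAS):
        print("ALERT status change:", change)
```

Note that an attacker does not need to announce anything themselves: changing or deleting the ROA is enough for ROV-enforcing peers to discard the operator's genuine announcement, which is why the registry account's MFA and password policy are part of routing security, not just account security.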

Investigators traced the breach to an Orange employee’s corporate credentials, stolen via a September 2023 infostealer malware infection (Raccoon Stealer).

The compromised RIPE account lacked multi-factor authentication (MFA) and used the weak password “ripeadmin,” enabling Snow to alter critical network settings.

RIPE restored access and reiterated MFA enforcement advisories.

Broader Implications and Industry Concerns

The Orange breaches highlight systemic vulnerabilities in telecom infrastructure.

Rey’s Jira exploitation mirrors HellCat’s modus operandi, emphasizing the risks of unpatched software and credential mismanagement.

Meanwhile, Snow’s BGP attack underscores the fragility of internet routing protocols and the cascading impact of compromised registry accounts.

Resecurity researchers further identified 1,572 compromised RIPE, APNIC, and LACNIC credentials on dark web markets—many priced under $10—linked to info-stealer malware like Redline and Lumma.

These credentials, often from employees using personal email services (e.g., Gmail), enable threat actors to hijack network configurations or sell access to ransomware groups.

Conclusion: A Call for Enhanced Cyber Hygiene

Orange’s dual breaches illustrate the multifaceted threats facing telecom operators.

While outdated data in the Romania leak reduced immediate harm, the exposure of source code and contracts risks long-term reputational and operational damage.

The Spain incident demonstrates how single points of failure—weak passwords, absent MFA—can destabilize critical internet infrastructure.

Organizations must prioritize patch management, enforce MFA for all privileged accounts, and monitor for credential leaks via dark web scanning.

As HellCat and similar groups refine their tactics, proactive defense remains the cornerstone of cybersecurity resilience.
