Ransomware Group Claims Attacks on Ascom, Jaguar Land Rover

The Hellcat ransomware group claims to have stolen tens of gigabytes of data from Ascom and Jaguar Land Rover.

The Hellcat ransomware group this week claimed responsibility for cyberattacks on Swiss telecommunications provider Ascom and British multinational car manufacturer Jaguar Land Rover (JLR).

The attack on Ascom occurred on March 16, and the group added the company to its Tor-based leak site on the same day. The telecoms company confirmed the next day that the attack targeted its technical ticketing system.

“The Ascom IT Cybersecurity Team is investigating the incident and immediately closed the ticketing system. Determining the extent of the attack is part of the ongoing investigation,” the company said.

Ascom said it notified the relevant authorities and underlined that no other IT systems or customer systems were impacted and that its business operations were not affected.

Hellcat claimed to have stolen 44 gigabytes of sensitive data from the company, including contracts, documents, development tools, and source code.

At the same time, Hellcat claimed the theft of hundreds of gigabytes of data from JLR, a subsidiary of Indian multinational corporation Tata Motors.

At least two threat actors affiliated with the group said that stolen credentials for Atlassian Jira were used to access the company’s systems, cybersecurity firm Hudson Rock reports.

Infostealers were reportedly used to siphon the credentials from LG Electronics employees who had access to JLR’s Jira server, and one of the threat actors said in a forum thread that the exfiltrated credentials dated back to 2021.

Hudson Rock points out that Hellcat is known for employing credentials exfiltrated using infostealers, which are often shared or sold on the dark web among cybercriminals. Intrusions at Schneider Electric and Telefonica were perpetrated using stolen credentials.

“What sets the JLR breach apart is the age of the compromised credentials. Hudson Rock, which has tracked infostealer infections since at least 2018, had previously identified the employee’s stolen login details as part of its vast database of exposed credentials. Despite their age, the credentials remained valid and unchanged,” Hudson Rock notes.

JLR has yet to confirm the cyberattack. SecurityWeek has emailed the company several times for a statement on the hackers’ claims but received no response by the time of publishing.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
