Blogs

Orange Group Suffered Data Breach; Threat Actors Exposes Compromised Data

Threat actors aimed infiltrating on Orange’s systems; A case of Ransomware cannot be denied on the data breach that took place.

Orange has confirmed it has recently experienced a cyber-attack, that exposed compromised data. Orange insists it is still investigating the case. The data breach on Orange group when analyzed found it included thousands of internal documents, including sensitive user records and employee data, after infiltrating the company’s infrastructure.

As per reports one of Orange’s non-critical apps breached in an attack aimed at its Romanian operations after HellCat ransomware gang member “Rey” alleged exfiltrating thousands of internal files with user records and employee details, which have been leaked on Tuesday, according to BleepingComputer.

Key Breach details on Orange Group

The data breach aimed at Infiltration of Orange’s systems for more than a month via the exploitation of Jira software and internal portal vulnerabilities.
This facilitated the eventual breach and can be a ransomware case as of almost 6.5 GB of corporate data including about 12,000 files over a nearly three-hour period on Sunday.
The hacker, known by the alias Rey, is a member of the HellCat ransomware group, noted the intrusion to be independent from the HellCat ransomware operation.
The threat actor claims that they have stolen thousands of internal documents of current and former Orange Romania employee, contractor, and partner email addresses, some of which dated from over five years ago, as well as mostly expired partial payment card details.
The hacker claims that they gained access to Orange’s systems by exploiting compromised credentials and vulnerabilities in the company’s Jira software (used for issue tracking) and other internal portals.
The point was getting access to the company’s systems for over a month before executing the data exfiltration as per the hacker. They also stated that they had dropped a ransom note on the compromised system, but Orange did not engage in negotiations.
Orange emphasized that the attack has not impacted operations amid an ongoing investigation into the incident. The company is yet to disclose whether affected individuals will be notified or if additional security measures will be introduced to prevent similar breaches in the future.

Cyber Security Implications

From cybersecurity point the incident reflected how major organization face cyber threats and what is their strategy for incident response?

How far is the preparedness of enterprises against a ransomware attack?

These are some of the eminent questions organizations must face in order to defend their brand name..Is it proactive, are organizations prepared as Ransomware groups are focusing with advanced techniques.

Cyber security preparedness the next step

It is important that security teams be on their toes to stop any ransomware attack at the source.

AI on the endpoints is the requirement of the day, detecting atypical behavior to predict and block attack advances, at the same time before encryption, having visibility full visibility from the kernel to the cloud enables one to spot signs of compromise .This can also be any ransomware chain or any early indicators of compromise.

Experts keep on warning how to protect assets from getting compromised warning customers and employees to remain vigilant for potential phishing attempts based on the data that has been leaked.

AI Leveraging Ransomware campaigns

Earlier we witnessed cybercriminals would encrypt data and provide the decryption key once payment was received.

Now threats has doubled up with double or triple extortion attacks to expose stolen information on data leak sites in exchange for larger ransoms.

The greater availability of artificial intelligence and machine learning tools has led to these gangs be more sophisticated in their attack methods. Now the attack vectors leverage AI and ML capabilities to evade detection, spread more effectively to reach their final goals.

AI Reshaping Cyber security Roadmap

AI in cybersecurity firstly integrates artificial intelligence technologies that are required to gain critical insights and automate time-consuming processes and this includes machine learning and neural networks, into security frameworks.

These technologies are a must to enable cybersecurity teams and systems to analyze vast amounts of data, recognize attack patterns, and being able to adapt new evolving threats that can be performed with minimal human intervention. Read our blog: AI Reshaping Roadmap for Cyber security

With AI capabilities what is the next scenario we may witness in Ransomware campaigns

- Making ransom calls using Voice Cloning

- Malware that can target key personnel within the organization

- The ability to decipher financial data and demand ransom amounts accordingly

AI-driven systems learn from experiences and AI will empowers organizations, enterprises in future and still doing to enhance their cybersecurity posture and reduce the likelihood of breaches, identify potential risks by acting independently.

Sources:

https://www.scworld.com/brief/orange-group-hack-confirmed-following-leak-by-hellcat-ransomware-member

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Convergence of IT & OT in Manufacturing witness Increased Cyber Attacks

Increasing cyberattacks on Industry 4.0

Scalability in Quantum Computing with ‘Majorana 1’ by Microsoft

Majorana1 is Microsoft’s first quantum processor

CTI & SOC Team’s Compliment Holistic Threat Hunting

SOC & CTI Compliment each other in threat Hunting

AI Reshaping Roadmap for Cyber security

Can Gen AI Transform Organizations Cyber Posture

Users of WhatsApp Exposed to Sophisticated Spyware Attack

The recent Spyware attack on WhatsApp users is linked to Israeli surveillance firm Paragon Solutions that targets journalists, activists, and civil society members using sophisticated “zero-click” hacking methods that require no user interaction.

Attack Confirmed By Meta

Meta, the parent company of WhatsApp, has officially acknowledged the attack, stating that the messaging platform was compromised by hackers deploying spyware. Following multiple reports of breaches, Meta informed Italy’s National Cybersecurity Agency, confirming that about 90 users across 24 countries were targeted.

The spyware attack came to light when Luca Casarini, a migrant rescue activist and co-founder of Mediterranea Saving Humans, and investigative journalist Francesco Cancellato, received an alert from WhatsApp, notifying their device had been infiltrated by spyware.

What is Spyware and what makes Spyware attack special?

Spyware is one of the most commonly used cyberattack methods used by hackers and makes it difficult to trace and identify by users and does some serious harm to networks. These data are used to track, steal, and sell user data, such as internet usage, credit card, and bank account details, or steal user credentials to spoof their identities.

As per Fortinet, Spyware is malicious software that enters a user’s computer, gathers data from the device and user, and sends it to third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to access and damage a device without the user’s consent.

How Zero-Click Hacking affect our Online Digital device

The Zero click hacking techniques was stunning for users which is not traceable

Unlike any other phishing attacks that require users to click on malicious links. In this method attackers infect a device without any action from the user. Such advanced tactics enable surveillance on a large scale, posing severe risks to privacy and security worldwide.

The revelation has reignited global concerns over digital espionage and unauthorized surveillance. Cybersecurity experts warn that the attack on WhatsApp underscores the vulnerabilities present in even the most widely used communication platforms. As investigations continue, users are urged to update their software regularly and remain vigilant against potential cyber threats.

Mobile spyware typically attacks mobile devices through three methods:

Flaws in operating systems: Attackers can exploit flaws in mobile operating systems that are typically opened up by holes in updates.
Malicious applications: These typically lurk within legitimate applications that users download from websites rather than app stores.
Unsecured free Wi-Fi networks: Wi-Fi networks in public places like airports and cafes are often free and simple to sign in to, which makes them a serious security risk. Attackers can use these networks to spy on what connected users are doing.

Significant Cyber threat of Spyware

The Spyware attack left users fall prey to online digital attack and question on govt. surveillance which was taken seriously by Italy.Over the years Spyware infected millions of devices, stealing sensitive information.

Some of the most devastating spyware cases helps us understand how serious this threat can be.

Pegasus — Spyware Behind Global Surveillance Scandals

Pegasus — developed by Israeli tech firm NSO Group — is the most high-profile spyware ever created. While it was originally marketed as a tool for governments to combat terrorism and criminal activities, it has become infamous for its misuse.

Reports have revealed that Pegasus has been used to monitor journalists, activists, and political figures, raising serious concerns about privacy and human rights violations. Its ability to infect devices without any user interaction makes it especially dangerous and difficult to detect.

FinSpy (FinFisher) — Government Tool for Full Device Control

FinSpy, also known as FinFisher, is a spyware tool developed by Gamma Group, a company based in Germany. Initially marketed to governments and law enforcement agencies as a way to combat crime and terrorism, FinSpy has been linked to unauthorized surveillance and there is concern about its use by oppressive regimes. The spyware is capable of targeting multiple platforms, including Windows, macOS, and Linux, making it versatile and difficult to escape.

GravityRAT — Cross-Border Espionage Targeting India

GravityRAT spyware was initially designed to target individuals in India. It’s believed to be linked to cyber espionage efforts originating from Pakistan. Its primary goal is to steal sensitive information, including files, contact lists, and user data.

GravityRAT typically spreads through phishing emails that trick users into downloading malicious attachments. Once the victim opens the file, the spyware silently installs itself, granting attackers control over the infected device.

DarkHotel — Targeting Business Travelers Through Hotel Wi-Fi

DarkHotel is a sophisticated spyware campaign that’s been active for over a decade, primarily targeting business travelers staying in luxury hotels. Discovered in 2007, this Advanced Persistent Threat (APT) has affected high-profile executives, government officials, and corporate leaders. The attackers aim to steal sensitive business information, like trade secrets and confidential documents, while victims are connected to hotel Wi-Fi networks.

Agent Tesla — Password and Keystroke Thief for Hire

Agent Tesla is technically classified as a Remote Access Trojan (RAT) and keylogger, though it has spyware-like functionalities. First discovered in 2014, Agent Tesla has gained notoriety for its ability to steal sensitive information, such as login credentials, keystrokes, and clipboard data. It can also take screenshots and extract information from email clients, web browsers, and other applications, making it a powerful tool for cybercriminals.

The Baltic Sea Ship Accident & not Sabotage; Highlights Ship Downtime Issues

Recently the undersea Fibre optic cable between Latvia and Sweden was damaged and reports said it was result of external influence which prompted NATO to deploy patrol ships to the area and triggering a sabotage investigation by Swedish authorities. Also the cargo ship Vezhen was seized as part of the probe by Sweden’s Security Service.

The incident took place on Jan. 26 and was one of several in recent months, triggered a hunt for vessels suspected of involvement.

The prosecutor said the Vezhen’s anchor severed the cable but that the incident was related to a combination of bad weather, equipment deficiencies and poor seamanship. Images shared by Swedish media showed that the ship appeared to have a damaged anchor.

The cable belongs to Latvia’s state broadcaster, LVRTC, which said in a statement there had been “disruptions in data transmission services”, but that end users would be mostly unaffected.

A second vessel, the Silver Dania, a Norwegian cargo ship with an all-Russian crew, was seized in Norway at the request of Latvian authorities but was cleared of wrongdoing and released. Baltic Sea region is on high alert after a string of power cable, telecom link, and gas pipeline outages since Russia invaded Ukraine in 2022.

We cannot deny the scope of Hybrid attack in the Baltic region that targeted critical undersea infrastructure (CUI), particularly fiber-optic cables, in the Baltic and Arctic regions since 2021. Mostly the prime suspect was Russia, but in this case the Vezhen ship was suspected to have incurred an accident and not sabotage, a Swedish prosecutor said on Monday, adding that the Maltese-flagged vessel had been released.

Ship downtime a major issue the marine industry faces

What is ship downtime and how does it affect?

Any breakdown in service during operation or runtime amounts to downtime in maritime industry.

Sometimes downtimes are unpredictable and unplanned which makes it harder as it incurs expenses to deal with. Repairs, emergency parts, and dry-docking fees can add up fast.

Importance of Data analytics:

This is where predictive maintenance and data analytics come into picture making it possible to provide an overview on what is pending task regarding maintenance of ship or other issues that needs immediate inspection. This can also be cyber security related issue or hybrid attacks targeting critical undersea infrastructure (CUI), particularly fiber-optic cables, have surged in the Baltic and Arctic regions.

The Baltic sea ship broke down due to combination of bad weather and and deficiencies in equipment and seamanship contributed to the cable break,” as per reports by investigators

Whether it’s an engine breakdown, a port delay, or a sudden maintenance issue, every hour of downtime costs money. And there are times when this hurts the most because you don’t see it coming and affecting profitability, delivery and supply chain disruptions.

Crew Issues – Fatigue-related mistakes or medical emergencies that delay voyages.

Mechanical Failures – Think engine breakdowns, generator issues, and propulsion failures.

Electrical Problems – A failed control system or communication outage.

Other problems falls under planned downtime

Routine Maintenance – Regular engine inspections, oil changes, and system checks.
Mandatory Surveys – Required ship inspections and certifications from regulatory authorities (like IMO).
Retrofits & Upgrades – Adding fuel-saving devices, ballast water treatment systems, or new tech.

Rise of Hybrid Attack on undersea cables in Baltic Sea and artic region

Since 2021 Russian hybrid attacks targeting critical undersea infrastructure (CUI), particularly fiber-optic cables, have surged in the Baltic and Arctic regions since 2021 causing disruptions threatening essential communication channels, exposing vulnerabilities of Northern Europe’s infrastructure.

More incidents were noticed in 2023 and 2024 involving Chinese vessels damaging Baltic subsea cables raise concerns over possible Russian-Chinese hybrid warfare collaboration despite no direct evidence confirming this, complicating Western deterrence efforts. (https://jamestown.org/program/hybrid-attacks-rise-on-undersea-cables-in-baltic-and-arctic-regions/)

Financial Implications

Any disruption of events that causes downtime in shipping such as piracy, bad weather and accidents blocking major shipping lanes causes major financial losses on global economy. Attacks such as cyber-attacks are growing with each passing day and quite predominant on risk landscape like the maritime industry, forcing organizations account of in its operations and work on legacy technologies replacing them with advanced technology systems to counter any attacks or sabotage or foul play.

Companies that have proven their ability to manage these risks and remain agile for recovery are more likely to secure favorable finance options.

Innovations in Maritime industry

Maritime transport is seen key player in global trade and the intricacies of networks of shipping
routes, ports, forced globalization to strengthened their operation strategies for the world economy to grow surpassing numerous challenges. Innovations is high on demand for safety systems form part of the ongoing development where digital based systems are part of ships in current scenario. E.g. the Intelligent awareness (IA) systems will be nex- gen of digital technologies to provide safety net for smooth operation of ships on transit that include utilizing sensors, high-resolution displays, and intelligent software.

Maritime chokepoints are critical points in shipping routes.as they facilitate substantial trade volumes and connect the world. Due to disruptions and very limited routes that are valid for ship passages there are negative impacts on supply chains, leading to systemic consequences, affecting food security, energy supply and whole of the global economy.

Sources: https://www.reuters.com/world/europe/baltic-undersea-cable-damaged-by-external-influence-sunday-latvian-broadcaster-2025-01-26/

www.shipuniverse.com

Complexities Compounding in Cyber Landscape; WEF Global Cybersecurity Outlook 2025 Analysis

WEF Global Cybersecurity Outlook 2025

New Regulations & Directives to Boost Cyber Defense; DORA & NIS2

DORA & NIS2
EU Regulations to Strengthen Cyber defense

Codefinger Ransomware attack encrypts Amazon S3 buckets

Ransomware crew dubbed Codefinger targets AWS S3 buckets
Sets data-destruct timer for 7 days
Threat actors demand for Ransom payment made for the symmetric AES-256 keys required to decrypt it

Amazon S3 buckets encrypted using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) and somehow the threat actors knew details of the keys. And this made them demand ransoms to demand the decryption key.

The campaign was discovered by Halcyon , and according to them the threat actors after exploiting the compromised keys, they called the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate to lock up the victims’ files. There is great chance that more cyber criminal groups can adopt the tactic and use.

The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.

In recent month hackers and cyber criminal have gained traction In recent months and have begun targeting their product gateways and find ways to extort customers using it.

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys says Halcyon team.

Ransomware capabilities gain new tactics where the threat actor first obtains an AWS customer’s account credentials and there is no know method that data can be recovered without paying the ransom.

As per AWS they encourage customers to utilize their security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve defense postures.