Orange Business Services hit by Nefilim ransomware operators

Security researchers at Cyble reported that Nefilim ransomware operators allegedly targeted the mobile network operator Orange.

Researchers from Cyble came across a post of Nefilim ransomware operators which were claiming to have stolen sensitive data of Orange S.A., one of the largest mobile networks based in France.

The discovery was made by the experts during their regular Deepweb and Darkweb monitoring activity.

Orange S.A. is a French multinational telecommunications corporation founded in 1988. The telco operator has 266 million customers worldwide and employs 89,000 people in France, and 59,000 abroad. The company is currently the tenth-largest mobile network operator in the world and the fourth largest in Europe.

According to Cyble, the hackers claim to have compromised the Orange Business Solutions, a subsidiary of Orange S.A,. and have published a portion of the sensitive data as proof of the attack.

Orange confirmed to BleepingComputer that the Orange Business Services division was victim of a ransomware attack on the night of Saturday, July 4th, 2020, into July 5th. The gang gained access to twenty Orange Pro/SME customers’ data.

“A cryptovirus-type computer attack was detected by Orange teams during the night of Saturday 04 July to Sunday 05 July 2020. Orange teams were immediately mobilised to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems.” reads a statement issued by Orange.

“According to an initial analysis by security experts, this attack has concerned data hosted on one of our Neocles IT platforms, “Le Forfait Informatique”, and no other service has been affected”. it adds.

“However, this attack seems to have allowed hackers to access the data of around 20 PRO / SME customers hosted on the platform. Affected customers have already been informed by Orange teams and Orange continues to monitor and investigate this breach. Orange apologises for the inconvenience caused”.

Orange’s “Le Forfait Informatique” is a software platform that allows enterprise customers to host virtual workstations in the cloud while Orange Business Services provides IT support for them.

Nefilim ransomware operators leaked a 339MB archive file titled ‘Orange_leak_part1.rar’ that contained data that was allegedly stolen by the hackers.

The Cyble research team analyzed the data leaked by the Nefilim ransomware operators consisting of various sensitive and corporate operational documents of Aero Technique Espace (ATE), a well-established French aircraft painting company that had been acquired by Air works.

The data also includes data sample documents of Avions de transport regional (ATR), a Franco-Italian aircraft manufacturer based in France.

“The leaked documents related to ATE seem to include checklists reports before the presentation of aviation planes, observation of technical faults reports, aviation painting reports, and much more.” reads the post published by Cyble.

“The leaked documents related to ATR seem to include multiple aircraft architecture designs, email conversations, transfer of responsibility documents, and much more.”

Nefilim ransomware operators claim that both ATE and ATR have a business relationship with Orange Business Services.

The ransomware gang is now threatening the company of releasing the stolen data if it will not pay the ransom.

Orange has immediately notified the customers of the security breach.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Nefilim ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]