A ransomware group known as RansomHouse appears to have been responsible for an attack on Cell C that compromised the data of some of its customers, TechCentral has established.
The mobile operator said on Wednesday that it had been impacted by a “cybersecurity incident” that affected “parts” of its IT environment – and that some customer data had been exposed.
Cell C provided little information about the incident, except to say that its preliminary findings from an ongoing investigation suggested that “data related to a limited number of individuals may have been accessed by an unauthorised party”.
It did not say how many customers had been impacted, what data types were involved or even when the incident occurred.
However, cybersecurity and telecommunications research firm TFI, which has investigated the incident using available public information – including data on the dark web – determined that Cell C was likely the victim of an attack by RansomHouse. It found that about 2TB of data was “stolen” by the attackers.
According to SentinelOne, an information security specialist, RansomHouse emerged in March 2022 and is categorised as a “multi-pronged extortion threat”.
“The attackers exfiltrate all attractive data and threaten to post all of it publicly,” according to SentinelOne, which added that the group is “observed to accept payment in bitcoin only”.
Phishing attacks
According to TFI’s research – shared exclusively with TechCentral – the incident at Cell C appeared to follow a number of phishing attacks in 2023 that culminated in a ransomware demand in April 2024.
“It appears the ransom was either ignored or a decision was made by Cell C not to engage with the bad actor, which led to the public release of exfiltrated data on 28 December 2024,” it said.
Its findings suggested the following:
- The initial vector of attack involved sophisticated phishing e-mails throughout 2023 that allowed unauthorised parties to acquire the credentials of Cell C employees.
- Subsequent evidence from the logs substantiates that the phishing campaign directly facilitated further infiltration.
- On 11 April 2024, the attackers issued a ransom demand after exfiltrating sensitive data.
- Cell C opted not to meet the ransom requirement or ignored the demand.
- The attackers responded on 28 December 2024 by publishing stolen information on the dark web.
- The exposed data contained credentials for a range of systems, including both internal services and external portals, which appear from logs on the dark web to include Cell C’s fibre-to-the-home (FTTH) customer operations.
An analysis by TFI of the compromised information posted to the dark web suggests the access to Cell C’s systems may have allowed the perpetrators to manipulate critical systems associated with FTTH ordering and provisioning to end-user customers.
“The impact on FTTH customers is of concern as attackers with unauthorised access to portals such as MetroFibre, Openserve and Vumatel (all fibre network operators) could potentially acquire personal information, manipulate service orders and compromise billing records,” according to TFI’s findings.
Cell C, in an e-mailed reply to questions from TechCentral, refuted several of these findings, but emphasised that its investigation is ongoing.
“We can confirm that the threat actors involved in this incident have identified themselves as RansomHouse,” the company said. “However, we have no additional verified information regarding their identity at present. Our forensic specialists are continuing their work to gather further details as part of the investigation.”
Cell C said, however, that it has “no evidence” to support the assertion that its systems were first compromised in 2023 through phishing e-mails or that the attackers used information gleaned through phishing attacks to access its corporate systems.
It also said there is no evidence to support a claim that a ransomware attack took place in April 2024 as a result of the alleged phishing attacks in the previous year.
It said it could find no evidence of a ransom being demanded in or around April 2024. – © 2025 NewsCentral Media