Information stealer malware allowed threat actors to compromise the credentials of multiple Telefonica employees and access the telecommunication giant’s internal ticketing system.

The data breach came to light last week, after members of the Hellcat ransomware group (which previously claimed the attack on Schneider Electric) boasted on the BreachForums cybercrime forum about stealing customer data, ticket data, and thousands of files from the Spain-based telecom company.

The incident, cybersecurity firm Hudson Rock says, was “facilitated by a combination of infostealer malware and sophisticated social engineering techniques”.

The attackers told Hudson Rock that they used custom infostealer malware to compromise the credentials of more than 15 Telefonica employees and access the company’s Jira platform.

After gaining access to the platform, the attackers reportedly targeted two employees that held administrative privileges, “tricking them into revealing the correct server for brute-forcing SSH access”.

The attackers stole a list containing 24,000 Telefonica employee emails and names, 500,000 summaries of internal Jira issues, and 5,000 internal documents, including internal email communications and various documents.

The stolen information potentially exposes Telefonica employees to phishing and other types of social engineering attacks, and may expose operational details, security weaknesses within the company’s infrastructure, strategic plans, and other sensitive internal details.

According to Hudson Rock, 531 employee computers within Telefonica’s network were infected with infostealers last year, each potentially exposing corporate credentials. Furthermore, it appears that the company did not enforce strong password policies for corporate infrastructure.

“For the URL linked to the initial access, the passwords were even weaker, indicating that it wouldn’t have taken an infostealer infection for hackers to brute force their way in,” the cybersecurity firm says.

In other instances of infostealer infections, Telefonica employees’ credentials for third-party systems such as Fortinet, Office 365, and Salesforce were also compromised.

“These infections provide hackers with the necessary credentials to infiltrate systems and, as demonstrated in this case, can be leveraged to expand access further through sophisticated social engineering tactics. Infostealers serve as a stepping stone for more advanced attacks, making them a significant concern for organizations worldwide,” Hudson Rock notes.

Responding to a SecurityWeek inquiry, Telefonica confirmed the incident, but did not share further information on the potentially compromised information. 

“We have become aware of an unauthorized access to an internal ticketing system which we use at Telefónica. We continue to investigate the extent of the incident but can confirm that Telefónica´s residential customers have not been affected. From the very beginning, we have taken the necessary steps to block any unauthorized access to the system,” Telefonica said.

A multinational telecommunications firm headquartered in Madrid, Spain, Telefonica operates in a dozen countries around the world under multiple brands, including Movistar, O2, Telefonica, Telxius, and Vivo.

Related: Banshee macOS Malware Expands Targeting

Related: Houdini Malware Returns and Amazon’s Sidewalk Enters Corporate Networks

Related: Crimeware Risk Underestimated, Chronicle Finds

Related: Windows App Caught Running on Mac, Installing Malware