RansomHouse, the threat actor that claimed responsible for a ransomware attack on mobile operator Cell C, has “unlawfully disclosed” data stolen in the incident.
Cell C said in a statement on Wednesday that it “deeply regrets this development” and the “concern it may cause among our employees, customers, partners and stakeholders at large”. It didn’t immediately say what data has been leaked.
The company first disclosed on 8 January 2025 that it had been hit by a “cybersecurity incident” and that some customer data had been exposed.
“Initial findings from our ongoing investigation suggests that data related to a limited number of individuals may have been accessed by an unauthorised party,” it said in a statement about the incident.
Two days later, on 10 January 2025, TechCentral reported that RansomHouse, a ransomware group, had claimed responsibility for the cyberattack on Cell C.
Cybersecurity and telecommunications research company TFI, which investigated the incident using available public information – including data on the dark web – determined that Cell C was likely the victim of an attack by RansomHouse, something later confirmed by the telecoms company. It found that about 2TB of data was “stolen” by the attackers.
According to SentinelOne, an information security specialist, RansomHouse emerged in March 2022 and is categorised as a “multi-pronged extortion threat”.
Vector of attack
“The attackers exfiltrate all enticing data and threaten to post it all publicly,” according to SentinelOne, which added that the group is “observed to accept payment in bitcoin only”.
According to TFI’s research – shared exclusively with TechCentral in January – the incident at Cell C appeared to follow several phishing attacks in 2023 that culminated in a ransomware demand in April 2024.
“It appears the ransom was either ignored or a decision was made by Cell C not to engage with the bad actor, which led to the public release of exfiltrated data on 28 December 2024,” it said.
Read: Ransomware attacks: how South African companies should respond
Its finding suggested the following:
- The initial vector of attack involved sophisticated phishing e-mails throughout 2023 that allowed unauthorised parties to acquire the credentials of Cell C employees.
- Subsequent evidence from the logs substantiates that the phishing campaign directly facilitated further infiltration.
- On 11 April 2024, the attackers issued a ransom demand after exfiltrating sensitive data.
- Cell C opted not to meet the ransom requirement or ignored the demand.
- The attackers responded on 28 December 2024 by publishing stolen information on the dark web.
The exposed data contained credentials for a wide range of systems, including both internal services and external portals, which appear from logs on the dark web to include Cell C’s fibre-to-the-home (FTTH) customer operations.
An analysis by TFI of the compromised information posted to the dark web suggests the access to Cell C’s systems may have allowed the perpetrators to manipulate critical systems associated with FTTH ordering and provisioning to end-user customers.
Cell C said, however, said at the time that it had “no evidence” to support the assertion that its systems were first compromised in 2023 through phishing e-mails or that the attackers used information gleaned through phishing attacks to access its corporate systems.
It also said there was no evidence to support a claim that a ransomware attack took place in April 2024 because of the alleged phishing attacks in the previous year. It said it could find no evidence of a ransom being demanded in or around April 2024.
In its update on Wednesday, Cell C said it has “taken decisive steps to contain the threat, further secure its systems and mitigate impact”. These include:
- Engaging leading international cybersecurity and forensic experts to support containment and response.
- Notifying and cooperating with the Information Regulator and relevant authorities.
- Communicating with affected stakeholders to provide findings and guidance.
‘Anxiety’
“Cell C has engaged its experts to monitor potential misuse of the data and urges all stakeholders to remain vigilant against fraud, phishing and identity theft,” it said.
“We understand the anxiety this may cause and encourage stakeholders to apply for Protective Registration with the South African Fraud Prevention Services, a free service that alerts credit providers to take extra care when verifying your identity, helping to protect against potentially fraudulent activity.
“We continue to work closely with relevant authorities and security specialists to monitor for any further developments and to reinforce the integrity of our systems,” Cell C said. – © 2025 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.