A ransomware group called RansomHouse appears to have been responsible for an attack on Cell C that compromised the data of some of its clients, TechCentral has established.
The mobile operator said on Wednesday that it had been impacted by a “cybersecurity incident” that affected “parts” of its IT environment – and that some customer data had been exposed.
Cell C provided little information about the incident, except to say that its initial findings from an ongoing investigation suggested that “data related to a limited number of individuals may have been accessed by an unauthorised party”.
It did not say how many customers were impacted, what data types were involved or even when the incident happened.
However, cybersecurity and telecommunications research company TFI, which has investigated the incident using available public information – including data on the dark web – determined that Cell C was likely the victim of an attack by RansomHouse. It found that about 2TB of data was “stolen” by the attackers.
According to SentinelOne, an information security specialist, RansomHouse emerged in March 2022 and is categorised as a “multi-pronged extortion threat”.
“The attackers exfiltrate all enticing data and threaten to post it all publicly,” according to SentinelOne, which added that the group is “observed to accept payment in bitcoin only”.
Phishing attacks
According to TFI’s research – shared exclusively with TechCentral – the incident at Cell C appeared to follow several phishing attacks in 2023 that culminated in a ransomware demand in April 2024.
“It appears the ransom was either ignored or a decision was made by Cell C not to engage with the bad actor, which led to the public release of exfiltrated data on 28 December 2024,” it said.
Its finding suggested the following:
- The initial vector of attack involved sophisticated phishing e-mails throughout 2023 that allowed unauthorised parties to acquire the credentials of Cell C employees.
- Subsequent evidence from the logs substantiates that the phishing campaign directly facilitated further infiltration.
- On 11 April 2024, the attackers issued a ransom demand after exfiltrating sensitive data.
- Cell C opted not to meet the ransom requirement or ignored the demand.
- The attackers responded on 28 December 2024 by publishing stolen information on the dark web.
- The exposed data contained credentials for a wide range of systems, including both internal services and external portals, which appear from logs on the dark web to include Cell C’s fibre-to-the-home (FTTH) customer operations.
An analysis by TFI of the compromised information posted to the dark web suggests the access to Cell C’s systems may have allowed the perpetrators to manipulate critical systems associated with FTTH ordering and provisioning to end-user customers.
Read: Ruthless ransomware gangs bleeding small companies dry
“The impact on FTTH customers is of concern as attackers with unauthorised access to portals such as MetroFibre, Openserve and Vumatel (all fibre network operators) could potentially acquire personal information, manipulate service orders and compromise billing records,” according to TFI’s findings. TechCentral has asked all three fibre providers for their comment.
Cell C, in e-mailed reply to questions from TechCentral, refuted several of TFI’s findings, but emphasised that its investigation is ongoing.
“We can confirm that the threat actors involved in this incident have identified themselves as RansomHouse,” the company said. “However, we have no additional verified information regarding their identity currently. Our forensic experts are continuing their work to gather further details as part of the investigation.”
Cell C said, however, that is has “no evidence” to support the assertion that its systems were first compromised in 2023 through phishing e-mails or that the attackers used information gleaned through phishing attacks to access its corporate systems.
Read: How much South African firms pay ransomware gangs
It also said there is no evidence to support a claim that a ransomware attack took place in April 2024 because of the alleged phishing attacks in the previous year.
It said it can find no evidence of a ransom being demanded in or around April 2024. – © 2025 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.