Cyber Incident Victim: Orange SA
Date: Jul 2020
Location: France
Summary
Orange experienced a ransomware attack targeting its Business Services division, compromising data from approximately twenty enterprise customers. The Nefilim ransomware group breached the 'Le Forfait Informatique' platform, stealing and subsequently leaking sensitive information including emails and proprietary documents such as aircraft schematics from client ATR. The telecommunications company confirmed the incident, initiated security measures, and notified affected customers. This breach underscores the increasing trend of ransomware operators exfiltrating unencrypted files to coerce payments, effectively transforming such attacks into data breaches.
Description
On the night of July 4, 2020, extending into July 5, Orange detected a ransomware attack targeting its Orange Business Services division, specifically the 'Le Forfait Informatique' platform. This platform provided enterprise customers with cloud-hosted virtual workstations and outsourced IT support services. The attackers, identified as operators of the Nefilim ransomware, breached Orange’s systems and subsequently accessed data belonging to twenty Pro/SME customers. On July 15, 2020, Nefilim operators publicly listed Orange on their data leak site, claiming responsibility for the intrusion and publishing a 339MB archive titled 'Orange_leak_part1.rar'. Analysis by researchers linked to the Ransom Leaks Twitter account revealed the archive contained emails, airplane schematics, and files from ATR Aircraft, a French manufacturer, suggesting ATR was among the affected customers. Orange confirmed the attack compromised only the 'Le Forfait Informatique' platform, with no other services impacted, and stated affected customers had been notified. The company mobilized security teams immediately upon detection to investigate the attack’s origin and implement measures to secure their systems.

The incident exposed sensitive business data, though Orange did not disclose specific details beyond confirming the compromise of twenty enterprise customers. ATR Aircraft, whose data appeared in the leaked archive, denied experiencing a direct ransomware attack but did not clarify its connection to the Orange breach. Orange issued a public statement acknowledging the attack, apologizing for disruptions, and emphasizing ongoing monitoring and investigation. The attackers leveraged stolen unencrypted files as part of their ransomware operation, reflecting a broader trend where data theft precedes encryption to pressure victims into paying ransoms. While Orange’s transparency in notifying customers was noted, the breach underscored risks to employees and clients of affected enterprises whose personal or proprietary information could be disseminated. The company’s response focused on containment and customer communication, with no mention of ransom payments or further operational disruptions beyond the initial data exposure.
