Date: Jul 2021

Location: Ecuador

Summary

The state-run telecommunications company in Ecuador suffered a ransomware attack by the RansomEXX group, disrupting customer support, payment systems, and business operations. While the organization asserted that corporate and client data remained secure, the attackers claimed possession of 190 GB of stolen information, including contracts and support logs, threatening public release unless a ransom was paid. The incident involved unauthorized network access leading to data exfiltration and system encryption, consistent with the group's history of targeting large entities through methods like compromised credentials or brute-force attacks.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Threat Actor Type: Available to members
Threat Actor Location: Available to members

Description

On or around July 15-16, 2021, Ecuador's state-owned telecommunications provider Corporación Nacional de Telecomunicaciones (CNT) suffered a ransomware attack that disrupted business operations, online payment systems, and customer support channels. On July 16, 2021, the company's website displayed an alert confirming the cyberattack and stating that CNT had filed a criminal complaint with Ecuador's State Attorney General's Office for the "crime of attack on computer systems." CNT assured customers that calls, internet, and television continued operating normally despite the disruption to its Integrated Service Centers and Contact Center operations. The company explicitly stated that no customer services would be suspended for non-payment during the incident and claimed that both corporate and customer data remained protected.


The ransomware group RansomEXX claimed responsibility for the attack and, on a non-public leak page rather than in a public post, threatened to release 190 GB of stolen data unless CNT paid a ransom. Security researcher Germán Fernández gave BleepingComputer access to that leak page, which contained screenshots of allegedly stolen documents including contact lists, contracts, and support logs, contradicting CNT's assertion that its data was secure.

RansomEXX's known tradecraft is to gain initial network access through purchased credentials, brute-forced RDP servers, or exploits; escalate to administrative access; move laterally; exfiltrate data; and only then deploy the ransomware. The group has also used a Linux variant of its encryptor against critical servers and virtual machines. The CNT attack fit the group's pattern of high-profile targets, which previously included Brazil's government networks, the Texas Department of Transportation, and Konica Minolta.

Beyond its initial statement, CNT did not publicly confirm ransomware involvement or disclose any ransom negotiations, containment measures, or recovery actions. The incident caused sustained disruption to customer-facing operations and exposed a gap between the company's claim that data was protected and the threat actor's demonstrated access to internal documents.
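The description above names brute-forced RDP servers as one of RansomEXX's initial-access methods. The detector below is an added illustration of how that pattern shows up in Windows Security logs; it is not code from the incident report, from CNT, or from the threat actor. The log lines are constructed for the example and use the field names of Windows events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP); the failure threshold and time window are assumed tuning values, not figures from the incident.

```python
"""Detect RDP password-guessing bursts in Windows Security log events.

Added example (not from the incident report). Log lines are constructed
and follow the shape of events 4625/4624; LogonType 10 is RemoteInteractive
(RDP). Threshold and window values are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one fast burst that ends in a successful logon,
# one user mistyping a password once, and one low-and-slow guesser.
SAMPLE_LOG = """\
2021-07-15T02:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-07-15T02:00:09 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2021-07-15T02:00:17 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2021-07-15T02:00:24 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-07-15T02:00:31 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=svc_sql
2021-07-15T02:00:40 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-07-15T02:01:02 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-07-15T08:15:00 EventID=4625 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jdoe
2021-07-15T08:15:20 EventID=4624 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jdoe
2021-07-15T03:00:00 EventID=4625 LogonType=10 IpAddress=192.0.2.9 TargetUserName=administrator
2021-07-15T04:10:00 EventID=4625 LogonType=10 IpAddress=192.0.2.9 TargetUserName=administrator
2021-07-15T05:20:00 EventID=4625 LogonType=10 IpAddress=192.0.2.9 TargetUserName=administrator
2021-07-15T06:30:00 EventID=4625 LogonType=10 IpAddress=192.0.2.9 TargetUserName=administrator
2021-07-15T07:40:00 EventID=4625 LogonType=10 IpAddress=192.0.2.9 TargetUserName=administrator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "ip": m["ip"],
        "user": m["user"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return one alert per source IP whose RDP failures reach `threshold`
    inside any `window_seconds` span; note a success from that IP after the burst."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # an SMB/NTLM (type 3) variant would filter here instead
        if e["event_id"] == FAILED_LOGON:
            failures[e["ip"]].append(e)
        elif e["event_id"] == SUCCESSFUL_LOGON:
            successes[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        # Sliding window over this source's time-ordered failures.
        start, best = 0, None
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best is None:
            continue
        burst = fails[best[0]:best[1] + 1]
        last_ts = burst[-1]["ts"]
        # A successful RDP logon from the same IP after the burst means a
        # password was likely guessed: escalate rather than just log it.
        after = [s for s in successes[ip] if s["ts"] >= last_ts]
        alerts.append({
            "ip": ip,
            "failures": best[2],
            "accounts": sorted({f["user"] for f in burst}),
            "first": burst[0]["ts"].isoformat(),
            "last": last_ts.isoformat(),
            "success_after": after[0]["user"] if after else None,
            "severity": "critical" if after else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the default five-minute window only 203.0.113.7 is flagged, and because a 4624 from the same address follows the burst the alert is marked critical. The 192.0.2.9 guesser spreads its attempts more than an hour apart and is invisible to that window; calling `detect_rdp_bruteforce(SAMPLE_LOG, window_seconds=6 * 3600)` catches it, which is the usual trade-off between a short window that tolerates typos and a long one that catches low-and-slow guessing. RDP that is reachable from the internet at all is the root condition here; the detector is a backstop, not a substitute for removing that exposure.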

Sources

1 source (available to members)