Cyber Incident Victim: Zurcal
Date:
Feb 2023
Location:
Spain
Summary
Stormous ransomware targeted an energy efficiency firm, Zurcal, claiming responsibility for a cyberattack and posting proof such as invoices, plans, and a tax identification number on their Telegram channel. The attackers issued a one-week response deadline, but the victim has not publicly acknowledged the incident, responded to inquiries, or confirmed any data compromise.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Zurcal incident emerged publicly on February 24, 2023, when the Stormous ransomware group claimed responsibility for an attack against Zurcal—a company operating in the energy efficiency and energy-saving sector—via their Telegram channel. Stormous posted undated images of compromised documents, including invoices and technical plans, to substantiate their claim. They issued a one-week deadline for Zurcal to respond to their demands, though the nature of these demands was not explicitly detailed in the leak post. In a follow-up communication, Stormous supplemented their initial claim with additional evidence, including one image displaying a Spanish tax identification number (NIF), suggesting the unauthorized acquisition of sensitive organizational or client data. Zurcal did not acknowledge the incident through official statements on its website or social media channels following Stormous’s announcements. The company also did not respond to private inquiries from DataBreaches seeking clarification on the breach, leaving the operational scope, data exfiltration volume, and initial attack vectors unconfirmed.
The lack of public disclosure by Zurcal left stakeholders, including clients and partners, without formal guidance on potential risks stemming from the exposure of invoices, technical plans, and tax identifiers. The incident impacted public transparency, as Stormous’s unilateral communications remained the sole source of information regarding compromised data. The release of the NIF introduced potential legal and regulatory exposure under data protection frameworks governing personally identifiable information (PII) in Spain, though no breach notifications or regulatory filings by Zurcal were documented in the source material. While financial losses, service disruptions, or data recovery efforts were not cited in Stormous’s posts or third-party reporting, the group’s aggressive publication of internal documents signaled reputational harm and a loss of control over proprietary information. Neither mitigation actions—such as system containment or data restoration—nor cooperation with law enforcement agencies were referenced, as Zurcal maintained silence throughout the reporting period.