Date: Feb 2025

Location: Spain

Summary

The Confederación Sindical de Comisiones Obreras experienced a significant cyberattack compromising approximately 570 GB of sensitive data across departments including personnel, finance, legal affairs, collective bargaining, and international operations. The intrusion, attributed to the ransomware group Hunters International, exposed nearly 690,000 files; it combined sophisticated encryption techniques with prior data exfiltration to enable double extortion. The attackers likely initiated the breach via targeted phishing campaigns that deploy malware, and the group has a history of targeting critical sectors like healthcare and logistics. This incident followed a prior cyberattack that disrupted the organization's website, though critical systems reportedly remained unaffected during the latest event. The group's operational methods increase pressure on victims by threatening dark web data leaks even if backups exist, potentially impacting both the union's employees and affiliated workers. Response efforts included system remediation, incident investigation, and regulatory breach notifications.


Description

On February 1, 2025, the Confederación Sindical de Comisiones Obreras (CCOO) disclosed a significant cyberattack compromising approximately 570 GB of sensitive organizational data across more than a dozen departments. The breach exposed roughly 690,000 files containing information from critical operational areas, including human resources, finance, legal affairs, collective bargaining, industrial policy and strategy, international relations, equality initiatives, data protection, and agricultural sectors. Hunters International, a cybercriminal group suspected to operate from Nigeria, claimed responsibility for the intrusion. The attackers had publicly announced their intent to target the union one week prior to executing the breach, following a pattern of deploying ransomware coupled with data exfiltration tactics. According to cybersecurity analyses from the Basque Cyber Zaintza agency, Hunters International employs sophisticated multi-algorithm encryption systems and systematically steals data before encrypting victims' networks. This dual approach enables continued extortion through threats to leak or sell stolen information on the dark web, even if organizations restore systems from backups.


The attack disrupted operations for CCOO's approximately 700 employees and posed risks to unionized workers whose data might have been compromised. This incident followed a previous November 2023 cyberattack that temporarily disabled CCOO's website. On February 26, 2025, CCOO activated its cybersecurity incident response teams to contain the breach, initiating system cleansing procedures and forensic investigations to determine the full scope of the impact. The union confirmed no critical systems were compromised and maintained normal IT operations throughout the response. As a precautionary measure, CCOO notified relevant authorities of the data breach in compliance with regulatory obligations, reserving the right to provide additional updates as investigations progressed. Cyber Zaintza's threat intelligence reports linked Hunters International to targeted phishing campaigns that deliver malware as an initial access vector, noting the group's expanding global focus on healthcare, education, logistics, and other critical infrastructure sectors to maximize extortion leverage. The agency emphasized the group's operational sophistication in adapting attack methodologies to bypass conventional security defenses.
