The Babuk ransomware group has claimed responsibility for a significant intrusion at French telecommunications giant Orange, posting a 6.44GB data sample that researchers at Cybernews have reviewed and assessed as potentially credible. The leaked archive contains thousands of internal documents, employee identifiers, and references to sensitive customer information spanning Orange operations.
What Happened
Babuk, a cybercrime ring known for targeting major enterprises, published claims of a massive breach affecting Orange and supplied a 6.44GB sample as proof. Cybernews researchers who examined the archive concluded the threat actor's claims appear credible based on the structure, depth, and specificity of the contents. The sample includes thousands of internal Orange documents, project tracking artifacts, and personal data of employees and partners. While Orange has not publicly confirmed the breach, the volume and granularity of the leaked material, including references to internal Jira project structures tied to the Orange.ro domain, increase the likelihood the data is genuine.
"The leaked data presents serious risks to both employees and the organization, exposing sensitive personal and corporate information that could lead to identity theft, targeted attacks, and further exploitation by malicious actors," said Neringa Macijauskaitė, Information Security Researcher at Cybernews.
What Was Taken
The 6.44GB sample contains two primary folder structures of concern. An "issues" folder includes 235 files detailing tasks tied to system configuration, monitoring setup, user management, and feature development, exposing operational tradecraft and infrastructure context. A "Files" folder holds approximately 8,600 internal documents whose filenames suggest customer conversations, financial records including balances, invoices, conversion rates, and additional employee and client information.
Employee data in the leak includes names, usernames, email addresses, and time zones, along with references to Jira projects tied to Orange.ro. A separate file labeled "pii_extracted" contains email addresses from the orange.com, tremend.com/ro, and publicissapien.com domains alongside phone numbers, indicating the breach footprint extends to Orange's contractors and partner organizations.
Why It Matters
Orange is one of Europe's largest telecommunications operators, and a breach of internal project management systems represents a significant intelligence loss. Jira projects routinely hold bug reports, infrastructure descriptions, and architectural details, and, despite policy, engineers often paste credentials, tokens, and connection strings into ticket comments and attachments; all of this can be weaponized for follow-on attacks. The presence of partner-domain email addresses (tremend.com/ro, publicissapien.com) raises supply chain concerns: contractors with access to Orange systems are now prime targets for spear-phishing and account takeover attempts.
Telecom providers occupy a uniquely sensitive position in critical infrastructure, holding subscriber metadata, billing information, and routing intelligence. Even partial exposure of internal documentation gives ransomware affiliates and nation-state actors a roadmap for deeper intrusions, including SS7-adjacent abuse, SIM swap fraud campaigns, and lawful intercept reconnaissance.
The Attack Technique
Babuk has not publicly disclosed the initial access vector, and Orange has not issued a confirmation or technical detail. The compromise of Jira project content suggests the attacker either obtained valid credentials to a project management instance or pivoted from a developer or contractor workstation. Historically, Babuk-affiliated actors and successor groups have leveraged exposed VPN portals, stolen credentials sold on initial access broker markets, and exploitation of public-facing applications to gain footholds in enterprise environments.
The exfiltration of structured ticketing data and a curated "pii_extracted" file indicates the attacker spent time inside the environment performing data discovery before staging the leak, consistent with the double-extortion playbook that defines the modern Babuk lineage.
What Organizations Should Do
- Audit external-facing collaboration platforms (Jira, Confluence, GitLab) for exposed instances, weak authentication, and stale accounts; enforce SSO and phishing-resistant MFA.
- Rotate credentials and API tokens stored in or referenced by ticket systems, and scan ticket bodies and attachments for embedded secrets.
- Treat contractor and partner email domains as high-risk for the next 60-90 days; deploy enhanced phishing detection and warn staff to scrutinize any correspondence claiming to come from orange.com or from the partner domains named in the leak, since the attacker now has real names, usernames, and project context to make lures convincing.
- Hunt for indicators of unauthorized access to internal documentation repositories, focusing on bulk download patterns and anomalous service account activity.
- Validate that incident response runbooks address exfiltration of structured project data, not just file shares and databases.
- For Orange customers and partners: monitor for targeted social engineering referencing real internal project names or ticket IDs, which would indicate adversary use of the leaked context.
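The two recommendations above that translate directly into tooling are scanning ticket content for embedded secrets and hunting bulk-download patterns in collaboration-platform logs. The following is an added example (not code from the article, Cybernews, or Orange) that does both over constructed sample data: the issue records follow the field layout of a Jira Cloud REST `search` response, the audit log format and the `svc-` service-account naming are assumptions, and the secret patterns and the 10-minute/5-event threshold are illustrative starting points rather than tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two issues in the shape of a Jira Cloud REST "search" response,
# trimmed to summary, description and comments. Credentials here are dummy values.
SAMPLE_ISSUES = [
    {"key": "OPS-118", "fields": {
        "summary": "Rotate monitoring exporter creds",
        "description": "Old prometheus exporter password: Pr0m-Exp0rter!2024",
        "comment": {"comments": [
            {"author": {"name": "jdoe"},
             "body": "Temporary AWS key for the migration: AKIAIOSFODNN7EXAMPLE "
                     "/ wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}]}}},
    {"key": "OPS-119", "fields": {
        "summary": "Add Grafana dashboard for SIP trunk",
        "description": "Dashboard JSON attached, no secrets here.",
        "comment": {"comments": [
            {"author": {"name": "asmith"},
             "body": "Use the shared token https://grafana.example.internal/"
                     "?token=glsa_AbCdEfGhIjKlMnOpQrStUvWxYz012345_0a1b2c3d"}]}}},
]

# Illustrative detectors: AWS key pair, Grafana service-account token, "password: ..." assignments.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "grafana_service_account_token": re.compile(r"\bglsa_[A-Za-z0-9]{32}_[0-9a-f]{8}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}


def find_secrets_in_issues(issues):
    """Scan summary, description and every comment; return (issue key, field,
    secret kind, redacted preview) so the rotation list never re-leaks the value."""
    findings = []
    for issue in issues:
        f = issue["fields"]
        texts = [("summary", f.get("summary") or ""), ("description", f.get("description") or "")]
        for c in f.get("comment", {}).get("comments", []):
            texts.append((f"comment:{c['author']['name']}", c.get("body") or ""))
        for field, text in texts:
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(text):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append((issue["key"], field, kind, f"{secret[:4]}...{len(secret)}"))
    return findings


# Constructed audit log (assumed format): "<ISO timestamp> <actor> <action> <object>".
# A nightly sync account exporting one project at a time is normal; a human account
# pulling eight attachments in under three minutes at 03:00 is the pattern to hunt.
SAMPLE_AUDIT_LOG = """\
2025-01-14T02:00:01Z svc-jira-sync EXPORT_ISSUES OPS
2025-01-14T02:00:03Z svc-jira-sync EXPORT_ISSUES NET
2025-01-14T02:00:05Z svc-jira-sync EXPORT_ISSUES BSS
2025-01-14T03:00:05Z jdoe ATTACHMENT_DOWNLOAD OPS-101/invoices_q3.xlsx
2025-01-14T03:00:21Z jdoe ATTACHMENT_DOWNLOAD OPS-102/balances.csv
2025-01-14T03:00:44Z jdoe ATTACHMENT_DOWNLOAD OPS-104/vendor_rates.xlsx
2025-01-14T03:01:02Z jdoe ATTACHMENT_DOWNLOAD OPS-107/contract_draft.docx
2025-01-14T03:01:19Z jdoe ATTACHMENT_DOWNLOAD OPS-110/network_diagram.vsdx
2025-01-14T03:01:58Z jdoe ATTACHMENT_DOWNLOAD OPS-112/user_list.csv
2025-01-14T03:02:17Z jdoe ATTACHMENT_DOWNLOAD OPS-115/ldap_config.txt
2025-01-14T03:02:40Z jdoe ATTACHMENT_DOWNLOAD OPS-118/exporter_creds.txt
2025-01-14T09:15:00Z asmith VIEW_ISSUE OPS-119
2025-01-14T09:15:08Z asmith ATTACHMENT_DOWNLOAD OPS-119/dashboard.json
2025-01-14T14:30:00Z asmith ATTACHMENT_DOWNLOAD OPS-120/runbook.pdf
"""

BULK_ACTIONS = {"ATTACHMENT_DOWNLOAD", "EXPORT_ISSUES", "EXPORT_PROJECT"}


def flag_bulk_downloads(log_text, window=timedelta(minutes=10), threshold=5):
    """Sliding window per actor: return {actor: peak events in any `window`} for
    actors whose peak exceeds `threshold`. Thresholds are illustrative; baseline them."""
    per_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, _obj = line.split(" ", 3)
        if action in BULK_ACTIONS:
            per_actor[actor].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    for row in find_secrets_in_issues(SAMPLE_ISSUES):
        print("SECRET", *row)
    for actor, n in flag_bulk_downloads(SAMPLE_AUDIT_LOG).items():
        print("BULK", actor, n)
```

Against the sample data the scanner reports four secrets to rotate (one password assignment in a description, an AWS key pair in a comment, a Grafana token in a comment) and the hunter flags only `jdoe`, whose eight downloads sit inside one window, while the sync account's three exports and `asmith`'s two downloads stay under threshold. In production, feed `find_secrets_in_issues` the paginated JSON from the Jira search API and `flag_bulk_downloads` the platform's audit export, and tune the window and threshold from a few weeks of baseline before alerting.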