HellCat's Jira Exploitation Campaign Claims Another Victim
The HellCat ransomware group has breached Ascom, a Swiss enterprise communications and technology provider, by exploiting Jira credentials harvested through infostealer malware. The group claims to have exfiltrated approximately 44GB of sensitive enterprise data — including source code, project details, contracts, invoices, and confidential documents — from Ascom's technical ticketing infrastructure.
This breach is part of HellCat's broader campaign targeting Atlassian Jira servers worldwide, which has previously claimed victims including Schneider Electric, Telefonica, Orange Group, and Jaguar Land Rover (JLR). The group, which emerged as a Ransomware-as-a-Service (RaaS) operation in Q4 2024, has rapidly established itself as a significant enterprise threat by specializing in a specific and repeatable attack chain: stolen Jira credentials obtained from infostealer infections.
Breach Details
| Attribute | Value |
|---|---|
| Victim | Ascom Holding AG (Swiss enterprise communications) |
| Threat Actor | HellCat (Ransomware-as-a-Service group) |
| Data Exfiltrated | ~44GB |
| Data Types | Source code, project details, contracts, invoices, confidential documents, ticketing system issues |
| Initial Access | Jira credentials harvested via infostealer malware |
| Target System | Atlassian Jira (technical ticketing infrastructure) |
| HellCat Emergence | Q4 2024 |
| Other Notable Victims | Schneider Electric, Telefonica, Orange Group, Jaguar Land Rover |
| Ascom Statement | Ticketing system compromised; no impact on business operations |
How the Attack Worked
Phase 1: Credential Harvesting via Infostealers
HellCat's signature technique begins outside the target organization:
- Infostealer malware (such as Lumma, RedLine, or Raccoon) infects employee personal or corporate devices through phishing, malvertising, or trojanized software
- The infostealer harvests saved credentials from browsers, password managers, and system credential stores
- Among the stolen credentials are Atlassian Jira login details — usernames and passwords for the organization's project management platform
- These credentials are sold on dark web marketplaces or used directly by HellCat operators
Phase 2: Jira Access and Lateral Movement
With valid Jira credentials in hand:
- HellCat operators authenticate to the target's Jira instance — often accessible via the internet
- From within Jira, the attackers gain access to:
  - Source code repositories linked to Jira projects
  - Internal project documentation and technical specifications
  - Contracts, invoices, and financial documents attached to tickets
  - Employee information from ticket assignments and comments
- The attackers escalate privileges where possible, moving from Jira to adjacent systems
- Data exfiltration occurs over an extended period — in Ascom's case, totaling 44GB
Phase 3: Extortion
Following data exfiltration:
- HellCat publicly claims the breach on their leak site and in direct communications
- The group threatens to publish the stolen data unless a ransom is paid
- Victims face pressure from regulatory exposure, competitive intelligence loss, and reputational damage
What Was Stolen
The 44GB of exfiltrated data reportedly includes:
| Data Category | Description |
|---|---|
| Source code | Code for multiple Ascom products |
| Project documentation | Internal project details, specifications, and roadmaps |
| Contracts | Business agreements and partnership documents |
| Invoices | Financial records and billing information |
| Confidential documents | Internal communications and proprietary information |
| Jira tickets | Issue tracker data including technical discussions and attachments |
Impact Assessment
| Impact Area | Description |
|---|---|
| Intellectual property theft | Source code exfiltration exposes proprietary technology and potential vulnerabilities |
| Competitive intelligence | Project roadmaps and contracts reveal strategic business information |
| Supply chain risk | Ascom's enterprise customers may be indirectly exposed through leaked integration details |
| Regulatory exposure | Swiss and EU data protection regulations may apply to exfiltrated personal data |
| Customer confidence | Enterprise clients relying on Ascom's communication solutions face trust concerns |
| Broader Jira campaign | Demonstrates HellCat's repeatable attack chain works at enterprise scale |
HellCat: An Emerging RaaS Threat
HellCat has rapidly grown since its emergence in late 2024, distinguishing itself through a focused attack methodology targeting Atlassian Jira:
| Date | Victim | Data Claimed |
|---|---|---|
| Late 2024 | Schneider Electric | 40GB+ of project data via Jira |
| Early 2025 | Telefonica | Internal ticketing and project data |
| Q1 2025 | Orange Group | Corporate data via Jira credentials |
| Q1 2025 | Jaguar Land Rover (JLR) | Internal documents and source code |
| 2026 | Ascom | 44GB including source code and contracts |
The group's specialization in Jira-focused attacks using infostealer-harvested credentials makes them particularly effective because:
- Jira is ubiquitous in enterprise environments for project management and ticketing
- Credentials harvested by infostealers bypass traditional perimeter defenses
- Jira instances often contain highly sensitive data (source code, architecture docs, customer details)
- Many organizations do not enforce MFA on Jira access, especially for internal-facing instances
Ascom's Response
Ascom has confirmed the breach and released a public statement:
"The hackers compromised our technical ticketing system. The incident had no impact on the company's business operations, and customers and partners do not need to take any preventive action."
The company is working with incident response teams to assess the full scope of the breach and has notified relevant authorities.
Recommendations
For IT Administrators
- Enforce MFA on all Atlassian Jira instances — This is the single most effective defense against credential-based attacks
- Restrict Jira access to VPN or internal networks — Do not expose Jira directly to the internet
- Audit Jira permissions — Apply least-privilege access to projects, repositories, and attachments
- Monitor for credential leaks — Subscribe to breach notification services and scan dark web marketplaces for leaked employee credentials
- Review Jira access logs — Look for unusual login patterns, geographic anomalies, or bulk data access
For Security Teams
- Deploy infostealer detection — Monitor endpoints for known infostealer families (Lumma, RedLine, Raccoon, Vidar)
- Implement credential monitoring — Use services that detect when employee credentials appear on dark web forums
- Audit Jira data classification — Identify and restrict sensitive data (source code, contracts, PII) stored in Jira
- Enable session controls — Implement session timeout and IP-based access restrictions for Jira
- Prepare for HellCat TTPs — The group's Jira-focused attack chain is well-documented and repeatable
- Review third-party integrations — Ensure Jira plugins and integrations do not expose additional attack surface
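The log review the recommendations call for (logins from outside known address ranges, and bulk attachment downloads in a short window), as an added example that is not from the article, Ascom, or Atlassian. The log line shape, the corporate IP prefix, the threshold and the sample lines are constructed assumptions; real Jira or reverse-proxy logs need their own regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log shape: ip user [ISO-time] "METHOD path" status.
# Adapt LINE_RE to your reverse proxy or Jira access log format.
LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3})$')
KNOWN_PREFIXES = ("10.10.",)  # assumed corporate address ranges

# Constructed sample: alice's normal use, then a login from an unknown
# address followed by a burst of attachment fetches within a minute.
SAMPLE_LOG = """\
10.10.5.21 alice [2025-03-10T08:02:11Z] "POST /rest/auth/1/session" 200
10.10.5.21 alice [2025-03-10T08:05:40Z] "GET /secure/attachment/10001/spec.pdf" 200
203.0.113.45 alice [2025-03-11T02:14:09Z] "POST /rest/auth/1/session" 200
203.0.113.45 alice [2025-03-11T02:14:30Z] "GET /secure/attachment/10002/contract.pdf" 200
203.0.113.45 alice [2025-03-11T02:14:41Z] "GET /secure/attachment/10003/invoice.pdf" 200
203.0.113.45 alice [2025-03-11T02:14:52Z] "GET /secure/attachment/10004/src.zip" 200
"""

def parse(text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ip, user, ts, method, path, status = m.groups()
        events.append({"ip": ip, "user": user, "method": method, "path": path,
                       "status": int(status),
                       "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")})
    return events

def unfamiliar_logins(events):
    """Successful session creations from addresses outside KNOWN_PREFIXES."""
    return [(e["user"], e["ip"]) for e in events
            if e["path"].startswith("/rest/auth/") and e["status"] == 200
            and not e["ip"].startswith(KNOWN_PREFIXES)]

def bulk_downloads(events, threshold=3, window=timedelta(minutes=5)):
    """Users who fetched at least `threshold` attachments inside one `window`,
    mapped to the peak count seen in any such window."""
    times_by_user = defaultdict(list)
    for e in events:
        if "/secure/attachment/" in e["path"] and e["status"] == 200:
            times_by_user[e["user"]].append(e["time"])
    flagged = {}
    for user, times in times_by_user.items():
        peak = max(sum(1 for t in times if start <= t <= start + window)
                   for start in times)
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

On the sample, the unknown-address login and the three attachment fetches that follow it are both flagged for `alice`, while her earlier in-range activity is not.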
Key Takeaways
- HellCat breached Ascom via infostealer-harvested Jira credentials, exfiltrating 44GB of sensitive data
- Stolen data includes source code, contracts, and invoices — representing significant IP and business intelligence loss
- HellCat specializes in Jira-targeted attacks — Schneider Electric, Telefonica, Orange, and JLR were previous victims
- Infostealer-to-Jira is a repeatable attack chain — Credentials stolen from employee devices bypass perimeter defenses
- MFA on Jira is essential — Most HellCat attacks succeed because Jira instances lack multi-factor authentication
- Jira contains far more sensitive data than most organizations realize — Source code, architecture docs, and customer details are commonly stored in project tickets
Sources
- BleepingComputer — HellCat Hackers Go on a Worldwide Jira Hacking Spree
- SecurityWeek — Ransomware Group Claims Attacks on Ascom, Jaguar Land Rover
- Cybersecurity News — HellCat Ransomware Group Hacked Ascom Technical Ticketing System
- SC Media — Global Jira Targeting Conducted by HellCat as Ascom Confirms Breach