HellCat ransomware targeting Jira servers

On March 20, 2025, global hacking group HellCat launched a widespread ransomware attack specifically targeting Jira servers.

What Happened?

Notably, the Swiss telecommunications provider Ascom confirmed a cyberattack on its technical ticketing system, with the attackers stealing sensitive data, including source code, confidential documents, invoices, and project details.

Attack Methodology

HellCat ransomware operators exploit compromised Jira credentials, often collected via infostealer malware infecting employees' devices. The group has consistently leveraged these credentials to gain unauthorized access to Jira project management systems, allowing them to exfiltrate sensitive data, escalate privileges, and move laterally within targeted networks.

Affected Companies

Confirmed victims of HellCat’s Jira attacks include:

  • Ascom
  • Schneider Electric
  • Telefónica
  • Orange Group
  • Jaguar Land Rover (JLR)
  • Affinitiv

Recommended Actions

  • Credential Management: Regularly rotate Jira credentials and implement multi-factor authentication (MFA) to reduce risks associated with compromised accounts. Detect and alert on password reuse.
  • Monitor for Breaches: Employ advanced monitoring and detection tools specifically targeting anomalous Jira activity, including unauthorized access or privilege escalation.
  • Endpoint Protection: Implement endpoint protection to prevent credential-stealing malware infections.
  • Incident Response Planning: Establish incident response plans to contain and remediate incidents involving compromised environments.
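
One way to implement the anomalous-activity monitoring recommended above, as an added example that is not from the original post: it flags a login from an IP address not previously seen for that user when the same session then performs bulk downloads or a group change. The log schema, thresholds, usernames and IP addresses are constructed assumptions, not Jira's native log format.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value schema (an assumption;
# this is not Jira's native audit or access log format).
SAMPLE_LOG = """\
2025-03-19T09:02:00 user=alice ip=10.1.4.20 action=login
2025-03-19T09:10:00 user=alice ip=10.1.4.20 action=download count=3
2025-03-20T02:11:00 user=bob ip=203.0.113.7 action=login
2025-03-20T02:14:00 user=bob ip=203.0.113.7 action=download count=40
2025-03-20T02:20:00 user=bob ip=203.0.113.7 action=group_add group=jira-administrators
2025-03-20T08:30:00 user=carol ip=198.51.100.9 action=login
2025-03-20T08:35:00 user=carol ip=198.51.100.9 action=download count=2
"""

# Assumed baseline of source IPs previously seen per user (constructed values).
KNOWN_IPS = {"alice": {"10.1.4.20"}, "bob": {"10.1.4.31"}, "carol": {"10.1.4.44"}}
WINDOW = timedelta(minutes=30)   # how long a new-source session stays suspect
BULK_DOWNLOADS = 25              # downloads inside WINDOW that count as bulk


def parse(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect(log_text, known_ips):
    """Alert when a login from an unfamiliar IP is followed, within WINDOW,
    by bulk downloads or a group membership change from that same IP."""
    suspect = {}   # (user, ip) -> [login time, running download count]
    alerts = []
    for event in sorted(map(parse, log_text.splitlines()), key=lambda e: e["ts"]):
        key = (event["user"], event["ip"])
        if event["action"] == "login":
            if event["ip"] not in known_ips.get(event["user"], set()):
                suspect[key] = [event["ts"], 0]
            continue
        session = suspect.get(key)
        if session is None or event["ts"] - session[0] > WINDOW:
            continue
        if event["action"] == "download":
            before = session[1]
            session[1] += int(event.get("count", 1))
            if before < BULK_DOWNLOADS <= session[1]:   # fire once per session
                alerts.append((event["user"], event["ip"], "bulk_download"))
        elif event["action"] == "group_add":
            alerts.append((event["user"], event["ip"], "privilege_change:" + event.get("group", "?")))
    return alerts
```

Calling `detect(SAMPLE_LOG, KNOWN_IPS)` yields two alerts for `bob` and none for `carol`, whose new-IP session stays below both triggers.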
