France, Indonesia Hit Hard as 92 Critical Exposures Surface
Summary
Today's threat landscape is defined by a high volume of largely opportunistic attacks concentrated on France and Indonesia, with a notable share of the activity coming from a handful of prolific actors. The 92 critical data-exposure events span government, education, and retail targets with little sign of sector-specific selection, while a ransomware incident in Mexico's automotive industry underscores the persistent risk from established ransomware groups. Defenders should prioritize monitoring for credential-based intrusions and data exfiltration, particularly in French and Southeast Asian markets, and treat every claim below as unverified until checked against the affected organization's own telemetry.
Today's developments
The most striking pattern today is the intense focus on French entities, with at least 26 events recorded. A cluster of actors, including xMetah, 0xSec, misere, and efraim, have allegedly breached multiple high-profile targets. xMetah claims to have compromised the French e-learning platform Ornikar, while misere alleges breaches of the French Ministry of National Education and the sports police portal Sportpolice.fr. The actor 0xSec claims to have hit real estate firms Nestenn and ACOPA Immobilier Marcadet, and efraim alleges a breach of the French Table Tennis Federation involving 110,000 individuals. The retail sector is also under fire, with claims against King Jouet France and the e-commerce platform ManoMano.
- Actor xMetah also claims a breach of the French pharmacy aggregator pulsy.fr, allegedly affecting 5.6 million records.
- Actor temp991 claims to have obtained 100,000 IBAN numbers from La Banque Postale.
- Actor Saturne alleges breaches of the Hellfest music festival and the i-Run sports retailer, with the latter reportedly affecting 1.2 million users.
Indonesia accounts for 31 events, largely driven by actors such as KNOK666X and BABAYO EROR SYSTEM. KNOK666X claims breaches of the West Kalimantan government and a data leak from West Java. The transportation and logistics firm SAI Indonesia was allegedly compromised by the group DR4K7H CYBER TEAM.
In the Americas, the INC RANSOM group has allegedly struck the Mexican automotive manufacturer JK Tornel S.A. de C.V., marking a significant ransomware incident in the industrial sector. The United States saw a range of claims, including a breach of a Dental RCM SaaS provider allegedly affecting over 900,000 records, and a claim by ModernStealer targeting DARPA. A separate claim by iProfessor alleges the exposure of 176 GB of data belonging to a U.S. doctor.
Threat landscape signals
The data reveals a highly fragmented threat actor ecosystem, with the top five actors -- Zod, Marketing Webshell, Hax.or, BABAYO EROR SYSTEM, and BARZXPLOIT -- accounting for only 58 of the 213 total events. This suggests a low barrier to entry and a proliferation of smaller, opportunistic groups. The concentration of attacks on France and Indonesia is notable and may indicate regional hacktivist campaigns or the exploitation of specific, unpatched vulnerabilities in common platforms used in those countries.
The presence of multiple claims against government and education entities in France, Thailand, and Honduras points to a sustained interest in public-sector data. The alleged breach of the Federal Intelligence Service in Germany by the group We are Cardinal is particularly concerning, though unverified. The sale of access keys for four Shopify stores and the alleged sale of a Zalando Australia customer database highlight the ongoing monetization of e-commerce data. Defenders should treat every claim as unverified but actionable: assume exposure until verification rules it out, and prioritize that verification for entities in the retail, government, and healthcare sectors.
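One concrete verification step for a claim like the 100,000 La Banque Postale IBANs above, and for claim triage in general, is to check whether a sample of the allegedly leaked records is even internally consistent before escalating. The following is an added example and not part of the original report: it classifies each IBAN in a sample by format, ISO 7064 mod-97-10 check digits, country, and bank-code prefix, and summarizes the result. The IBANs in the sample are constructed test values, not leaked data; the expected country "FR" and bank code "20041" are assumptions supplied by the analyst for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Expected IBAN length per country (ISO 13616); only the countries used in the sample.
IBAN_LENGTHS = {"FR": 27, "GB": 22, "DE": 22}


def iban_mod97(iban: str) -> int:
    """Return the ISO 7064 mod-97-10 remainder of a normalized IBAN.

    Country code and check digits are moved to the end, letters become
    two-digit numbers (A=10 ... Z=35), and the remainder is computed digit by
    digit so very long numbers never need a bignum. A remainder of 1 means the
    check digits are consistent with the rest of the IBAN.
    """
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    remainder = 0
    for ch in digits:
        remainder = (remainder * 10 + int(ch)) % 97
    return remainder


def classify_iban(raw: str,
                  expected_country: Optional[str] = None,
                  expected_bank_code: Optional[str] = None) -> str:
    """Classify one claimed IBAN; checks run from cheapest to most specific."""
    iban = re.sub(r"\s+", "", raw).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", iban):
        return "malformed"
    country = iban[:2]
    if country not in IBAN_LENGTHS:
        return "unknown_country"
    if len(iban) != IBAN_LENGTHS[country]:
        return "bad_length"
    if iban_mod97(iban) != 1:
        return "bad_checksum"
    if expected_country and country != expected_country:
        return "foreign_country"
    # The bank code is the first part of the BBAN, immediately after the check digits.
    if expected_bank_code and not iban[4:].startswith(expected_bank_code):
        return "other_bank"
    return "plausible"


def triage_sample(rows: Iterable[str],
                  expected_country: Optional[str] = None,
                  expected_bank_code: Optional[str] = None) -> Dict[str, object]:
    """Summarize a sample: per-class counts and the fraction that is plausible for the claimed victim."""
    counts = Counter(classify_iban(r, expected_country, expected_bank_code) for r in rows)
    total = sum(counts.values())
    return {
        "total": total,
        "counts": dict(counts),
        "plausible_fraction": (counts["plausible"] / total) if total else 0.0,
    }


# Constructed sample, not leaked data: one well-formed French IBAN with the assumed
# bank code, one with a corrupted check, two valid IBANs from other countries, one
# valid French IBAN from a different bank, one truncated, one garbage.
SAMPLE_ROWS = [
    "FR14 2004 1010 0505 0001 3M02 606",
    "FR1420041010050500013M02607",
    "GB82 WEST 1234 5698 7654 32",
    "FR9530006000010000000000101",
    "DE89 3704 0044 0532 0130 00",
    "FR14 2004 1010 0505 0001 3M02",
    "not-an-iban",
]

if __name__ == "__main__":
    # Assumed for illustration: the claimed victim is a French bank with code 20041.
    print(triage_sample(SAMPLE_ROWS, expected_country="FR", expected_bank_code="20041"))
```

A high plausible fraction does not prove the data came from the claimed victim, since valid check digits can be generated for any account number and a fabricated dump can pass this test; a low fraction, however, is cheap evidence that the claim is padded or synthetic and belongs lower in the verification queue. The French RIB key at the end of the BBAN is not validated here; adding that check would tighten the test for French samples.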