Huge Domain Admin access to a French IT service Provider (OSINT)

So I was scrolling through my LinkedIn feed and saw a post by SaxX sharing a discovery about a threat actor selling domain admin access to one of the French IT service providers!

Since I love these kinds of topics, I decided to give it a try and started my own little OSINT investigation to see if I could identify the target company!

First of all, the screenshot appears to come from XSS.is, a well-known Russian forum.

I won’t be focusing on the user who shared the offer, because I don’t care about them; I will only try to identify the target company.

One thing to know about XSS.is is that it is a Russian-language forum, so its users mostly communicate in Russian. Not always, since there are hackers from all over the world there, but most of the time they attack infrastructure in other countries and stay away from their own. There are several reasons for this: first because it is their own country, and second because they could be caught more easily there.

Working from this theory, I will assume that this threat actor is not from France, doesn’t speak French, and had no precise information about the target beforehand, only researching them after gaining access in order to estimate how much that access might be worth.

A simple search on the internet for IT service providers in France gives us this result:

Here is a list of some prominent IT service providers in France:

Groupe Cyllene: Specializes in digital transformation and IT infrastructure management, including private and public cloud services. Partners include VMware, Amazon, Cisco, and Dell.

Groupe ACESI: Offers services in IT infrastructure, systems, and networks, emphasizing technical excellence. Key partners include VMware, Citrix, and Dell.

Mismo: Provides comprehensive solutions for IT management, infrastructure, and hardware, supporting around 3,000 businesses.

Absys Services: Focuses on client-centric IT solutions, with expertise in system assembly and managed services. Partners with Veeam, EMC², and Fortinet.

Provectio: Delivers managed IT services and guarantees the proper functioning of clients’ information systems. Collaborates with VMware, Veeam, and Sophos.

Actuelburo: Covers various IT and telecommunication services, including cloud and hyperconvergence solutions. Partners with Veeam, Microsoft, and HPE.

AURAneXt: Provides telecommunications and IT integration for SMEs, specializing in modern network solutions and cloud maintenance.

Novenci: Recognized for IT outsourcing and technical expertise, partnering with VMware, IBM, and Huawei.

AntemetA: Offers solutions for data management, storage, and backup, partnering with Zerto, Brocade, and Cisco.

PARTNER Informatique: Has over 30 years of experience in delivering reliable and durable IT solutions. Partners include VMware, Veeam, and Sage.

Let’s keep in mind that the threat actor provided this information:

ZoomInfo Available: The company’s revenue is $18 million.

For the curious ones, ZoomInfo Technologies Inc. is a software and data company that provides information on companies and business professionals. Their main product is a commercial search engine specialized in contact and business information.

Searching for all these companies on ZoomInfo and comparing their listed revenues with the figure the hacker mentioned, I found that none of them matched the $18 million exactly, but one came close:
ACESI Groupe, at $14 million

Honestly, on its own this proves nothing, so I tried a plain Google search without any specialized tool. All the other companies were far from the $18 million, but guess what:

ACESI Group matches the $18 million figure exactly in the Google result, but this is still not definitive. So, what else can we do to confirm this lead or rule it out?

Basically, hacking groups and ransomware operators often use well-known attack vectors for initial access, and many of them also rely on credentials leaked by infostealer malware.

Drawing on some CTI knowledge, I found that ACESI Group already has leaked accounts in circulation, which may have been the attacker’s entry point.

This is all I was able to find based on the publicly shared information. The OSINT was done using only publicly accessible tools, without touching any assets of any company.

Even with these indicators, we can’t confirm anything. It’s only my curiosity driving this investigation. It’s just a matter of time before confirmed information becomes available.