Alleged Full Infrastructure Compromise of National Oil Ethiopia With 800GB ERP Database Exfiltration, Veeam and Kaspersky Compromise, and Ransomware Deployment

Dark Web Informer - Cyber Threat Intelligence

March 24, 2026 - 1:54:50 PM UTC
Ethiopia
Oil & Gas / Government

Quick Facts

Date & Time: 2026-03-24 13:54:50 UTC
Threat Actor: ByteToBreach
Victim: National Oil Ethiopia (NOC)
Industry: Oil & Gas / Government
Category: Ransomware / Data Breach
Data Size: 800+ GB (ERP: 500 GB)
Databases: 4
Initial Access: Exchange ProxyLogon
Severity: Critical
Ransomware: Deployed
Network: Open Web
Country: Ethiopia

Incident Overview

A threat actor going by ByteToBreach claims to have fully compromised the infrastructure of National Oil Ethiopia PLC (NOC), Ethiopia's state-owned oil company. This is not a simple database dump: the actor describes a complete infrastructure takeover that progressed through eight distinct steps, culminating in ransomware deployment. The listing includes a detailed technical narrative of the intrusion, which is unusual for forum posts and suggests the actor wants to demonstrate credibility and operational sophistication.

The actor outlines the following attack chain:

  • Step 1: Initial Foothold: Gained entry through a basic Exchange ProxyLogon exploit. The actor notes there weren't many vulnerabilities to exploit beyond this entry point.
  • Step 2: Pivot: Moved laterally from the compromised Exchange server into the internal network. The actor used a Metasploit reverse shell and ran Ligolo as a background process on an internal host for tunneling, noting this made things faster and lighter than relying on traditional C2 infrastructure.
  • Step 3: Credential Gathering: Harvested credentials from internal systems.
  • Step 4: Full AD Admin: Achieved full Active Directory administrator access, giving complete control over the domain environment.
  • Step 5: Database Access: Accessed and exfiltrated four databases totaling over 800GB of data. The main ERP database alone contained 500GB, with the remaining data generated from application logs.
  • Step 6: Veeam Compromise: Compromised the Veeam backup infrastructure, likely to destroy or encrypt backups and prevent recovery.
  • Step 7: Kaspersky Compromise: Compromised the Kaspersky security solution, disabling or bypassing endpoint protection across the environment.
  • Step 8: Ransomware: Deployed ransomware across the infrastructure.

The exfiltrated data allegedly includes client records, contracts, salaries, PII, email addresses, physical addresses, and all operational business data for both clients and employees. The actor emphasizes that the intrusion relied more on knowing where to look and when to act than on exploiting numerous vulnerabilities. Backup links and contact information via Signal, Session, Telegram, email, X, and a website are provided. The actor prefers communication via Session or Signal.

Compromised Data Categories

  • ERP Database (500 GB)
  • Client Records
  • Employee Records
  • Contracts
  • Salary Data
  • Personal Identifiable Information
  • Email Addresses
  • Physical Addresses
  • Operational Business Data
  • Application Logs
  • Active Directory Credentials
  • Veeam Backup Infrastructure
  • Kaspersky Security Console

Image Preview

[Image: Forum post by ByteToBreach detailing the full infrastructure compromise of National Oil Ethiopia, with the 8-step attack chain, 800GB database exfiltration, and ransomware deployment]

Claim URL

The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application
Exploited a Microsoft Exchange ProxyLogon vulnerability to gain an initial foothold in the target's infrastructure and establish a presence on the mail server.
T1021 Remote Services
Pivoted from the compromised Exchange server into the internal network using Ligolo tunneling and Metasploit reverse shells to move laterally across systems.
T1003 OS Credential Dumping
Gathered credentials from internal systems, escalating privileges until achieving full Active Directory administrator access and complete domain control.
T1562.001 Impair Defenses: Disable or Modify Tools
Compromised the Kaspersky security console to disable or bypass endpoint protection across the environment before deploying ransomware.
T1490 Inhibit System Recovery
Compromised the Veeam backup infrastructure to prevent disaster recovery, ensuring ransomware impact cannot be easily reversed through backup restoration.
T1486 Data Encrypted for Impact
Deployed ransomware across the infrastructure as the final step of the attack chain, encrypting systems after data exfiltration and backup destruction were complete.
T1005 Data from Local System
Exfiltrated four databases totaling 800+ GB including the main 500GB ERP database containing client records, contracts, salaries, PII, and all operational business data.
T1572 Protocol Tunneling
Used Ligolo as a tunneling tool running as a background process on an internal host to maintain persistent access and route traffic through the compromised network.