Alleged Full Infrastructure Compromise of National Oil Ethiopia With 800GB ERP Database Exfiltration, Veeam and Kaspersky Compromise, and Ransomware Deployment
ByteToBreach claims full infrastructure compromise of National Oil Ethiopia with 800GB data exfiltration and ransomware
Summary
Threat actor ByteToBreach claims a complete infrastructure takeover of National Oil Ethiopia (NOC), exfiltrating over 800GB of data including a 500GB ERP database containing client records, contracts, salaries, and PII. The attack chain progressed through eight steps: Exchange ProxyLogon exploitation, lateral movement via Metasploit and Ligolo, credential harvesting, Active Directory compromise, database exfiltration, Veeam backup destruction, Kaspersky security bypass, and ransomware deployment. The actor emphasizes operational sophistication and the targeting of backup and security infrastructure to prevent recovery.
Full text
Dark Web Informer - Cyber Threat Intelligence
March 24, 2026 - 1:54:50 PM UTC | Ethiopia | Oil & Gas / Government

Quick Facts
- Date & Time: 2026-03-24 13:54:50 UTC
- Threat Actor: ByteToBreach
- Victim: National Oil Ethiopia (NOC)
- Industry: Oil & Gas / Government
- Category: Ransomware / Data Breach
- Data Size: 800+ GB (ERP: 500 GB)
- Databases: 4
- Initial Access: Exchange ProxyLogon
- Severity: Critical
- Ransomware: Deployed
- Network: Open Web
- Country: Ethiopia

Incident Overview
A threat actor going by ByteToBreach claims to have fully compromised the infrastructure of National Oil Ethiopia PLC (NOC), Ethiopia's state-owned oil company. This is not a simple database dump. The actor describes a complete infrastructure takeover that progressed through 8 distinct steps, culminating in ransomware deployment. The listing includes a detailed technical narrative of the intrusion, which is unusual for forum posts and suggests the actor wants to demonstrate credibility and operational sophistication.

The actor outlines the following attack chain:
- Step 1: Initial Foothold: Gained entry through a basic Exchange ProxyLogon exploit. The actor notes there weren't many vulnerabilities to exploit beyond this entry point.
- Step 2: Pivot: Moved laterally from the compromised Exchange server into the internal network. The actor used a Metasploit reverse shell and ran Ligolo as a background process on an internal host for tunneling, noting this made things faster and lighter than relying on traditional C2 infrastructure.
- Step 3: Credential Gathering: Harvested credentials from internal systems.
- Step 4: Full AD Admin: Achieved full Active Directory administrator access, giving complete control over the domain environment.
- Step 5: Database Access: Accessed and exfiltrated four databases totaling over 800GB of data. The main ERP database alone contained 500GB, with the remaining data generated from application logs.
- Step 6: Veeam Compromise: Compromised the Veeam backup infrastructure, likely to destroy or encrypt backups and prevent recovery.
- Step 7: Kaspersky Compromise: Compromised the Kaspersky security solution, disabling or bypassing endpoint protection across the environment.
- Step 8: Ransomware: Deployed ransomware across the infrastructure.

The exfiltrated data allegedly includes client records, contracts, salaries, PII, email addresses, physical addresses, and all operational business data for both clients and employees. The actor emphasizes that the intrusion relied more on knowing where to look and when to act than on exploiting numerous vulnerabilities. Backup links and contact information via Signal, Session, Telegram, email, X, and a website are provided. The actor prefers communication via Session or Signal.

Compromised Data Categories
- ERP Database (500 GB)
- Client Records
- Employee Records
- Contracts
- Salary Data
- Personal Identifiable Information
- Email Addresses
- Physical Addresses
- Operational Business Data
- Application Logs
- Active Directory Credentials
- Veeam Backup Infrastructure
- Kaspersky Security Console

Claim URL
The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

MITRE ATT&CK Mapping
- T1190 Exploit Public-Facing Application: Exploited a Microsoft Exchange ProxyLogon vulnerability to gain an initial foothold in the target's infrastructure and establish a presence on the mail server.
- T1021 Remote Services: Pivoted from the compromised Exchange server into the internal network using Ligolo tunneling and Metasploit reverse shells to move laterally across systems.
- T1003 OS Credential Dumping: Gathered credentials from internal systems, escalating privileges until achieving full Active Directory administrator access and complete domain control.
- T1562.001 Impair Defenses: Disable or Modify Tools: Compromised the Kaspersky security console to disable or bypass endpoint protection across the environment before deploying ransomware.
- T1490 Inhibit System Recovery: Compromised the Veeam backup infrastructure to prevent disaster recovery, ensuring the ransomware impact cannot be easily reversed through backup restoration.
- T1486 Data Encrypted for Impact: Deployed ransomware across the infrastructure as the final step of the attack chain, encrypting systems after data exfiltration and backup destruction were complete.
- T1005 Data from Local System: Exfiltrated four databases totaling 800+ GB, including the main 500GB ERP database containing client records, contracts, salaries, PII, and all operational business data.
- T1572 Protocol Tunneling: Used Ligolo as a tunneling tool running as a background process on an internal host to maintain persistent access and route traffic through the compromised network.
Indicators of Compromise
- mitre_attack — T1190
- mitre_attack — T1021
- mitre_attack — T1003
- mitre_attack — T1562.001
- mitre_attack — T1490
- mitre_attack — T1486
- mitre_attack — T1005
- mitre_attack — T1572
- threat_actor — ByteToBreach