In a growing spree of targeted cyberattacks, the HELLCAT threat group has breached at least six organizations in just five months by exploiting exposed Jira credentials. Victims include high-profile enterprises like Telefonica, Orange Group, and Jaguar Land Rover (JLR). In the JLR case alone, attackers exfiltrated and leaked over 700 internal documents, including source code, development logs, tracking data, and sensitive employee information.
These weren’t isolated incidents. HELLCAT followed a consistent playbook: targeting Jira for its central role in enterprise operations and its integration into broader ecosystems. The platform often holds architectural plans, API keys, internal communications, and workflow data. Sounds like a goldmine for attackers.
Stolen credentials are the culprit in the cloud
So, what made these attacks possible? It was stolen credentials harvested by infostealer malware, often from external third parties. In one case, Jira credentials belonging to an LG Electronics employee still granted access to JLR’s Jira instance—years after the initial compromise. Those credentials had been exposed for years yet remained valid.
This isn’t a corner case. Credentials compromised – for example in old infostealer campaigns – are still readily available on the dark web. And as long as they work, attackers will continue using them. Many organizations don’t consider these risks in their security plans. This is the case especially when the credentials belong to external users like partners, contractors, or vendors.
The lesson is clear: in cloud environments, access doesn’t end at the walls of your organization.
Breached Jira credentials: The Salesforce parallel
From the attacker’s point of view, Jira is not unique. Salesforce mirrors Jira closely:
- Vast amounts of sensitive data – customer records, contracts, invoices, case files, product roadmaps
- Extensive third-party access – via customer portals, partner users, and even agent automation.
- Central to workflows – tightly integrated with other platforms through APIs and automation, even more than Jira
- Credential risk blind spots – these are ticking time bombs especially for community users and partners outside core IT controls
Salesforce is targeted more and more by sophisticated cyber attacks
Just like Jira, Salesforce is increasingly targeted. Many companies still don’t enforce MFA across all user types. Infostealer dumps are often loaded with credentials tied to cloud accounts, including Salesforce user accounts, which may go unmonitored or unchanged for years. Identity compromise is practically invisible to traditional security layers – until it’s too late.
The HELLCAT breaches aren’t just a Jira credential risk. They’re a SaaS ecosystem wake-up call.
WithSecure helps mitigate identity risks on Salesforce
Salesforce isn’t just a business app or CRM anymore – it’s an infrastructure and a backbone to critical commercial operations. Without proper visibility into identity risk and real-time file and URL-based threats, the door is wide open.
WithSecure Cloud Protection for Salesforce provides:
- Real-time threat scanning of all files and URLs inside Salesforce
- Blocking of phishing links that direct to credential harvesting sites – even when hidden inside files or behind QR codes
- Stopping files that hide malware and ransomware, including infostealers and never-before-seen zero-day threats
- [COMING SOON!] Credential compromise detection to identify at-risk users
Switch roles from an administrator to Salesforce defender
Salesforce customers need to think like defenders, not just administrators. You should treat Salesforce like the critical platform it is. Understand who’s accessing it.
And don’t assume that credentials leaked five years ago aren’t still being exploited today.
Soon, we can help you monitor for credential compromises – especially among external users with our upcoming Identity Protection capabilities.
Trusted by highly regulated Fortune 500 enterprises globally, WithSecure Cloud Protection for Salesforce delivers scalable, quick-to-deploy Salesforce native protection. No added complexity, hindrance to your operations, or impact on your custom workflows. Just award-winning detection capabilities delivered in real-time.
Curious about the upcoming Identity Protection feature? Contact us from the form below.