On November 4, 2024, the newly emerged Hellcat ransomware group claimed responsibility for breaching Schneider Electric's internal Atlassian Jira project-tracking platform and demanded a $125,000 ransom in cryptocurrency — initially advertised, for tabloid attention, as payable in baguettes. The intrusion was Schneider Electric's third publicly disclosed incident in less than two years, following the February 2024 Cactus ransomware compromise of its Sustainability Business division and the June 2023 CL0P exploitation of MOVEit Transfer that swept up Schneider as one of thousands of downstream victims. The Hellcat case is notable for two reasons. First, it confirms that infostealer-harvested credentials remain a dominant initial-access vector in 2024. Second, it reframes the Atlassian Jira project tracker as a high-value data target rather than a routine engineering tool — a lesson with implications for every enterprise that has ever pasted credentials into a ticket. The combination of engineering-issue content and a 400,000-row user directory makes Jira an unusually high-yield single target for credential-theft and follow-on phishing operations.
Who is Hellcat and how did they get in?
Hellcat is a ransomware-as-a-service brand that emerged in October 2024 with a leak site hosted on the Tor network and an extortion model focused on smaller dollar-value demands aimed at fast turnover. The group's affiliates publicly named Schneider Electric, Telefonica's research-and-development environment, and several other industrial victims through late 2024 and early 2025. The initial-access vector for the Schneider Electric Jira compromise was identified by Hudson Rock researchers analysing infostealer logs sold on Russian Market: a Schneider Electric employee's workstation was infected with Lumma Stealer on October 13, 2024, harvesting plaintext browser-stored credentials including a session token and login for Schneider's internal Atlassian Jira instance. The attacker logged into Jira with the stolen credentials, then used the MiniOrange REST API plugin endpoint to bulk-scrape user records and project metadata.
What did the attackers actually access?
Hellcat published claims of 40 GB of compressed data exfiltrated from the Jira instance, including approximately 400,000 user records, 75,000 unique email addresses associated with Schneider Electric employees and customers, project metadata, issue content, attachments, and plugin configuration. The category that mattered most was issue content: engineering tickets routinely contain debugging output, configuration snippets, credentials pasted by harried engineers, and references to internal infrastructure that an attacker can leverage for follow-on intrusion. The 75,000 unique email addresses also represent a high-quality phishing target list for the next campaign. Schneider Electric confirmed unauthorised access to a project-execution tracking platform hosted in what it described as an isolated environment, and said operations and customer-facing products were not affected.
How long were they inside?
The Hudson Rock infostealer timestamp dates the employee infection to October 13, 2024. The Jira compromise was disclosed on November 4, 2024 — a window of approximately three weeks between credential theft and ransomware extortion. The Hellcat affiliate did not deploy ransomware encryption inside Schneider's environment; the extortion model relied on data theft and public leak-site pressure rather than on encryption. After Schneider Electric publicly refused the $125,000 demand, Hellcat followed through in mid-November 2024 by posting portions of the dataset on its leak site. The relatively small ransom demand reflected Hellcat's positioning as a high-volume affiliate brand rather than a top-tier extortion operator, and the public stunt of demanding baguettes appeared calculated to maximise media coverage at minimal operational cost.
What did existing controls miss?
Three failures shaped the outcome. First, the infected employee's workstation either lacked an EDR product or the EDR did not detect Lumma Stealer's drop-and-execute behaviour; Lumma is one of the best-documented commodity infostealers of 2024 and is in every major EDR's detection corpus. Second, browser-stored credentials remained unrotated long enough for the attacker to log in three weeks later, indicating no automated credential-rotation workflow tied to known-bad infostealer logs sold on Russian Market. Third, the Jira instance itself permitted bulk REST API extraction via MiniOrange without rate limiting, anomaly detection, or session-binding that would have made a 400,000-row pull visible. The combination produced a low-effort, high-payoff outcome for Hellcat.
# Atlassian Jira hardening baseline against infostealer credential theft
atlassian_jira_hardening:
  authentication:
    sso_only: required
    saml_with_step_up_mfa: required
    api_tokens_short_lived: true
    legacy_password_login_disabled: true
  session_management:
    session_lifetime_hours_max: 8
    ip_binding_for_admin_sessions: required
    impossible_travel_alert: high
  data_handling:
    secrets_in_issue_content_dlp_scan: required
    attachment_credential_scan: required
    automatic_credential_redaction_in_logs: required
  api_rate_limits:
    per_user_per_minute: 60
    bulk_export_requires_admin_approval: true
    bulk_user_directory_query_alert_threshold: 100
  infostealer_response:
    russian_market_log_monitoring_subscription: required
    infected_employee_credential_rotation_sla_hours: 4
    forced_re_authentication_after_workstation_reimage: required
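The third control failure above (bulk REST extraction with no rate limiting or anomaly detection) is what the baseline's per_user_per_minute and bulk_user_directory_query_alert_threshold values are meant to catch. As an added example, not Schneider Electric's, Atlassian's or any vendor's code, the Python below applies those two thresholds to constructed Jira-style access-log lines; the log line shape, the user names and the use of Jira's built-in /rest/api/2/user/search endpoint are assumptions, and the MiniOrange plugin's export path is not on the page, so it is left to be added to the tuple.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse
PER_USER_PER_MINUTE = 60          # api_rate_limits.per_user_per_minute in the baseline
DIRECTORY_ALERT_THRESHOLD = 100   # bulk_user_directory_query_alert_threshold
DIRECTORY_PATHS = ("/rest/api/2/user/search",)   # add the plugin's export path here (assumed)
# Constructed log shape: <iso timestamp> <user> "<METHOD> <target> HTTP/1.1" <status>
LINE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})$')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, user, method, target, status = m.groups()
    url = urlparse(target)
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "path": url.path, "query": parse_qs(url.query), "status": int(status)}

def analyse(lines):
    """Return {user: set(alert_names)} for the two scrape signatures."""
    by_user = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_user[rec["user"]].append(rec)
    alerts = defaultdict(set)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0   # sliding 60-second window over this user's requests
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] >= timedelta(minutes=1):
                start += 1
            if end - start + 1 > PER_USER_PER_MINUTE:
                alerts[user].add("rate_limit_exceeded")
                break
        # Paginated directory pulls: startAt + maxResults approximates records retrieved so far.
        reached = 0
        for rec in recs:
            if rec["path"] in DIRECTORY_PATHS and rec["status"] == 200:
                page = rec["query"]
                reached = max(reached, int(page.get("startAt", ["0"])[0]) + int(page.get("maxResults", ["50"])[0]))
        if reached > DIRECTORY_ALERT_THRESHOLD:
            alerts[user].add("bulk_user_directory_query")
    return dict(alerts)
# Constructed sample: one ordinary request, then a stolen session paging through the directory.
T0 = datetime(2024, 10, 14, 9, 0, 0)
SAMPLE = [f'{T0.isoformat()} eng.normal "GET /rest/api/2/issue/PROJ-1 HTTP/1.1" 200']
for i in range(70):
    ts = (T0 + timedelta(seconds=i * 0.5)).isoformat()
    SAMPLE.append(f'{ts} harvested.user "GET /rest/api/2/user/search?username=a&startAt={i * 50}&maxResults=50 HTTP/1.1" 200')
```

Running `analyse(SAMPLE)` flags harvested.user for both signatures, while the ordinary engineer produces no alert; in production the same logic would run over the Jira access log shipped to the SIEM.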
What should defenders do now?
Six steps. First, subscribe to infostealer-log monitoring services (Hudson Rock, SpyCloud, Flare) and integrate them with your identity provider so that an employee's appearance in a Russian Market log triggers automatic credential rotation within hours, not weeks. Second, harden Atlassian Jira, ServiceNow, GitHub Enterprise, and every other engineering-collaboration SaaS the same way you harden your identity provider — SSO only, MFA enforcement at the IdP layer, no local logins, no long-lived API tokens. Third, scan issue content and attachments for credentials using a DLP product that understands the corpus of secret formats; many secrets in Jira are pasted in stack traces and config snippets that pre-commit hooks would have caught at the source-code layer. Fourth, rate-limit bulk REST API extraction and require admin approval for any download exceeding a threshold of project rows. Fifth, exercise an infostealer tabletop with the SOC, simulating the discovery of three employee workstations in a Russian Market log dump on a Friday evening. Sixth, push EDR coverage to 100 percent across all corporate endpoints — including contractor laptops — because the Schneider Electric case turned on a single missed Lumma infection.
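For the third step (scanning issue content for secrets), here is an added Python example, not the page's or any DLP vendor's code, that scans a constructed ticket body for a few well-known secret formats plus high-entropy tokens that no pattern names, and returns both the findings and a redacted copy. The patterns, the entropy threshold and the sample ticket are assumptions; the AKIA value is AWS's documented example key, not a live credential.

```python
import math
import re
# A small subset of well-known secret formats; a real DLP corpus is far larger.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}
# Long opaque tokens (session ids, bearer tokens) are caught by entropy rather than by name.
ENTROPY_CANDIDATE = re.compile(r"\b[A-Za-z0-9_-]{24,}\b")

def shannon_entropy(s):
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_issue(text, entropy_threshold=3.5):
    """Return (findings, redacted_text); each finding is (kind, line_no, secret)."""
    findings, out_lines = [], []
    for n, line in enumerate(text.splitlines(), 1):
        redacted = line
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(m.lastindex or 0)   # capture group when the pattern has one
                findings.append((kind, n, secret))
                redacted = redacted.replace(secret, "[REDACTED]")
        for m in ENTROPY_CANDIDATE.finditer(line):
            tok = m.group(0)
            # Skip tokens a named pattern already redacted, and low-entropy words.
            if tok in redacted and shannon_entropy(tok) >= entropy_threshold:
                findings.append(("high_entropy_string", n, tok))
                redacted = redacted.replace(tok, "[REDACTED]")
        out_lines.append(redacted)
    return findings, "\n".join(out_lines)

# Constructed ticket body mimicking what engineers paste: stack trace, config, cookie.
SAMPLE_TICKET = """\
Deploy job fails on stage-02, stack trace below:
  boto3 ClientError: InvalidAccessKeyId for key AKIAIOSFODNN7EXAMPLE
Config used:
  db.password = Tr0ub4dor&3x
  GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123
  Cookie: JSESSIONID=8F3A9C2E7B1D4F6A0E5C3B9D2A7F1E4C
Attached the jira-export.csv for reference.
"""

if __name__ == "__main__":
    found, clean = scan_issue(SAMPLE_TICKET)
    for kind, line_no, _ in found:
        print(f"line {line_no}: {kind}")
    print(clean)
```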
How does Schneider Electric's Jira case compare to other 2024 infostealer-driven breaches?
Infostealer-harvested credentials drove a long list of 2024 and 2025 incidents. The Snowflake customer-cluster compromise that ultimately implicated AT&T, Ticketmaster, Santander Bank, LendingTree, and Advance Auto Parts began with infostealer logs sold on Russian Market and Genesis Market. The Disney internal-Slack leak in mid-2024 traced back to an infostealer infection on a contributor's home device. Hellcat affiliates' subsequent claimed breaches at Telefonica research and several smaller industrial victims followed the same Lumma-stealer pattern as the Schneider Electric Jira intrusion. The category lesson is consistent: long-lived credentials stored in browsers, unrotated SSO sessions, and SaaS endpoints that lack hardware-bound or IP-bound session controls combine into a soft target. Independent research from Mandiant, IBM X-Force, and Hudson Rock through 2024 estimated that more than half of significant intrusions over the year originated in infostealer-harvested credentials. The corollary is that infostealer-log monitoring services, browser-credential storage policy, and IP-binding for sensitive sessions are the highest-leverage 2026 investments for organisations that have not already made them.
How Safeguard Helps
Safeguard inventories every SaaS engineering platform — Atlassian Jira, GitHub Enterprise, GitLab, ServiceNow, Confluence — and continuously cross-references each against vendor advisories, CISA KEV, and known infostealer-log corpora. Griffin AI reachability analysis surfaces which Jira instances permit bulk REST API extraction without rate limiting, which API tokens are long-lived versus short-lived, and which issues contain credential material that should be rotated and redacted. TPRM workflows score Atlassian, GitHub, and ServiceNow against contractual breach-notification SLAs, and continuously verify that customer-side configuration matches the vendor's recommended hardening baseline. Policy gates block deployments that paste credentials into ticket descriptions or pull requests, and ingest Hudson Rock, SpyCloud, and Flare infostealer feeds so that an employee appearing in a Lumma log dump triggers credential rotation across every SaaS platform within hours — not the three weeks that Hellcat used at Schneider Electric.