Threat Actors Allegedly Claim Access to Nokia’s Internal Network

A threat actor, Tsar0Byte, allegedly claimed to have breached the company’s internal network through a vulnerable third-party link, exposing sensitive data belonging to more than 94,500 employees.

The alleged breach, reported on dark web forums including DarkForums, represents one of the most extensive corporate data exposures affecting Nokia in recent years. According to the threat actor’s claims, the compromised data includes a comprehensive internal directory containing:

• Full employee names and contact details
• Corporate email addresses and phone numbers
• Department information and job titles
• LinkedIn profile traces and internal references
• Internal documents and partner-side logs
• Employee identification numbers and corporate hierarchies

The breach appears to have occurred through the exploitation of a third-party contractor’s systems that had direct access to Nokia’s internal infrastructure for tool development purposes. This method of attack through supply chain vulnerabilities has become increasingly common among cybercriminals targeting major corporations.

Allegedly Claim to Nokia Internal Systems

Cybersecurity researchers analyzing the incident suggest that Tsar0Byte gained initial access through poorly secured contractor systems, potentially exploiting default credentials or misconfigured access controls.

The attack methodology mirrors previous incidents where threat actors have successfully penetrated corporate networks by targeting less secure third-party vendors who maintain privileged access to primary systems.

These technical assets represent a significant security risk, as they could provide attackers with the means to maintain persistent access or launch additional attacks against Nokia’s infrastructure.

This incident follows a pattern of high-profile data breaches affecting major technology companies in 2024 and 2025. Nokia has previously faced cybersecurity challenges, including a separate breach in November 2024 where the threat actor IntelBroker claimed to have stolen source code and credentials from a third-party contractor.

Nokia’s cybersecurity team has acknowledged awareness of the claims and stated they are conducting a thorough investigation. The company emphasized that their preliminary findings have not identified evidence of direct compromise to their primary systems, though they continue to monitor the situation closely.

Security experts note that such incidents underscore the need for enhanced vendor security assessments, regular audits of third-party access privileges, and implementation of zero-trust security models that assume no inherent trust for any system or user.

While Nokia has not confirmed that customer data was directly affected, the exposure of internal employee information poses risks for targeted phishing campaigns and social engineering attacks against company personnel.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches