Cybercriminals are trying to extort executives with data allegedly stolen through Oracle tool

Hackers possibly connected to a prominent Russian ransomware gang are attempting to extort corporate executives by threatening to leak sensitive information they claim was stolen through a popular tool made by Oracle. 

Incident responders at Mandiant and Google Threat Intelligence Group (GTIG) released a warning about the campaign on Wednesday evening, telling Recorded Future News in an email that they are tracking a campaign launched by a threat actor potentially linked to Clop — a gang that previously made a name for itself with high-profile data thefts involving file transfer tools. 

The latest campaign, according to the incident responders, involves data the hackers said was stolen through the Oracle E-Business Suite, a widely used business platform containing several applications that manage a company’s finance, human resources and supply chain functions.  

Genevieve Stark, a senior cybercrime investigator at GTIG, said the team believes the campaign started on September 29 but is still in the early stages of multiple investigations. 

The threat actors have sent extortion emails to executives at “numerous organizations,” but Mandiant would not share how many companies have been impacted or what kind of information might have been stolen. Oracle did not respond to requests for comment. 

Mandiant and GTIG “are actively tracking recent activity involving an actor claiming affiliation with the Clop extortion group,” said Charles Carmakal, CTO of Mandiant, later referring to the group by its cybersecurity industry name FIN11.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion.”

GTIG cybersecurity expert Austin Larsen added that the contact addresses provided in the extortion notes — [email protected] and [email protected] — are the same ones publicly listed on the official Clop data leak site. Mandiant explained that it has not yet substantiated the claims made by the group. 

Carmakal warned that the hackers may simply be leveraging Clop’s name to scare victims into paying ransoms and that Mandiant “does not currently have sufficient evidence to definitively assess the veracity of these claims.”

Clop has earned hundreds of millions of dollars by exploiting unreported vulnerabilities in popular file transfer tools from Cleo, MOVEit, GoAnywhere and Accellion.

In each of these attacks, the group typically focused on stealing data held in the file transfer software and extorting a ransom for it, as opposed to the more typical attempt to shut down or damage an organization's devices or systems.

The most recent Clop campaign, against MOVEit, had global implications, impacting several U.S. federal departments, governments and Fortune 500 companies.

Cybersecurity firm Emsisoft estimated that 2,773 organizations were impacted by the attacks on MOVEit, and the records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

Clop is estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.

Earlier this year, Oracle told customers of a January incident where hackers stole information and accessed client credentials held on legacy Oracle systems. 

The Cybersecurity and Infrastructure Security Agency (CISA) eventually warned that while the scope of the incident remained unconfirmed, the “nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded.”

CISA did not respond to requests for comment about whether the January incident is tied to the current campaign. 


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
