> Source article: "Cybercrime crew has ravaged multiple private organizations using Oracle EBS zero-day for months." The UK's National Health Service (NHS) is investigating claims of a cyberattack by extortion crew Clop.…
# Incident Report: Clop Extortion Campaign Targeting Oracle EBS Exposing NHS Claims
## Executive Summary
The ransomware/extortion group Clop has claimed responsibility for compromising the UK's National Health Service (NHS) systems, alongside multiple other private organizations, through the exploitation of an Oracle E-Business Suite (EBS) zero-day vulnerability. The exact extent of the NHS compromise is unconfirmed, as the threat actor's listing provides no specific details about the breached branch. The NHS is currently investigating the claim in coordination with the National Cyber Security Centre (NCSC).
## Incident Details
- Discovery Date: November 11, 2025 (Date Clop listed the NHS on their leak site)
- Incident Date: Prior to November 11, 2025 (Attacks have been ongoing for "months")
- Affected Organization: UK National Health Service (NHS) - Specific trust/branch currently unknown.
- Sector: Healthcare / Public Sector
- Geography: United Kingdom (UK)
## Timeline of Events
### Initial Access
- Date/Time: Ongoing for "months" prior to Nov 2025 assessment.
- Vector: Exploitation of an Oracle E-Business Suite (EBS) zero-day vulnerability.
- Details: Attackers leveraged the vulnerability in Oracle EBS packages used by targeted entities.
### Lateral Movement
- Currently **Unknown/Not Disclosed** in the provided source.
### Data Exfiltration/Impact
- **Claimed:** Data related to an NHS entity was exfiltrated, leading to inclusion on Clop's leak site.
- **Confirmed:** No data has been published by Clop confirming the breach severity or specific contents.
### Detection & Response
- **Detection:** Detected when Clop added the `nhs.uk` domain to their public leak site on November 11, 2025.
- **Response actions taken:** NHS England's cybersecurity team is actively investigating the claim and working closely with the National Cyber Security Centre (NCSC).
## Attack Methodology
- Initial Access: Exploitation of a **Zero-day vulnerability in Oracle EBS**.
- Persistence: *Unknown*
- Privilege Escalation: *Unknown*
- Defense Evasion: *Unknown*
- Credential Access: *Unknown*
- Discovery: *Unknown*
- Lateral Movement: *Unknown*
- Collection: *Unknown*
- Exfiltration: *Unknown*
- Impact: Extortion attempt via public listing.
## Impact Assessment
- Financial: *Not specified.* (The article notes the NHS traditionally does not pay ransoms).
- Data Breach: Clop claims to hold data from an NHS entity; given the nature of the NHS, such data could include sensitive patient information, but the breach itself remains **unconfirmed**.
- Operational: *No confirmed operational disruptions mentioned*.
- Reputational: Potential reputational damage due to inclusion on a high-profile extortion site.
## Indicators of Compromise
- Network indicators: *None provided.*
- File indicators: *None provided.*
- Behavioral indicators: *None provided.*
## Response Actions
- Containment measures: *Not specified.*
- Eradication steps: *Not specified.*
- Recovery actions: *Not specified.*
- **Coordination:** Working closely with the NCSC to investigate the claims.
## Lessons Learned
- **Supply Chain Risk:** Reliance by critical infrastructure (such as parts of the NHS) on externally managed or legacy enterprise software (Oracle EBS) creates a significant attack surface that is exposed to zero-day exploitation.
- **Vulnerability Management Gap:** The attack vector suggests a gap in patching or segmentation protecting the Oracle EBS instances relevant to the NHS.
- **Extortion Tactic:** Clop utilizes broad, non-specific claims (e.g., listing the entire NHS domain) to apply pressure before data publication.
## Recommendations
- **Urgent Patching/Segmentation:** Immediately audit and patch all Oracle EBS environments across all NHS trusts, or severely restrict external access until patching is confirmed.
- **Incident Verification Protocol:** Establish a rapid protocol with NCSC to verify threat actor claims quickly, especially when multi-agency data exposure is implied.
- **Ransom Policy Reinforcement:** Reaffirm and legally enforce the "no ransom payment" policy, focusing investment on resilience and rapid recovery rather than short-term mitigation via payoffs.