Full Report
Lawrence Abrams reports: Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems. According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September. “This activity began on...
Analysis Summary
# Incident Report: CLOP Extortion Campaign Targeting Oracle E-Business Suite Data
## Executive Summary
In late September 2025, a high-volume extortion campaign linked to the notorious CLOP group (and showing strong ties to FIN11) began targeting numerous organizations. The attackers claimed to have successfully breached Oracle E-Business Suite applications and stolen sensitive data. While the claims are currently unverified by investigators, organizations are urged to treat these extortion emails seriously and investigate their environments.
## Incident Details
- **Discovery Date:** On or before September 29, 2025 (when the activity began).
- **Incident Date:** Activity began on or around September 29, 2025.
- **Affected Organization:** Multiple, unnamed companies receiving extortion emails.
- **Sector:** Undisclosed (implied enterprise/business sector, given the targeted application).
- **Geography:** Not specified, but affecting international organizations targeted via email.
## Timeline of Events
### Initial Access
- **Date/Time:** On or before September 29, 2025.
- **Vector:** Not explicitly stated, but the attackers claim to have breached the victim's Oracle E-Business Suite applications.
- **Details:** The extortion emails were sent from hundreds of previously compromised email accounts.
### Lateral Movement
- Details not provided, as the report focuses on the extortion phase following alleged access.
### Data Exfiltration/Impact
- **Details:** Attackers claim to have stolen sensitive data from the victims' Oracle E-Business Suite systems. The actual exfiltration is unverified by Mandiant/Google GTIG.
### Detection & Response
- **How it was discovered:** Mandiant and Google Threat Intelligence Group (GTIG) began tracking the campaign as extortion emails were sent to company executives.
- **Response actions taken:** Mandiant and Google are actively investigating multiple incidents. Organizations receiving threats are strongly recommended to investigate their environments for threat actor activity.
## Attack Methodology
- **Initial Access:** Allegedly via compromise of Oracle E-Business Suite applications.
- **Persistence:** Not explicitly detailed, but implied ongoing access to maintain data staging/exfiltration.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Sending the initial extortion contact from hundreds of compromised email accounts, consistent with known FIN11 tactics.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Implied reconnaissance was necessary to identify and target Oracle E-Business Suite instances.
- **Lateral Movement:** Not explicitly detailed.
- **Collection:** Harvesting sensitive data specifically from Oracle E-Business Suite.
- **Exfiltration:** Implied transfer of collected data, leading to the extortion phase.
- **Impact:** Extortion demand based on the alleged theft of sensitive data.
## Impact Assessment
- **Financial:** Potential costs related to incident response, remediation, and potential ransom payment (if paid).
- **Data Breach:** Stolen data is implied to be "sensitive data" from Oracle E-Business Suite. Scope is unverified.
- **Operational:** Unknown operational impact unless the compromise is confirmed and requires system shutdowns.
- **Reputational:** Significant reputational risk due to association with the CLOP brand and data loss claims.
## Indicators of Compromise
- **Network indicators:** None provided (no specific IPs or domains are disclosed in the summary).
- **File indicators:** None provided.
- **Behavioral indicators:** Use of hundreds of **compromised email accounts** for mass outreach; contact addresses in the emails linked to the official CLOP data leak site (shown obfuscated in the source as `[email protected]`, `[email protected]`).
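The behavioral indicator above (one extortion template, naming Oracle E-Business Suite and data theft, arriving at executives from many distinct sender accounts) lends itself to a simple mail-gateway triage. The script below is an added example, not part of this report or of Mandiant's or Google's tooling. The message records, keyword lists, the `contact-placeholder@leaksite.invalid` watchlist entry (the real contact addresses are obfuscated in the source) and the distinct-sender threshold are all constructed assumptions.

```python
"""
Defender-side triage for a mass-extortion mailing: near-identical messages
that reference Oracle E-Business Suite and data theft, sent to executives
from many distinct (presumably compromised) sender accounts.

Everything here is constructed for the example: records, keyword lists,
the watchlist address and the sender threshold are assumptions, not
indicators taken from the report.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample records in the shape of a simplified mail-gateway export.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "alice@example-a.test", "to_role": "CFO",
     "subject": "Your data",
     "body": "We have stolen sensitive data from your Oracle E-Business Suite. "
             "Contact us before publication."},
    {"id": 2, "sender": "bob@example-b.test", "to_role": "CEO",
     "subject": "Urgent: your data",
     "body": "We have stolen sensitive data from your Oracle E-Business Suite.  "
             "Contact us before publication. contact-placeholder@leaksite.invalid"},
    {"id": 3, "sender": "carol@example-c.test", "to_role": "CIO",
     "subject": "your DATA",
     "body": "we have STOLEN sensitive data from your oracle e-business suite. "
             "contact us before publication."},
    {"id": 4, "sender": "vendor@partner.test", "to_role": "CFO",
     "subject": "Oracle E-Business Suite patch window",
     "body": "Reminder: EBS maintenance is scheduled for Friday night."},
    {"id": 5, "sender": "dave@example-d.test", "to_role": "CEO",
     "subject": "Invoice", "body": "Please find attached the invoice for September."},
]

EXTORTION_TERMS = ("stolen", "sensitive data", "publish", "publication", "leak")
TARGET_APP_TERMS = ("oracle e-business suite", "oracle ebs", "e-business suite")
# Placeholder only: the real contact addresses are obfuscated in the report.
CONTACT_WATCHLIST = {"contact-placeholder@leaksite.invalid"}
MIN_DISTINCT_SENDERS = 3  # assumed threshold for "mass outreach"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize(text: str) -> str:
    """Drop e-mail addresses, lower-case, and squash punctuation/whitespace so
    cosmetically varied copies of one template hash to the same key."""
    text = EMAIL_RE.sub(" ", text)
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def _has_term(text: str, terms) -> bool:
    # Whole-word matching on normalized text avoids substring false positives.
    return any(re.search(r"\b" + re.escape(normalize(t)) + r"\b", text) for t in terms)


def is_extortion_candidate(msg: dict) -> bool:
    """True when a message names the target application AND uses extortion language."""
    text = normalize(msg["subject"] + " " + msg["body"])
    return _has_term(text, TARGET_APP_TERMS) and _has_term(text, EXTORTION_TERMS)


def cluster_candidates(messages):
    """Group candidate messages by a hash of their normalized body."""
    clusters = defaultdict(lambda: {"ids": [], "senders": set(),
                                    "roles": set(), "watchlist_hit": False})
    for msg in messages:
        if not is_extortion_candidate(msg):
            continue
        key = hashlib.sha256(normalize(msg["body"]).encode()).hexdigest()[:16]
        c = clusters[key]
        c["ids"].append(msg["id"])
        c["senders"].add(msg["sender"])
        c["roles"].add(msg["to_role"])
        # A watchlisted contact address in the body raises confidence for the cluster.
        if CONTACT_WATCHLIST & set(EMAIL_RE.findall(msg["body"])):
            c["watchlist_hit"] = True
    return clusters


def triage(messages, min_senders=MIN_DISTINCT_SENDERS):
    """Alert on clusters whose identical text arrives from many distinct senders."""
    alerts = []
    for key, c in cluster_candidates(messages).items():
        if len(c["senders"]) >= min_senders:
            alerts.append({"cluster": key, "message_ids": sorted(c["ids"]),
                           "distinct_senders": len(c["senders"]),
                           "recipient_roles": sorted(c["roles"]),
                           "watchlist_hit": c["watchlist_hit"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES):
        print(alert)
```

On the constructed sample this yields one alert covering messages 1, 2 and 3 (three distinct senders, three executive roles, watchlist hit), while the legitimate EBS maintenance reminder and the unrelated invoice are left alone. Keying the cluster on the normalized body rather than the sender is the point: a campaign that rotates through hundreds of compromised accounts defeats sender-based blocking, but the shared template still surfaces.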
## Response Actions
- **Containment measures:** Not specified, but immediate advice is for organizations to investigate environments.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified.
## Lessons Learned
- **Key takeaways:** Threat actors, potentially FIN11-affiliated, are leveraging the CLOP brand name to maximize extortion pressure. High-volume campaigns that reuse established TTPs, such as sending from previously compromised email accounts, are ongoing.
- **What could have been done better:** Organizations need continuous monitoring of critical applications like Oracle E-Business Suite for signs of data staging or unusual connectivity, given the known targeting.
## Recommendations
- **Prevention measures for similar incidents:** Conduct immediate threat hunting, prioritizing systems that host or connect to Oracle E-Business Suite, for indicators of compromise or unauthorized data movement; investigate any external communications alleging data exposure.