Full Report
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems [...]
Analysis Summary
# Incident Report: Clop Extortion Campaign Targeting Oracle E-Business Suite
## Executive Summary
In late September 2025, Mandiant and Google began tracking a large-scale extortion campaign where threat actors sent emails to executives claiming the theft of sensitive data from their organization's Oracle E-Business Suite platforms. While the tactics and email addresses suggest a link to the FIN11/Clop ransomware gang, the actual compromise and data exfiltration remain unsubstantiated by investigators at this early stage. Organizations are advised to urgently investigate their Oracle E-Business Suite environments for suspicious activity.
## Incident Details
- **Discovery Date:** On or before September 29, 2025
- **Incident Date:** Campaign initiated around late September 2025
- **Affected Organization:** Multiple companies targeted (unnamed)
- **Sector:** Various (Implied enterprise/corporate environments utilizing Oracle EBS)
- **Geography:** Global (Implied by nature of targeted groups)
## Timeline of Events
### Initial Access
- **Date/Time:** On or before September 29, 2025
- **Vector:** Claims of compromise within Oracle E-Business Suite systems.
- **Details:** Extortion emails were sent to company executives, asserting that data had been stolen from their EBS platforms. The initial vector for the claimed underlying breach is unconfirmed, though Clop frequently targets MFT/file transfer systems.
### Lateral Movement
- **Details:** No specific details available on lateral movement, as the claims are currently unsubstantiated and the full scope of the alleged initial compromise is unknown.
### Data Exfiltration/Impact
- **Details:** Claimed exfiltration of "sensitive data" from Oracle E-Business Suite systems. Impact is currently based solely on extortion threat; actual data loss is unconfirmed.
### Detection & Response
- **How it was discovered:** Mandiant and the Google Threat Intelligence Group (GTIG) identified the high-volume email campaign, which was sent from hundreds of compromised sender accounts.
- **Response actions taken:** Mandiant and GTIG initiated multiple investigations and analysis of the email accounts and claims.
## Attack Methodology
- **Initial Access:** Unknown/Unconfirmed. Likely involves exploitation of software vulnerabilities, consistent with Clop's historical focus on MFT platforms (though Oracle EBS specific vector is not confirmed).
- **Persistence:** Not detailed, but implied if an initial breach occurred.
- **Privilege Escalation:** Tactics unknown.
- **Defense Evasion:** Tactics unknown.
- **Credential Access:** Tactics unknown.
- **Discovery:** Tactics unknown.
- **Lateral Movement:** Tactics unknown.
- **Collection:** Claimed collection from Oracle E-Business Suite systems.
- **Exfiltration:** Claimed large-scale data theft used for leverage.
- **Impact:** Extortion attempt based on the possession of stolen corporate data.
## Impact Assessment
- **Financial:** Unknown at this time, pending confirmation of successful theft and ransom demands.
- **Data Breach:** Sensitive data allegedly stolen from Oracle E-Business Suite. Scope and volume unconfirmed.
- **Operational:** Potential disruption from the extensive internal investigations organizations will need to run, and, should the threat actor move beyond the claimed pure extortion, from any destructive activity.
- **Reputational:** Potential reputational damage arising from the extortion attempts directed at executives.
## Indicators of Compromise
- **Network indicators:** Emails originating from hundreds of previously compromised accounts.
- **File indicators:** None provided.
- **Behavioral indicators:** High-volume email campaign strongly associated with known Clop/FIN11 infrastructure/contact methods.
## Response Actions
- **Containment measures:** Organizations receiving emails are recommended to immediately investigate their Oracle E-Business Suite environments for unusual access or compromise.
- **Eradication steps:** Not yet applicable as compromise is unconfirmed.
- **Recovery actions:** Not yet applicable.
## Lessons Learned
- **Key takeaways:** The threat actor (potentially Clop/FIN11) has shifted focus or is concurrently targeting Oracle E-Business Suite platforms following previous successes against MFT solutions.
- **What could have been done better:** Organizations using Oracle EBS must ensure these platforms are rigorously patched and monitored, especially given the history of Clop exploiting zero-days in business-critical software.
## Recommendations
- Organizations must immediately audit access logs, configuration, and connectivity related to their Oracle E-Business Suite deployments.
- Verify that all relevant third-party software integrated with EBS is patched against known vulnerabilities, particularly zero-days used by similar groups (as historically seen with Accellion, Serv-U, GoAnywhere, and MOVEit).
- Implement robust network monitoring to detect unusual outbound data transfers from critical business application servers.