An extortion group calling itself the Crimson Collective claims to have breached Red Hat's private GitLab repositories, stealing nearly 570GB of compressed data across 28,000 internal projects. [...]
Analysis Summary
# Incident Report: Red Hat GitLab Repository Breach by Crimson Collective
## Executive Summary
Red Hat confirmed a security incident affecting its consulting business, following claims by the extortion group 'Crimson Collective' that it had breached a private GitLab instance. The attackers claim to have stolen approximately 570GB of compressed data, including 28,000 internal projects and sensitive Customer Engagement Reports (CERs) that potentially expose customer network details and authentication tokens. Red Hat says it has initiated the necessary remediation steps and maintains that the integrity of its core products and software supply chain is unaffected.
## Incident Details
- Discovery Date: Approximately two weeks after the intrusion occurred, as claimed by the attackers.
- Incident Date: Occurred approximately two weeks prior to October 2, 2025.
- Affected Organization: Red Hat (specifically concerning their consulting business GitLab instance).
- Sector: Technology/Software Services.
- Geography: Not specified, but the affected assets are internal to Red Hat.
## Timeline of Events
### Initial Access
- Date/Time: Approximately two weeks prior to October 2, 2025.
- Vector: Implied compromise of authentication credentials or access within the private GitLab environment.
- Details: Attackers claim they found authentication tokens, full database URIs, and other private information within Red Hat code and CERs.
### Lateral Movement
- Details: Unknown, but the attackers allegedly used stolen credentials and configuration data from CERs in an attempt to reach *downstream customer infrastructure*.
### Data Exfiltration/Impact
- Details: Theft of nearly 570GB of compressed data across 28,000 internal projects. Allegedly includes approximately 800 Customer Engagement Reports (CERs) containing infrastructure details, configuration data, and authentication tokens for Red Hat customers.
### Detection & Response
- Detection: Attackers announced the breach and published data listings on Telegram, prompting external scrutiny. Red Hat confirmed awareness of reports regarding an incident related to their consulting business.
- Response Actions: Red Hat initiated "necessary remediation steps." The attackers attempted extortion, receiving a templated reply instructing them to submit a vulnerability report, which was then routed among security and legal staff.
## Attack Methodology
- Initial Access: Exploitation of hardcoded configuration data (authentication tokens, database URIs) found within code repositories or CERs on the GitLab instance.
- Persistence: Not explicitly mentioned, but presumed, since the attackers held access long enough to exfiltrate 570GB of data.
- Privilege Escalation: Not explicitly mentioned, though access to private GitLab repositories and internal data suggests elevated access was achieved.
- Defense Evasion: Not detailed.
- Credential Access: Theft of authentication tokens and highly sensitive configuration data (from CERs).
- Discovery: Attackers analyzed exfiltrated data (code/CERs) to identify valuable intellectual property and customer secrets.
- Lateral Movement: Allegedly used harvested tokens/data to attempt access to downstream customer infrastructure.
- Collection: Gathering of 28,000 internal projects and 800 Customer Engagement Reports (CERs).
- Exfiltration: Theft of approximately 570GB of compressed data.
- Impact: Potential compromise of customer environments due to leaked infrastructure details and tokens found in CERs.
## Impact Assessment
- Financial: Not disclosed, but likely significant due to remediation and potential customer notification costs.
- Data Breach: Approximately 570GB of internal data and 800 Customer Engagement Reports (CERs) containing infrastructure specifics and potentially customer authentication tokens.
- Operational: Red Hat stated no reason to believe the issue impacts core software services or products, suggesting core operations were maintained.
- Reputational: High, due to the breach involving sensitive customer consulting documents from major organizations (e.g., Bank of America, Walmart, US Navy).
## Indicators of Compromise
*NOTE: Indicators are derived from attacker claims and would require confirmation by Red Hat during investigation.*
- Network indicators: Full database URIs (defanged).
- File indicators: Customer Engagement Reports (CERs) archived from 2020-2025; GitLab repository directory listings.
- Behavioral indicators: Successful exfiltration exceeding 500GB from an internal GitLab server; extortion attempt via Telegram post.
## Response Actions
- Containment: Initiation of necessary remediation steps following confirmation of the incident affecting the consulting business.
- Eradication: Implied rotation or invalidation of compromised authentication tokens and database access credentials.
- Recovery: Restoring affected systems and assuring the integrity of Red Hat services and supply chain (which the company claims confidence in).
## Lessons Learned
- Git repository security hardening is critical, especially when containing sensitive operational documentation like CERs.
- Permitting hardcoded authentication tokens or sensitive configuration data to live in code bases, and relying on repository access controls alone to protect them, significantly increases breach risk.
- Incident response must rapidly assess the implication of compromised data on third-party/customer environments, not just internal systems.
## Recommendations
- Immediately audit all source code repositories (GitLab/GitHub) for hardcoded secrets, tokens, and infrastructure URIs using automated secret scanning tools.
- Review the data classification and handling procedures for Customer Engagement Reports (CERs) to ensure they are not stored where general development access is present.
- Enhance access controls and segmentation around consulting-specific development environments, isolating them from core product infrastructure.
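As an added example (not code from Red Hat or from the reporting, and not a substitute for a production secret-scanning tool), the following Python scanner runs over constructed sample lines standing in for repository files or a CER, flags database URIs that carry embedded credentials and hardcoded token assignments, and reports each finding defanged and masked so the scan output does not become another copy of the secret. All hosts, users, passwords and tokens in the sample are made up.

```python
import re
from typing import Dict, List

# Constructed sample lines standing in for files pulled from a repository
# or a Customer Engagement Report; every value below is made up.
SAMPLE_LINES = [
    'DATABASE_URL = "postgresql://svc_report:Pa55w0rd@db.corp.example:5432/cer"',
    'redis_url: redis://cache.example.net:6379/0',
    'GITLAB_TOKEN = "glpat-AbCdEfGhIjKlMnOpQrSt"',
    'export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    'api_base = "https://api.example.com/v1"',
    '# database password lives in the vault, not in this file',
]

# A URI whose userinfo carries a password: scheme://user:pass@host...
URI_WITH_CREDS = re.compile(
    r'\b([a-z][a-z0-9+.-]*://)([^\s:@/"\']+):([^\s@"\']+)@([^\s"\']+)')
# Key/value assignments whose name suggests a credential and whose value
# is long enough to plausibly be one.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b([a-z0-9_]*(?:token|secret|password|api_key|access_key)[a-z0-9_]*)'
    r'\s*[=:]\s*["\']?([^\s"\']{8,})')


def defang_uri(m: re.Match) -> str:
    """Keep scheme, user and host for triage; drop the password and break
    the scheme so the value cannot be pasted straight into a client."""
    scheme, user, _password, host = m.groups()
    return f"{scheme.replace('://', '[:]//')}{user}:****@{host}"


def mask_token(value: str) -> str:
    """Keep only a short prefix (often the token type) so the finding can be
    matched to the real credential for rotation without echoing it."""
    return value[:5] + "..."


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per hit, carrying only the defanged or masked value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        m = URI_WITH_CREDS.search(line)
        if m:
            findings.append({"line": lineno, "kind": "uri_with_credentials",
                             "value": defang_uri(m)})
            continue  # do not report the same password a second time
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append({"line": lineno, "kind": "hardcoded_secret",
                             "name": m.group(1), "value": mask_token(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f)
```

Each finding is something to rotate and then remove from the repository; the masked output is safe to paste into a ticket.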