Full Report
Red Hat Consulting breach puts over 5000 high profile enterprise customers at risk — in detail

Last week, a little known extortion group called Crimson Collective caught my attention. At the time they only had 22 followers on Telegram.

Red Hat confirmed the breach later that day, and started notifying impacted customers. Red Hat Consulting are consultants who come in to large enterprises to deal with complex technology problems. It is pretty clear their documentation and source code around customers has been stolen.

Brian Krebs noticed something interesting:

Namely, Miku is allegedly a Telegram username for Thalha Jubair, a UK teenager of LAPSUS$ fame. Thalha is supposed to be remanded in custody pending trial, after the NCA accused him of being a member of Scattered Spider: https://www.nationalcrimeagency.gov.uk/news/two-charged-for-tfl-cyber-attack

Notable also is that Crimson Collective’s first listed victim is the telco Claro — the first victim of LAPSUS$ back in 2021. Additionally, with the Red Hat Collective hack they highlight Vodafone in screenshots — who were also a target of LAPSUS$ back in 2022.

Fast forward to the weekend, where Scattered LAPSUS$ Hunters posted an entry for Red Hat on their newly formed portal:

The portal has all the hallmarks of LAPSUS$ activity, for example typo’ing words which have been typo’d before, casual racism in the HTML comments, jokes, and... Pokemon tunes.

The Red Hat compromise date is listed as 13th September 2025, before Thalha was charged with the Transport for London hack.

The data is legitimate. They posted a file tree as proof, running to 370,852 directories and 3,438,976 files.

They also posted sample CERs — Consultancy Engagement Reports — for 7 organisations: AIR, AMEX_GBT, Atos_Group (NHS Scotland), BOC, HSBC and Walmart.

Earlier today, they posted another 2.2GB of sample data for Red Hat — a ZIP file containing the longest file tree I’ve ever seen. It shows just over 32 million files have been stolen.

The file tree suggests over 5000 enterprise orgs are impacted, and includes a mix of Consultancy Engagement Reports, source code and other bits and bobs around said customers.

Some of the data is obviously sensitive, for example .pfx files (private certificates, which should never be made public) — in this case for ING Bank and Delta Airlines:

My feeling — Red Hat should not pay the extortion as it encourages more of these kinds of attacks, and somebody probably wants to check Thalha doesn’t have an Amazon Fire Stick if he’s still in custody.

Impacted organisations should reach out to Red Hat Consulting support and obtain the stolen files, then take remediation activity, e.g. changing certificates, stored credentials etc., and plan from the assumption that all the files will be made public in the future, as it’s pretty clear they’ve been traded around online already.

You can follow me on Mastodon for updates on this subject if you want.

Red Hat Consulting breach puts over 5000 high profile enterprise customers at risk — in detail was originally published in DoublePulsar on Medium.
Analysis Summary
# Incident Report: Red Hat Consulting Customer Data Extortion
## Executive Summary
Red Hat Consulting experienced a data breach resulting in the exfiltration of documentation and source code belonging to over 5,000 enterprise customers. The extortion was claimed by a little-known group, Crimson Collective, whose alleged association links back to individuals tied to the LAPSUS$ group. The stolen data includes sensitive materials like Consultancy Engagement Reports (CERs) and private certificates, requiring immediate remediation actions by impacted organizations.
## Incident Details
- Discovery Date: "Last week" (relative to the article's Oct 6, 2025 publication date, suggesting around late Sep/early Oct 2025)
- Incident Date: Confirmed compromise date listed by attackers is **September 13th, 2025**.
- Affected Organization: Red Hat Consulting
- Sector: IT Consulting / Technology Services
- Geography: Global (serving high-profile enterprise customers worldwide)
## Timeline of Events
### Initial Access
- Date/Time: On or before **September 13th, 2025** (compromise date listed by attackers).
- Vector: Not explicitly stated, but likely related to the compromised environment of Red Hat Consulting.
- Details: Attackers gained access to Red Hat Consulting systems containing customer data.
### Lateral Movement
- *Information not explicitly detailed in the provided text.*
### Data Exfiltration/Impact
- Date/Time: Post-September 13th, 2025.
- Details: Attackers exfiltrated a significant volume of data, eventually evidenced by posts showing over **32 million files** spanning 370,852 directories. This included Consultancy Engagement Reports (CERs) for major organizations (AIR, AMEX\_GBT, Atos\_Group (NHS Scotland), BOC, HSBC, Walmart) and sensitive files like **.pfx private certificates** for ING Bank and Delta Airlines.
### Detection & Response
- Date/Time: "Last week" (Discovery/Public Acknowledgment).
- Details: Red Hat confirmed the breach "later that day" after the extortion group first gained attention and began notifying impacted customers.
## Attack Methodology
- Initial Access: Unknown, but implied access allowing large-scale data theft from consulting assets.
- Persistence: *Information not explicitly detailed.*
- Privilege Escalation: *Information not explicitly detailed, but necessary to access diverse customer data.*
- Defense Evasion: *Information not explicitly detailed.*
- Credential Access: *Information not explicitly detailed, but likely involved credential theft to access sensitive systems/storage.*
- Discovery: Attackers likely mapped the environment to identify valuable customer data structures (CERs, source code).
- Lateral Movement: *Information not explicitly detailed.*
- Collection: Gathering customer-specific documents, source code, and configuration files, including private certificates.
- Exfiltration: Data was leaked in stages, initially showing proof of life (file tree, 7 CER samples) and later substantial ZIP files (2.2GB sample).
- Impact: Extortion attempt by "Crimson Collective" linked to LAPSUS$/Scattered Spider actors.
## Impact Assessment
- Financial: Not quantified (the article's author advises Red Hat against paying the extortion).
- Data Breach: Massive. Over **5,000 enterprise customers** exposed. Data includes source code, Consultancy Engagement Reports (CERs), and sensitive assets such as **private PFX certificates** belonging to clients like ING Bank and Delta Airlines.
- Operational: Potential operational disruption for impacted clients who must now assume their consultation details and code are public.
- Reputational: Significant reputational damage to Red Hat Consulting due to the scope and sensitivity of the compromised customer data.
## Indicators of Compromise
- Network indicators: N/A (No specific IPs or domains provided beyond the threat actors' Telegram presence).
- File indicators: Specific samples mentioned include CER files for 7 named organizations and a 2.2GB ZIP sample whose file tree lists over 32 million stolen files. Presence of **.pfx files** for ING Bank and Delta Airlines.
- Behavioral indicators: Extortion posts on Telegram by "Crimson Collective"; subsequent posting of data on a "Scattered LAPSUS$ Hunters" portal exhibiting LAPSUS$-like characteristics (typos, specific cultural references).
## Response Actions
- Red Hat Confirmation: Red Hat confirmed the breach on the day the threat actor gained attention.
- Customer Notification: Red Hat started notifying impacted customers.
- Recommended Remediation (by analyst): Impacted organizations should contact Red Hat Consulting support to obtain stolen files, perform immediate remediation (e.g., changing certificates, stored credentials), and plan for all data being made public.
## Lessons Learned
- Supply Chain Risk: The incident highlights the significant security risk inherited when third-party consultants (like Red Hat Consulting) hold vast amounts of sensitive client data outside the primary organizational perimeter.
- Insider/Affiliated Threat: The rapid surfacing of links to known threat actors (Thalha Jubair/LAPSUS$) suggests a potential connection to established hacking groups, even if operating under a new banner ("Crimson Collective").
- Sensitive Data Management: Critical assets like private certificates (.pfx files) were present in the data repository accessible via the consulting engagement material, indicating insufficient segmentation or access control for highly sensitive client secrets.
## Recommendations
- Immediate Remediation: All 5000+ impacted customers must urgently revoke and reissue any credentials, certificates (especially PFX files), and sensitive API keys referenced in engagement reports or source code obtained from Red Hat Consulting.
- Data Governance Review: Red Hat Consulting must immediately audit what level of client proprietary data and secrets are stored on consulting platforms, especially customer-facing engagement reports.
- Zero Trust for Vendors: Implement stricter Zero Trust principles for third-party consultants, ensuring least privilege access necessary only for the scope of their current work, minimizing the "blast radius" if their access is compromised.
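As an added example (not part of the original article, and not Red Hat's or any customer's tooling), the script below performs the kind of triage an impacted organisation would want once it has obtained its share of the stolen files, as the article's remediation advice and the "Immediate Remediation" recommendation above describe: it parses a file-tree listing of the sort the attackers published, counts directories and files, groups files by customer directory, and flags file types that imply secret material (PKCS#12 `.pfx`/`.p12` bundles, raw keys, credential files) together with the remediation each implies. The listing, the customer directory names, and the extension table are constructed placeholders, not paths or names from the leak.

```python
"""Triage a file-tree listing for secret-bearing files (added example).

Input format assumed here: one path per line, POSIX separators, a trailing
'/' marking a directory, customer material under a single root directory.
All sample data below is constructed.
"""
from collections import Counter, defaultdict
import posixpath

# Extensions that imply private key or credential material, with the
# remediation a defender should schedule for each. Placeholder table.
SENSITIVE_EXTENSIONS = {
    ".pfx": "PKCS#12 bundle (private key + certificate): revoke and reissue",
    ".p12": "PKCS#12 bundle (private key + certificate): revoke and reissue",
    ".jks": "Java keystore: rotate every key it holds",
    ".key": "raw private key: rotate",
    ".pem": "PEM file, may hold a private key: inspect and rotate if so",
    ".kdbx": "password database: rotate everything it holds",
}
# Dotfiles have no extension for splitext(), so match them by basename.
SENSITIVE_BASENAMES = {".env", "id_rsa", "id_ed25519", "kubeconfig", ".htpasswd"}

# Constructed listing; the customer names are placeholders.
SAMPLE_LISTING = """\
customers/
customers/ExampleBank/
customers/ExampleBank/CER_2025-03.docx
customers/ExampleBank/certs/
customers/ExampleBank/certs/prod-api.pfx
customers/ExampleAirline/
customers/ExampleAirline/src/
customers/ExampleAirline/src/deploy.sh
customers/ExampleAirline/src/.env
customers/ExampleAirline/ops/
customers/ExampleAirline/ops/id_rsa
customers/ExampleRetail/
customers/ExampleRetail/CER_2024-11.docx
"""


def parse_listing(text):
    """Return (path, is_dir) tuples; a trailing '/' marks a directory."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entries.append((line.rstrip("/"), line.endswith("/")))
    return entries


def count_entries(entries):
    """Directory and file counts, the two headline numbers of a leak listing."""
    dirs = sum(1 for _, is_dir in entries if is_dir)
    return dirs, len(entries) - dirs


def customer_of(path, root="customers"):
    """Customer directory name directly under the root, or None."""
    parts = path.split("/")
    if len(parts) >= 2 and parts[0] == root:
        return parts[1]
    return None


def classify(path):
    """Remediation note if the file implies secret material, else None."""
    base = posixpath.basename(path)
    if base in SENSITIVE_BASENAMES:
        return f"{base}: credential material: rotate"
    ext = posixpath.splitext(base)[1].lower()
    return SENSITIVE_EXTENSIONS.get(ext)


def triage(text, root="customers"):
    """Counts, per-customer file totals, and flagged files per customer."""
    entries = parse_listing(text)
    dirs, files = count_entries(entries)
    per_customer = Counter()
    findings = defaultdict(list)
    for path, is_dir in entries:
        if is_dir:
            continue
        customer = customer_of(path, root)
        if customer is None:
            continue
        per_customer[customer] += 1
        reason = classify(path)
        if reason:
            findings[customer].append((path, reason))
    return {
        "dirs": dirs,
        "files": files,
        "per_customer": dict(per_customer),
        "findings": dict(findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{result['dirs']} directories, {result['files']} files")
    for customer, total in sorted(result["per_customer"].items()):
        print(f"{customer}: {total} file(s)")
        for path, reason in result["findings"].get(customer, []):
            print(f"  FLAG {path} -> {reason}")
```

Run it against a real listing by replacing `SAMPLE_LISTING` with the file's contents; the flagged paths are the list to hand to whoever owns each certificate or credential, and the per-customer totals give each organisation a first measure of how much of its engagement material is in the set. Matching on extension and basename is deliberately cheap so it scales to a listing of tens of millions of lines; it finds only files that announce themselves, so source code and reports still need a content scan for embedded secrets.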