Oracle Cyber Attack Hits 100 Firms as Clop Group Launches Major Extortion Campaign


More than one hundred companies are reeling from a large-scale cyber attack targeting Oracle’s business product suite, with details emerging that shed light on the increasing sophistication of this new breed of hackers. Google’s Threat Intelligence Group has revealed that the Russian-speaking Clop group of cybercriminals, widely active since 2020, is believed to be behind the hack, although the identity of the perpetrators is still under investigation. Intelligence from CrowdStrike points to involvement from the Graceful Spider group, which has previously employed Clop’s ransomware tools.

The cyber attack began to unfold on 29 September, when executives across affected organisations received menacing emails sent from compromised third-party accounts. The messages warned of stolen files from Oracle E-Business Suite systems and threatened public release or sale of sensitive company information. Victims were pressed to negotiate with the hackers in order to ‘save’ their data, with ransom notes brazenly stating that the group has neither political motives nor an interest in business disruption, yet expects payment for the ‘service’ of keeping the stolen data private.

In their communication, the hackers claimed, ‘We have recently breached your Oracle E-Business Suite application and copied a lot of documents… You can always save your data for payment’. The attackers issued a thinly veiled threat, cautioning companies not to ‘reach point of no return’. References were made to previous high-profile attacks including the 2023 Capita breach in which personal information was stolen, impacting government service providers and local authority contact centres.

Oracle has acted swiftly, urging users to ensure installation of the latest patches and releasing an emergency fix as of 4 October. Google’s analysis reveals that suspicious activity was first observed as early as July and suggests the breach may have begun on 9 August, with attackers exploiting a so-called zero-day vulnerability in Oracle’s core product suite.

Clop’s latest remarks, delivered via BleepingComputer, further taunted Oracle by attributing the breach to fundamental flaws in the technology provider’s core systems. The cybercriminals maintained that they cause no direct damage and simply ‘expect payment for services’ provided in what is effectively a global extortion campaign targeting major enterprises worldwide.

The incident highlights once again the vulnerability of large organisations to well-coordinated and persistent cyber threats. Businesses are urged to review security protocols, stay vigilant for unusual activity and implement immediate updates to all enterprise-critical software as this story develops.

Post Disclaimer

The following content has been published by Stockmark.IT. All information utilised in the creation of this communication has been gathered from publicly available sources that we consider reliable. Nevertheless, we cannot guarantee the accuracy or completeness of this communication.

This communication is intended solely for informational purposes and should not be construed as an offer, recommendation, solicitation, inducement, or invitation by or on behalf of the Company or any affiliates to engage in any investment activities. The opinions and views expressed by the authors are their own and do not necessarily reflect those of the Company, its affiliates, or any other third party.

The services and products mentioned in this communication may not be suitable for all recipients. By continuing to read this website and its content, you agree to the terms of this disclaimer.
