Red Hat Breach Worsens as ShinyHunters Demands Ransom

Summary
– Red Hat is being extorted by the ShinyHunters gang, which leaked samples of stolen customer engagement reports containing sensitive client data.
– The breach involved nearly 570GB of compressed data from Red Hat’s internal development repositories, including around 800 Customer Engagement Reports (CERs), and was initially claimed by the Crimson Collective hacking group.
– ShinyHunters operates as an extortion-as-a-service, partnering with other threat actors to extort companies and taking a share of any ransom payments, typically 25-30%.
– The group has set an October 10th deadline for Red Hat to negotiate a ransom, threatening to publicly leak the stolen data if their demands are not met.
– ShinyHunters is also extorting S&P Global on behalf of another threat actor, releasing data samples and setting the same October 10th deadline despite the company previously denying a breach.
The cybersecurity incident at Red Hat has escalated significantly, with the notorious ShinyHunters group now publicly demanding a ransom. This development follows an initial breach disclosure last week by a hacking collective calling itself Crimson Collective, which claimed to have accessed nearly 570GB of compressed data from 28,000 internal development repositories. Among the compromised files are roughly 800 Customer Engagement Reports (CERs), documents that often contain highly sensitive details about client networks, infrastructure, and platform configurations.
After Crimson Collective’s alleged extortion attempts went unanswered by Red Hat, the software company confirmed to media outlets that a GitLab instance used exclusively by Red Hat Consulting had been breached. The situation intensified when Crimson Collective announced a partnership with another threat group, Scattered Lapsus$ Hunters, to leverage the newly established ShinyHunters data leak platform. A post on their Telegram channel invoked alliances such as NATO, framing the collaboration as an effort to “ruin corporations.”
In a coordinated move, a dedicated entry for Red Hat appeared on the ShinyHunters leak site, accompanied by a sample of the stolen CERs. The leaked documents reportedly include files associated with major organizations such as Walmart, HSBC, Bank of Canada, Atos Group, American Express, the Department of Defence, and Société Française du Radiotéléphone. The hackers have issued an ultimatum, threatening to publicly release the entire dataset on October 10th if their ransom demands are not met.
Behind these public threats lies a broader criminal enterprise. Security researchers have long suspected that ShinyHunters operates an Extortion-as-a-Service (EaaS) model, functioning similarly to Ransomware-as-a-Service gangs. In this arrangement, ShinyHunters acts as a broker for other cybercriminals, managing extortion campaigns in exchange for a percentage of any paid ransoms. This theory is supported by their involvement in multiple high-profile incidents, including attacks on Oracle Cloud and PowerSchool, where they claimed not to be the original hackers but rather facilitators.
A representative from ShinyHunters confirmed this business model privately, stating that they typically receive a 25–30% share of extortion payments, while their partners take the remaining 70–75%. The public launch of their data leak site marks a new phase in their operations, formalizing their EaaS offering. Despite law enforcement actions leading to several arrests linked to the ShinyHunters name in connection with the Snowflake data theft, PowerSchool breaches, and the Breached v2 forum, new extortion attempts continue to emerge under their banner.
In a parallel case, ShinyHunters is also extorting S&P Global on behalf of a separate threat actor who allegedly breached the company. Although S&P Global previously denied these breach claims, the hackers have now published sample data on the leak site and set the same October 10th deadline. When approached for comment, S&P Global maintained its policy of not discussing such allegations publicly, while noting its obligation as a U.S.-listed company to disclose any material cybersecurity incidents. Red Hat has not issued any public statement following the latest extortion threats from ShinyHunters.
(Source: Bleeping Computer)