
Google: Clop Hackers Stole Major Data in Oracle Breach

Summary

– The Clop ransomware group began targeting Oracle E-Business Suite instances around August 9 and exfiltrated a significant amount of data.
– Extortion emails were sent to executives at multiple organizations starting September 29 by individuals claiming association with Clop.
– The campaign exploited the zero-day CVE-2025-61882 before patches were available, following months of intrusion activity.
– Google Threat Intelligence Group linked the campaign to Clop (also known as FIN11) based on shared indicators and analysis.
– The threat actor used contact addresses previously listed on Clop’s data leak site and provided legitimate file listings from victim environments as proof.

A significant data breach involving Oracle’s E-Business Suite has been attributed to the notorious Clop ransomware group, according to findings from Google’s Threat Intelligence Group and Mandiant. Investigators believe the attackers began compromising Oracle EBS systems around August 9, successfully extracting a substantial volume of corporate information. The incident highlights ongoing vulnerabilities in widely used enterprise software platforms.

Starting in late September, executives at multiple organizations began receiving extortion emails from individuals claiming affiliation with the Clop operation. These threatening communications demanded payment to prevent public release of stolen data. The extortion campaign appears to be the culmination of months of persistent intrusion activity by the same threat actors.

Security analysts identified that the attackers exploited a previously unknown vulnerability, CVE-2025-61882, before Oracle could develop and distribute protective patches. This zero-day exploitation allowed the hackers to gain unauthorized access to sensitive corporate environments during the critical window before security updates became available.

Google’s threat intelligence unit published analysis on October 9 detailing multiple connections to the Clop group, which security researchers also track as FIN11. The investigation revealed compelling evidence linking the extortion campaign to this specific cybercriminal organization.

The extortion emails directed recipients to contact support@pubstorm.com and support@pubstorm.net – addresses that have appeared on Clop’s official data leak site since at least May 2025. This overlap in communication channels provides strong confirmation of the group’s involvement in both the initial breach and subsequent extortion attempts.

To demonstrate their credibility and pressure victims into paying, the threat actors provided legitimate file listings from compromised EBS environments to several targeted organizations. These file inventories contained data dating back to mid-August 2025, confirming the attackers had accessed and exfiltrated sensitive business information over an extended period.

(Source: InfoSecurity Magazine)
