Security researchers from Mandiant and Google are investigating a new extortion campaign targeting corporate executives with claims that hackers stole data from Oracle’s E-Business Suite systems.
According to BleepingComputer, the campaign began in late September and involves emails sent from hundreds of compromised accounts. The messages threaten executives with the release of sensitive data allegedly stolen from Oracle systems unless ransom demands are met.
Charles Carmakal, CTO of Mandiant – Google Cloud, said at least one email account used in the campaign had ties to FIN11, a financially motivated group known for ransomware and extortion schemes. The extortion emails also contained contact details linked to the Clop ransomware gang, raising suspicions of their involvement.
Google Threat Intelligence Group (GTIG) noted that the claims remain unverified. “Investigations are still in the early stages, and the claims made by the group behind the campaign have not yet been substantiated,” said Genevieve Stark, head of cybercrime intelligence at GTIG.
Following initial reports, individuals claiming to represent Clop contacted BleepingComputer directly, asserting responsibility for the campaign and alleging that they exploited a flaw in Oracle’s software. “Soon all will become obvious that Oracle bugged up their core product and once again, the task is on Clop to save the day,” the group claimed. They offered no proof, only insisting that they “do not damage systems” but expect “payment for services” to protect affected companies.
The U.S. State Department is offering a $10 million reward for information linking Clop’s ransomware activities to foreign governments, underscoring the threat level.
At this stage, there is no confirmed evidence that Oracle systems were actually breached, and researchers continue to investigate the extent of the campaign.