Cybercriminal group extorts executives after claiming Oracle apps breach

They claim to be affiliated with a criminal outfit called Cl0p, which began sending extortion emails on or before Sept. 29, according to the head of cybercrime at Google Threat Intelligence Group.

Bloomberg
Last Updated: Oct 02 2025 | 8:16 AM IST
By Patrick Howell O'Neill and Margi Murphy
 
Executives at large organizations are being extorted by a notorious ransomware group, which claims to have stolen data from them via Oracle Corp.’s popular E-Business Suite applications, according to a Google cybersecurity executive and three others familiar with the matter. 
The group, claiming to be affiliated with a criminal outfit called Cl0p, began sending extortion emails on or before Sept. 29, according to Genevieve Stark, head of cybercrime at Google Threat Intelligence Group. The emails were sent from hundreds of compromised third-party accounts and claim the theft of data, she said.
 
The Oracle product runs core business operations including financial, supply chain and customer relationship management.
 
The extortion emails include sloppy English and grammar, according to one of the people, but are considered characteristic of the group. At least one of the email addresses used on the extortion notes was previously used by an affiliate of Cl0p, and the messages contain contact details that are listed on Cl0p’s own website, Stark said.
 
Alphabet Inc’s Google doesn’t yet have sufficient evidence to verify the claims made in the extortion demands, she said. The other people familiar with the matter, who asked not to be named discussing private information, didn’t disclose the targets of the extortion letters or whether any of the victims had paid a ransom.
 
An Oracle spokesperson didn’t respond to a request for comment.
 
Cl0p is known for targeting large companies with sophisticated malware to lock files and make ransom demands for their deletion. In 2023, Cl0p was accused of exploiting weaknesses in MOVEit, a file-transfer product used by companies and organizations to transmit sensitive data, and it claimed to have obtained data from hundreds of organizations.
 
Shell Plc, IAG SA’s British Airways and the British Broadcasting Corp. were among the victims of that earlier attack. 
 
In June 2023, the US Cybersecurity and Infrastructure Security Agency issued an advisory about Cl0p, stating it was “one of the largest phishing and malspam distributors worldwide,” estimating it to have compromised more than 3,000 organizations in the US and 8,000 globally.
First Published: Oct 02 2025 | 8:16 AM IST
