TITLE: Oracle EBS Hackers Hit Dozens of Organizations Globally
Widespread Oracle E-Business Suite Cyberattack Uncovered
Security researchers from Google have revealed that a sophisticated cyberattack targeting Oracle E-Business Suite has potentially compromised dozens of organizations worldwide. The ongoing extortion campaign, which security experts have been closely monitoring, appears to have significant reach across multiple sectors and geographic regions.
Cl0p Ransomware Gang Claims Responsibility
The attack came to light when numerous executives at American organizations began receiving threatening emails allegedly from the Cl0p ransomware gang. These communications claimed the attackers had successfully stolen sensitive files from Oracle E-Business Suite systems and demanded payment in exchange for not publishing the stolen data. Initial speculation suggested the campaign might be a bluff, but Oracle’s subsequent release of a security patch addressing a zero-day vulnerability confirmed the seriousness of the threat.
Timeline and Impact of the Attacks
According to Google’s Threat Intelligence Group, the attacks likely began in the first half of August 2025, several weeks before Oracle made the security patch available. Evidence also indicates some initial compromise activity may have occurred as early as July. The researchers confirmed that in multiple instances, threat actors successfully exfiltrated substantial amounts of sensitive organizational data, though the exact number of affected organizations remains unclear.
Uncertain Attribution Points to Multiple Threat Actors
While the ransom notes clearly attribute the attacks to the Cl0p ransomware gang, security researchers have identified patterns suggesting involvement from FIN11, a separate financially motivated threat group. Google’s analysis notes that the methodology—exploiting a zero-day vulnerability in widely used enterprise software followed by large-scale extortion campaigns—matches historical activities typically associated with FIN11.
Security experts are considering several possibilities regarding the relationship between these threat groups. The campaign could represent collaboration between Cl0p and FIN11, with shared tactics and infrastructure. Alternatively, Cl0p might have rented infrastructure from FIN11, or simply been inspired by FIN11’s proven extortion methodologies. The uncertainty highlights the evolving nature of cybercriminal alliances and tactics in the current threat landscape.
Ongoing Investigation and Response
As the investigation continues, organizations using Oracle E-Business Suite are urged to implement the available security patches immediately and review their system access controls. The incident underscores the critical importance of maintaining robust cybersecurity measures and staying informed about emerging threats through reliable security monitoring sources.
