Intel Bulletin: Clop Breach and Red Hat Incident
Blackpoint’s Adversary Pursuit Group (APG) is currently tracking two emerging stories:
- A threat group, “Crimson Collective”, has claimed to have breached Red Hat’s private GitHub repositories, exposing sensitive data belonging to several large and well-known organizations.
- Multiple organizations have received emails, purportedly from the Clop extortion group, claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
Red Hat: Campaign Overview
A threat group calling itself the Crimson Collective has exfiltrated data from Red Hat, including sensitive information about customer environments, such as authentication tokens. The threat actor claims to have exfiltrated around 570 GB of data. Early reporting names numerous well-known organizations in both the public and private sectors as impacted by the breach. Affected industry verticals include telecommunications, financial services, information technology, and retail, among others.
Red Hat: Scope and Targeting
Red Hat’s private GitHub account was breached, resulting in the exfiltration of 570 GB of data from over 28,000 projects, including around 800 Customer Engagement Reports (CERs). These CERs can contain sensitive information about the customer environment they describe, including authentication tokens, full database URIs, network configuration data, VPN configurations, CI/CD secrets, API details, and other sensitive or otherwise private information that could enable threat actor access to the impacted environment.
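Because the immediate risk from a leaked engagement report is the credentials embedded in it, the first defensive step is to find and rotate them. The scanner below is an added example written for this bulletin; it is not Blackpoint’s, Red Hat’s or any project’s code. The regular expressions, the entropy floor, the `find_secrets` / `redact` helper names and the sample report are all constructed for illustration (the AKIA value is AWS’s published documentation example key), and the patterns should be tuned to the secret formats used in your own environment.

```python
"""Scan an exported report or repository export for embedded credentials.

Added example for this bulletin; it is not Blackpoint's, Red Hat's or any
project's code. The detection patterns, the entropy floor and the sample
report below are constructed for illustration and should be tuned before use.
"""
import math
import re
from collections import Counter

# Each pattern names the kind of secret it flags. A database URI carrying a
# password, an AWS access key id and a private-key header are high confidence;
# generic "token=" / "password=" assignments are confirmed with an entropy check
# so template placeholders do not drown real findings.
PATTERNS = {
    "db_uri_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:([^\s@]+)@\S+"
    ),
    "generic_token": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret|password|passwd)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{16,})"
    ),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ENTROPY_FLOOR = 3.5  # bits per character; random tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only enough of the value to locate it in the source, never the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def find_secrets(text: str) -> list[dict]:
    """Return one finding per matched secret: kind, 1-based line number, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "generic_token" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue  # low-entropy filler such as "xxxxxxxx..." or a template placeholder
                findings.append({"kind": kind, "line": line_no, "value": redact(value)})
    return findings


# Constructed sample modelled on the kinds of content the bulletin describes;
# every value here is made up (the AKIA key is AWS's published documentation example).
SAMPLE_CER = """\
# Customer Engagement Report (constructed sample, not a real report)
Environment: prod-eu-1
DB connection: postgresql://app_user:Zq8fH2kLm9Vt@db.internal.example:5432/crm
CI deploy token: Qw8zL2pX9mK4nR7vT3yB
api_key = xxxxxxxxxxxxxxxxxxxxxxxx
S3 access: AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CER):
        print(f"line {f['line']:>3}  {f['kind']:<22}  {f['value']}")
```

The output lists only the kind, line number and a redacted fragment, so the scan report itself can be shared with the team that rotates the credentials without becoming a second copy of the secrets. Treat every hit as something to rotate rather than something to verify first; a token that reached a third party is compromised whether or not it still works.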

Some of the named organizations include Bank of America, T-Mobile, AT&T, Kaiser, Mayo Clinic, Walmart, Costco, The US Navy’s Naval Surface Warfare Center, the FAA, the NSA, the US House of Representatives and Senate, ADP, Ally, Cisco, and Deloitte, among many others.
Red Hat: Is there attribution or known malware?
The threat actor claiming responsibility is known as the Crimson Collective, which is believed to have defaced Nintendo’s website last week.
This activity follows several supply chain compromises that originated from commonly used development packages or compromised GitHub accounts, including the Shai-Hulud npm package compromise and the Salesloft data breach, which originated from a compromised GitHub account.
This highlights a rise in supply chain attacks that originate from compromised developer accounts and aim to push malicious code into known, trusted packages and software.
Clop: Campaign Overview
Security researchers with Google Mandiant and Google Threat Intelligence Group (GTIG) have reportedly disclosed that they are tracking new activity that may be linked to the Clop extortion group. The activity has involved various organizations receiving extortion emails in which the threat actor claims to have stolen sensitive data from their Oracle E-Business Suite, a widely used enterprise resource planning (ERP) platform that manages financials, human resources, and supply chain operations.
According to the available reports, the activity began on or before September 29, 2025, but researchers are still in the early stages of the investigation and had not substantiated the group’s claims at the time of writing. The emails reportedly stem from hundreds of compromised accounts, with evidence suggesting that at least one of those accounts has previously been associated with activity from FIN11, a known subset of the TA505 threat group.
The malicious emails contain contact information that is publicly listed on Clop’s data leak site, indicating that the activity is likely associated with Clop. Google has confirmed that, while the tactics are similar to known Clop extortion campaigns and the emails indicate a potential link, at the time of writing there is not enough evidence to determine whether data has been stolen.
According to reports from Bloomberg, researchers with Halcyon have stated that the initial access method appears to involve threat actors compromising user emails and abusing the default password reset function to obtain valid credentials for internet-facing Oracle E-Business Suite portals. Additionally, Google and Mandiant have reportedly not identified evidence of a vulnerability in, or breach of, Oracle’s E-Business Suite.
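The reported initial access path (a compromised mailbox, then the portal’s self-service password reset, then a login with the new credentials) leaves a recognisable sequence in authentication logs. The detection below is an added example for this bulletin, not Blackpoint’s, Google’s, Halcyon’s or Oracle’s code. The log line format, the event names `PASSWORD_RESET_REQUESTED` / `PASSWORD_RESET_COMPLETED` / `LOGIN_SUCCESS`, the function names and the sample events are all constructed; map them onto the fields your portal’s audit log actually emits. It generalises slightly beyond the text by adding a second check for one source address requesting resets for many accounts.

```python
"""Detection logic for the initial-access pattern described above: an account
whose password was reset via the self-service function and then used to log in
from a source the account has never used. Added example for this bulletin, not
Blackpoint's, Google's or Oracle's code. The log format, field names and the
sample events are constructed; map them onto your portal's real audit log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line shape: "<ISO8601 UTC> user=<id> event=<NAME> src=<ip>".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")


def parse_event(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_reset_then_new_source_login(lines, window=timedelta(minutes=30)) -> list[dict]:
    """Flag LOGIN_SUCCESS within `window` of a PASSWORD_RESET_COMPLETED for the same
    user when the login source has never been seen for that user before."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    known_sources = defaultdict(set)   # user -> source IPs seen on successful logins
    last_reset = {}                    # user -> most recent completed reset event
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "PASSWORD_RESET_COMPLETED":
            last_reset[user] = e
        elif e["event"] == "LOGIN_SUCCESS":
            reset = last_reset.get(user)
            if reset and e["ts"] - reset["ts"] <= window and e["src"] not in known_sources[user]:
                alerts.append({
                    "user": user,
                    "src": e["src"],
                    "reset_at": reset["ts"].isoformat(),
                    "login_at": e["ts"].isoformat(),
                })
            known_sources[user].add(e["src"])   # learn the source only after checking it
    return alerts


def detect_bulk_reset_source(lines, threshold=3) -> dict:
    """Return {src: [users]} for any source that requested password resets for at
    least `threshold` distinct accounts, the pattern of one origin working through many accounts."""
    users_by_src = defaultdict(set)
    for e in map(parse_event, lines):
        if e["event"] == "PASSWORD_RESET_REQUESTED":
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= threshold}


# Constructed audit log (RFC 5737 documentation addresses). Baseline logins come
# first; then one source requests resets for three accounts and logs in as jdoe,
# while asmith performs a legitimate self-service reset from a known address.
SAMPLE_LOGS = [
    "2025-09-28T09:00:00Z user=jdoe event=LOGIN_SUCCESS src=198.51.100.20",
    "2025-09-28T09:05:00Z user=asmith event=LOGIN_SUCCESS src=198.51.100.21",
    "2025-09-28T09:10:00Z user=bwong event=LOGIN_SUCCESS src=198.51.100.22",
    "2025-09-30T08:12:04Z user=jdoe event=PASSWORD_RESET_REQUESTED src=203.0.113.7",
    "2025-09-30T08:13:10Z user=asmith event=PASSWORD_RESET_REQUESTED src=203.0.113.7",
    "2025-09-30T08:13:55Z user=bwong event=PASSWORD_RESET_REQUESTED src=203.0.113.7",
    "2025-09-30T08:14:31Z user=jdoe event=PASSWORD_RESET_COMPLETED src=203.0.113.7",
    "2025-09-30T08:16:10Z user=jdoe event=LOGIN_SUCCESS src=203.0.113.7",
    "2025-09-30T10:00:00Z user=asmith event=PASSWORD_RESET_COMPLETED src=198.51.100.21",
    "2025-09-30T10:02:00Z user=asmith event=LOGIN_SUCCESS src=198.51.100.21",
]

if __name__ == "__main__":
    for a in detect_reset_then_new_source_login(SAMPLE_LOGS):
        print("reset-then-new-source login:", a)
    for src, users in detect_bulk_reset_source(SAMPLE_LOGS).items():
        print(f"bulk reset requests from {src}: {users}")
```

The first check deliberately learns a user’s sources only from logins that have already been examined, so the attacker’s own post-reset login cannot whitelist itself; the baseline should come from a longer history than the sample shows. The asmith events illustrate the expected negative case: a self-service reset followed by a login from an address the account already uses produces no alert, which keeps the rule usable on a busy portal.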
Who is Clop?
The Clop ransomware group, operated by the threat group TA505, has been active since at least 2019 as a ransomware-as-a-service (RaaS) operation, breaching corporate networks, stealing data, and then deploying a ransomware payload to encrypt systems.
In 2020, Clop shifted tactics away from deploying ransomware payloads against any organization its affiliates could access and toward low-effort, high-impact attacks, specifically exploiting zero-day vulnerabilities in file transfer platforms to steal data.
- In 2020, Clop operators exploited zero-day vulnerabilities in the Accellion FTA platform, impacting nearly 100 organizations.
- In 2021, they exploited a zero-day in SolarWinds Serv-U FTP software.
- In 2023, they exploited a zero-day in the GoAnywhere MFT platform, impacting over 100 companies.
- In 2023, they exploited a zero-day in MOVEit Transfer software, known as their most extensive campaign, impacting thousands of organizations, with the group reported to have profited between $75 – $100 million.
- In 2024, they exploited two zero-day vulnerabilities in Cleo transfer software.
- Clop has historically targeted employee and customer personally identifiable information (PII), financial documents, information related to partners and third-party vendors, and more.
Has Blackpoint observed this campaign?
It should be noted that the purpose of this notice is to keep our client base informed and to suggest proactive security checks. At the time of writing (October 2, 2025), Blackpoint’s SOC has not observed malicious activity stemming from these campaigns.
Blackpoint will continue to monitor and provide updates as needed. As always, Blackpoint monitors and takes aggressive action against suspicious and malicious activity within customer environments, including signs of persistence, lateral movement, and threat actor tradecraft. Blackpoint is also closely monitoring this situation to ensure that our security teams have the most relevant and timely intelligence.
Recommendations
- Implement and enforce the practice of least privilege.
- Enforce the use of MFA and VPN.
- Ensure default credentials are changed; implement and enforce a strong password policy.
- Enhance monitoring of environments for unusual activities that may indicate exploitation attempts.
- Implement network segmentation to isolate critical systems and limit potential lateral movement by attackers.