‘High-Volume’ Extortion Campaign Claims Oracle E-Business Data Theft: Mandiant

The campaign may be linked to the cybercriminal group Clop, previously responsible for a series of widespread data theft attacks, according to Mandiant and Google threat researchers.

Mandiant and Google threat researchers are tracking an extortion campaign that involves claims of “sensitive” data theft from Oracle E-Business Suite customers, the researchers disclosed.

CRN has reached out to Oracle for comment.

[Related: 10 Major Cyberattacks And Data Breaches In 2025 (So Far)]

In an email statement released to media outlets Wednesday, Charles Carmakal, CTO at Google Cloud-owned Mandiant, said that the campaign may be linked to the cybercriminal group Clop. The threat actor previously claimed responsibility for a series of major data theft attacks, including widely felt attacks targeting MOVEit customers in 2023.

Now, Mandiant and the Google Threat Intelligence Group are “actively tracking recent activity involving an actor claiming affiliation with the Clop extortion group,” Carmakal said in the statement.

Extortion emails have been sent to executives at a number of organizations, “claiming to have stolen sensitive data from their Oracle E-Business Suite,” according to the statement from Mandiant and Google.

The “high-volume email campaign” has come from “hundreds” of compromised accounts, Carmakal said.

“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the CLOP data leak site,” he said in the statement. “This move strongly suggests there’s some association with Clop and they are leveraging the brand recognition for their current operation.”

However, Mandiant is “still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” said Genevieve Stark, head of cybercrime and information operations intelligence analysis at the Google Threat Intelligence Group.

The activity is believed to have begun earlier this week—on or before Monday, according to Stark.

Earlier this year, Oracle privately disclosed to customers that a threat actor had been discovered to have compromised a “legacy” environment in a breach that included the theft of certain log-in credentials, according to a Bloomberg report in April. Oracle did not respond to a CRN request for comment at the time.