
Industrial Giants Schneider Electric and Emerson Named as Victims of Oracle Hack

Data allegedly stolen from the companies has been made available for download on the Cl0p ransomware leak website. The post Industrial Giants Schneider Electric and Emerson Named as Victims of Oracle Hack appeared first on SecurityWeek.

Industrial giants Schneider Electric and Emerson have been named by cybercriminals as victims of the recent campaign targeting Oracle E-Business Suite (EBS) instances.

Threat actors, presumably a cluster of the FIN11 profit-driven threat group, have exploited Oracle EBS vulnerabilities to steal data from dozens of organizations, including major companies. 

The hackers have started naming alleged victims on the leak website set up for the Cl0p ransomware, and in some cases they have started releasing data that allegedly originates from the targeted companies. 

Two of those alleged victims are Schneider Electric and Emerson, neither of which has responded to SecurityWeek’s repeated requests for comment. 

The Cl0p leak website contains links to 2.7 TB of archive files storing information allegedly obtained from Emerson and 116 GB of archive files with information allegedly belonging to Schneider Electric. 

SecurityWeek’s investigation, limited to a structural analysis of the leaked file tree and associated metadata, indicates that in both cases the data likely originates from an Oracle environment.

Security researcher Dominic Alvieri has independently confirmed that the leaked data was likely obtained as a result of the recent Oracle EBS hack.  

SecurityWeek has reached out to several of the companies listed on the Cl0p leak website and none of them has responded, likely due to their ongoing investigations. 

However, major organizations such as Harvard University, South Africa’s Wits University, and American Airlines subsidiary Envoy Air have publicly confirmed being impacted. 

The threat group that is behind the recent Oracle EBS hack is also believed to have conducted similar campaigns targeting Cleo, MOVEit, and Fortra file transfer products. Each of those operations targeted many organizations and resulted in massive amounts of data being compromised. 

While historical evidence suggests the cybercriminals responsible for the Oracle EBS campaign are unlikely to make false claims of compromise, they, and other profit-driven groups, have been observed exaggerating the sensitivity of the exfiltrated data.

If confirmed, this would not be the first time Schneider Electric and Emerson have been targeted by cybercriminals. 

Roughly one year ago, the Medusa ransomware group claimed to have stolen nearly 1 TB of data from Emerson and demanded a $100,000 ransom. 

Schneider Electric last year confirmed on at least two separate occasions that it had been targeted by cybercriminals.

CYBERNEWSMEDIAPublisher