Two major industrial companies, Schneider Electric and Emerson, have been publicly named by cybercriminals as victims of an extensive data theft campaign targeting Oracle E-Business Suite (EBS) instances. Threat actors, believed to be a cluster of the sophisticated, profit-driven FIN11 group, exploited vulnerabilities within the Oracle systems to allegedly steal data from dozens of organizations worldwide. This campaign is just one of several large-scale operations linked to the group, which has previously targeted file transfer products like MOVEit and Fortra.
The hackers are now listing alleged victims on the Cl0p ransomware leak website, where they have also begun publishing purported corporate data. The site contains links to a staggering 2.7 terabytes of archive files allegedly stolen from Emerson and an additional 116 gigabytes of information claimed to belong to Schneider Electric. Independent structural analysis of the leaked file trees and metadata strongly suggests that the compromised information in both cases originated from an Oracle environment, confirming the success of the EBS exploit.
While the evidence points toward a compromise, neither Schneider Electric nor Emerson has issued a public statement regarding the claims, nor have they responded to repeated requests for comment. This silence is likely due to ongoing internal security investigations, a common practice among affected organizations. However, several other major institutions caught in the sweep have confirmed that they were affected, including Harvard University, South Africa’s Wits University, and American Airlines subsidiary Envoy Air.
The threat group responsible for the Oracle EBS attacks has a history of conducting large, multi-victim campaigns, including those against Cleo, MOVEit, and Fortra. Their strategy involves compromising massive amounts of data and then publicly shaming victims to coerce ransom payments. Although historical evidence suggests that these cybercriminals rarely make false claims of a breach, analysts note they have been observed exaggerating the sensitivity of the exfiltrated data to increase pressure on the compromised companies.
For Schneider Electric and Emerson, being targeted by high-profile cybercriminals is not a new experience. Just last year, the Medusa ransomware group claimed to have exfiltrated nearly one terabyte of data from Emerson. Similarly, Schneider Electric confirmed being targeted by cybercriminals on at least two separate occasions in the preceding year. This latest Oracle EBS incident underscores the persistent and significant challenge that sophisticated, profit-driven threat actors pose to even the world’s largest industrial organizations.