Google has issued a warning that more than 100 organizations may have been compromised in a large-scale hacking campaign linked to the CL0P ransomware group.
The cyberattack targeted Oracle’s E-Business Suite, a widely used enterprise resource planning platform, and resulted in the theft of significant volumes of customer data.
Experts have described the breach, which may have begun as early as July 2025, as one of the most extensive corporate cyber intrusions of the year.
Google Details Scope and Nature of the Attack
According to Google’s Threat Intelligence Group and Mandiant, the attackers exploited a zero-day vulnerability in Oracle’s E-Business Suite, possibly CVE-2025-61882.
The intrusion reportedly began around July 10, with active exploitation detected by August 9, weeks before Oracle released a security patch in September.
Google stated that the hackers exfiltrated large amounts of sensitive data from affected organizations, including customer records, financial information, and supply chain details.
Austin Larsen, a cybersecurity analyst at Google, confirmed dozens of victims and suggested that the scale of previous CL0P campaigns likely means over 100 entities have been affected.
He emphasized that the attackers invested heavily in reconnaissance and pre-attack research, indicating a well-resourced and coordinated operation.
Targeted Software: Oracle’s E-Business Suite
The hackers specifically targeted Oracle’s E-Business Suite, which companies use to manage critical business functions such as customer and supplier relationships, manufacturing, logistics, and financial operations.
Oracle acknowledged the breach and issued emergency patches on October 4, urging clients to apply all critical updates immediately.
Despite the severity of the attack, Oracle has not released a detailed public statement.
The company previously confirmed that attackers attempted to extort some of its clients, but it has not yet clarified the full extent of the breach.
Google Attribution to CL0P Ransomware Group
Google attributes the campaign to the CL0P ransomware group, which has a history of exploiting vulnerabilities in third-party software.
Security researchers previously linked CL0P to the MOVEit Transfer breach that affected hundreds of organizations globally.
In this latest incident, the group allegedly used a multi-stage Java implant framework to compromise Oracle EBS environments and initiate extortion attempts.
CL0P has not responded to requests for comment.
In past communications, the group claimed that Oracle had introduced bugs into their core product, suggesting they had known about the vulnerability and left it exploitable for some time.
Global Impact and Security Implications
Security experts have warned that the breach could trigger ripple effects across global supply chains, particularly in regions like Asia and India where organizations widely deploy Oracle’s ERP systems.
Professor Triveni Singh, a cybercrime expert, described the incident as a wake-up call for enterprise security, highlighting the need for proactive vulnerability management and robust incident response protocols.
Google has urged affected organizations to review their systems for indicators of compromise and apply all relevant patches.
The company also released technical guidance to help defenders identify and mitigate the threat.