The cyberattack on software company Red Hat has taken a new turn, with the hacker group ShinyHunters now joining the extortion attempt. The criminals published examples of stolen customer data on their own data breach platform. This seems to escalate the incident further.
The attack was initially claimed by a group known as the Crimson Collective. They claimed to have stolen nearly 570 gigabytes of internal data from some 28,000 development repositories. According to the attackers, the loot also includes hundreds of so-called Customer Engagement Reports (CERs), which contain confidential information about customers’ infrastructure and systems. When Red Hat did not respond to their extortion attempt, the criminals sought cooperation with other groups.
Reports from BleepingComputer indicate that Crimson Collective and Scattered Lapsus$ Hunters are collaborating and utilizing the ShinyHunters data leak site to exert pressure on Red Hat. In messages on Telegram, the hackers described their collaboration as a new alliance aimed at disrupting large companies.
Red Hat is now listed on the ShinyHunters website. The listing warns that the stolen data will be published on October 10 if the company does not enter into negotiations. According to the hackers, the sample files released include reports from Walmart, HSBC, the Bank of Canada, Atos Group, American Express, the US Department of Defense, and French telecom company SFR. Red Hat has confirmed to BleepingComputer that the attack is related to a GitLab environment used exclusively by the consulting division, but the company has not yet publicly responded to the new extortion threat.
No breach of GitLab infrastructure
Red Hat has since shared an update on the incident, as reported by Techzine. According to the company, immediate action was taken upon discovery of the breach. This resulted in the attacker losing access. The affected GitLab instance was isolated and the authorities were notified. The investigation into the circumstances is still ongoing.
GitLab emphasizes that there was no breach of its infrastructure. The incident only affects Red Hat’s self-managed version of GitLab Community Edition. Customers running this free version are responsible for security, updates, and access management.
ShinyHunters’ involvement fits into a broader pattern of what security researchers describe as “extortion-as-a-service.” In this model, a group offers its infrastructure and reputation to other criminals in exchange for a share of the proceeds, much like ransomware groups do. ShinyHunters claims to receive about a quarter of the ransom, with the rest going to the hackers who carry out the attacks.
In addition to Red Hat, financial services provider S&P Global has also been named as a victim on the ShinyHunters platform. The company has not commented on the allegations, but emphasizes that as a publicly traded company, it is required to disclose significant cyber incidents.