Google has warned that executives are being targeted by a wave of extortion emails claiming access to sensitive Oracle software data. The campaign, linked to the Cl0p ransomware group, highlights a growing trend of cybercriminals bypassing company networks to pressure leadership directly.
The company said in a statement on Wednesday that it had observed “a high-volume extortion email campaign directed at executives of multiple organisations.” The messages claimed that attackers had stolen information from Oracle’s E-Business Suite, a widely used enterprise resource planning platform.
Google added that it “does not currently have sufficient evidence to definitively assess the veracity of these claims.” It did not disclose how many executives had been contacted, nor which industries had been affected.
The emails reference the Cl0p ransomware gang, a group responsible for some of the largest data theft incidents in recent years. Cl0p is known for abandoning traditional encryption-based ransomware and instead threatening to leak stolen information unless companies pay.
Reuters reported that Oracle has not yet responded to media requests for comment. Meanwhile, security researchers told CyberScoop that they were monitoring Oracle environments for signs of compromise, though none had been confirmed.
Cybersecurity analysts note that the direct targeting of executives, rather than IT teams, is becoming increasingly common. In 2023, reports from Fortune highlighted hackers using bespoke phishing tactics against C-suite members, often exploiting personal accounts. Earlier this year, UK retailer Marks & Spencer confirmed that extortion emails had been sent directly to its senior leadership following a breach.
The approach creates heightened pressure, bypassing traditional detection systems and placing the burden directly on decision-makers. For companies, the reputational and regulatory stakes of a potential breach make such campaigns difficult to ignore, even when the underlying claims are unverified.
At present, there is no confirmation that Oracle’s systems have been breached or that any customer data has been exposed. Google’s advisory stressed that investigations remain ongoing.
Still, the incident underscores both the persistence of Cl0p and the vulnerability of executives as a direct attack vector. With organisations continuing to digitise core business functions, attackers appear intent on exploiting human-level access as much as technical flaws.
