British Health System Investigates Claim Amid Wave of Enterprise Data Thefts
Marianne Kolbasuk McGee (HealthInfoSec) •
November 13, 2025

The U.K.’s National Health Service, as well as The Washington Post, appear to be among ransomware gang Clop’s latest victims of hacks involving exploitation of Oracle E-Business software vulnerabilities. (Image: NHS)
Ransomware gang Clop has claimed the United Kingdom’s National Health Service among its latest victims. The NHS confirmed it is aware of being listed on a cybercriminal group’s dark website, but did not identify Clop or comment on the group’s claims. No NHS data has been leaked so far.
Clop’s addition of the NHS on the gang’s dark website follows a long and growing list of the group’s other alleged victims, including organizations that appear to have been targeted in recent exploits of Oracle E-Business Suite vulnerabilities.
The attacks involving the Oracle E-Business Suite first came to light on Sept. 29, when attackers claiming to be affiliated with the Russian-speaking ransomware group Clop – aka Cl0p – began emailing victims, threatening to leak stolen data unless they paid cryptocurrency ransoms worth up to $50 million (see: Extortionists Claim Mass Oracle E-Business Suite Data Theft).
The Washington Post, which is also listed on Clop’s dark website, this week confirmed it was a victim of a hack tied to the Oracle E-Business Suite software exploits.
In a breach report filed on Wednesday to Maine regulators, The Washington Post said that on Sept. 29, the company was contacted by a bad actor who claimed to have gained access to its Oracle E-Business Suite applications.
The Post’s investigation confirmed that the attacker exploited the software vulnerabilities and determined that between July 10 and Aug. 22 some data was accessed and acquired by hackers.
The Washington Post said the hack affected 9,720 people including current and former employees and contractors. Compromised information varies among individuals but may include names, bank account numbers and associated routing numbers, Social Security numbers and tax ID numbers.
The Washington Post did not immediately respond to ISMG’s request for comment about Clop’s involvement in the incident.
NHS Hack
The NHS in late October posted an advisory about the vulnerabilities, warning NHS organizations that the Oracle software vulnerabilities – CVE-2025-53072 and CVE-2025-62481 – “if successfully exploited, could lead to unauthenticated takeover of Oracle Marketing.”
An NHS spokesperson in a statement to Information Security Media Group confirmed that the NHS is aware of being listed on the dark web as a recent hacking victim. But the NHS did not specifically address Clop’s claims or respond to ISMG’s inquiry asking whether the exploit relates to the Oracle software vulnerabilities.
“We are aware that the NHS has been listed on a cybercrime website as being impacted by a cyberattack, but no data has been published,” said an NHS England spokesperson. “Our cybersecurity team is working closely with the National Cyber Security Centre to investigate.”
The alleged compromise of the U.K.’s NHS would be significant on several levels, said Christiaan Beek, senior director of threat intelligence and analytics at security firm Rapid7.
“The NHS is not only a critical part of the U.K.’s national infrastructure, it’s also one of the largest public healthcare systems in the world, serving millions daily. Any disruption or exposure of sensitive data could have far-reaching societal consequences,” he said.
“This tactic moves the threat from traditional ‘endpoint ransomware’ into back-office business applications that are highly sensitive for a healthcare organization,” he said. Exposure could include payroll, vendor invoices and even internal communications, Beek said.
Growing List of Victims
While the full scope of these recent attacks involving Oracle E-Business Suite software is still emerging, Rapid7’s intelligence suggests dozens of organizations globally may have been affected by similar extortion tactics, he said.
“From our own observations of leaked datasets related to the Oracle E-Business breach, such as The Washington Post incident, the compromised data often includes employee directories, financial transactions, vendor payments and wire transfer records,” Beek said.
Clop is known for broad, highly orchestrated extortion attacks that don’t focus on a single sector or geolocation but rather seek to exploit and exfiltrate data from a wide range of organizations all at once, said Caitlin Condon, vice president of security research at security firm VulnCheck.
“The Oracle EBS attack seems to have followed that same pattern, with alleged Clop victims spanning global organizations across healthcare, manufacturing, financial and professional services, higher education, IT software and more,” she said.
“The threat actors have published dozens of victim names over the past month. It’s likely the group will continue releasing new victim names and leaking data as the year closes out. Downstream impact from large-scale extortion incidents like this often takes months or even years to measure comprehensively,” she said.
Orchestrated data theft attacks like Clop’s campaign targeting the Oracle EBS zero-day are often “smash and grab” affairs where the adversaries look to gain access to applications with sensitive data and then exfiltrate that data as quickly as possible, Condon said.
“That means organizations should look to block or alert on data and traffic leaving their environments, not just coming in – for example, organizations can restrict or block large file uploads or high-volume traffic to unknown IPs, access to cloud storage or backups, use of data transfer or file sharing software and so on,” she said.
Critical Lessons
The key lesson in this latest wave of attacks is that extortion no longer relies on ransomware encryption, Beek said. “Groups like Clop have shifted to stealing data from deeply embedded enterprise systems that are often overlooked in traditional defenses,” he said.
For healthcare and other sectors, this means treating financial and ERP platforms as high-risk assets by ensuring they are properly secured and monitored, he stressed. “The broader reality is that critical business systems have become the new frontline of cyberattacks, even as many defenders remain focused on endpoints and email,” he said.
“In moments like this, it’s important to remember that resilience isn’t built overnight, it’s engineered through awareness, anticipation and adaptability. These attacks also remind us that the perimeter is no longer a firewall but rather the sum of every interconnected system that keeps a business running.”
Prevention starts with visibility and “understanding your attack surface and who can reach it,” he said. “Detection means understanding behavior, not just chasing alerts. When a breach happens, act fast and transparently. Technical recovery is important, but rebuilding trust is what truly defines resilience in today’s world full of data-driven extortion attacks.”
Condon advises organizations to proactively work to reduce their external attack surface area and prioritize actively exploited vulnerabilities in software and systems that house or safeguard sensitive data. “File transfer applications and enterprise resource planning software in particular are common targets for financially motivated threat actors.”
While Clop doesn’t appear to have targeted a single sector in these latest incidents, healthcare organizations in general get hit hard and fast by financially motivated threat campaigns, Condon said.
“Threat actors tend to assume that healthcare organizations, which are highly regulated, are more likely to pay ransom demands in order to limit impact to patient trust and safety,” she said.
“Organizations in all sectors, and particularly healthcare orgs, must carefully consider what paying ransoms signals to threat groups, and how short-term negotiation with adversaries can reinforce behaviors that drive higher incident volume in the long term.”
Other NHS Incidents
The alleged Clop hack is just the latest cybersecurity incident affecting the U.K.’s national health system. A 2024 ransomware attack on Synnovis, a pathology partnership with the NHS, badly disrupted patient care services for months at some NHS London facilities (see: NHS Blood Supply Still Affected by June 2024 Vendor Attack).
The disruption to Synnovis’ ability to perform a host of services, including blood testing, led to the cancellation or postponement of 10,152 acute outpatient appointments and 1,710 elective procedures at the most affected NHS trusts – London’s King’s College Hospital and Guy’s and St. Thomas hospitals.
The NHS in England in June also cited the Synnovis incident as a contributing factor to the death of a patient (see: Breach Roundup: UK NHS Links Patient Death to Ransomware Attack).
Meanwhile, Synnovis this week began notifying an undisclosed number of its clients that their patients’ information was potentially stolen in the attack, for which Russian-speaking ransomware group Qilin claimed responsibility (see: Synnovis Notifying UK Providers of Data Theft in 2024 Attack).
In December 2024, Russian-speaking ransomware group INC Ransom posted to its dark website stolen data from three NHS hospitals, including a children’s hospital and a heart and chest specialty hospital in Liverpool that share IT systems.
NHS operations also faced disruptions in August 2022 after a ransomware attack against third-party digital services vendor Advanced, a Birmingham-based technology developer of the Adastra system, which underpins NHS 111 and other healthcare services.
In fact, NHS’ ransomware woes date back to the 2017 WannaCry outbreak that led to widespread disruptions of healthcare services and criticism that the NHS could have avoided the breach by following basic IT security best practices.
“The NHS need to get their act together to ensure the NHS is better protected against future attacks,” warned the U.K. National Audit Office soon after the incident.