New alliance threatens to publish all stolen data unless ransom negotiations commence
The fallout from Red Hat’s recent cybersecurity breach has intensified as the notorious ShinyHunters gang joins forces with the Crimson Collective to escalate extortion efforts against the enterprise software giant.
The alliance, which also involves a group calling itself Scattered Lapsus$ Hunters, has begun publishing samples of stolen Red Hat customer data, including sensitive Customer Engagement Reports (CERs), on a new data leak site.
The breach, first disclosed last week, allegedly involves nearly 570GB of compressed data exfiltrated from Red Hat’s internal systems.
According to Crimson Collective, the stolen data spans 28,000 internal development repositories, including about 800 CERs – documents that often contain detailed information about clients’ infrastructure, authentication systems, and network configurations.
Red Hat last week acknowledged the breach but sought to limit concerns, explaining that the incident was confined to a GitLab environment used by Red Hat Consulting and not its public GitHub repositories or core product systems.
The company said there is no evidence that its product build systems or hosted services were affected.
Despite that reassurance, cybersecurity analysts warn the leak could pose a serious downstream risk to Red Hat clients if the exposed CERs prove genuine.
An extortion alliance emerges
In a statement posted to its Telegram channel, Crimson Collective announced it has now joined forces with Scattered Lapsus$ Hunters and ShinyHunters.
“On the 4th April 1949 was created the so big called NATO, but what if today’s new alliance was bigger than that? But for a greater purpose, ruining corporations mind,” the message reads.
“What if, Crimson’s shininess extends even further away?”
The groups declared that their new coalition will coordinate future attacks and data releases through ShinyHunters’ newly launched data leak and extortion platform.
Shortly after the announcement, Red Hat appeared as a new entry on the ShinyHunters site, with a threat that all stolen data would be published on 10 October unless ransom negotiations commence.
Samples released on the site purportedly include CERs belonging to high-profile clients such as Walmart, HSBC, the Bank of Canada, Atos Group, American Express, the US Department of Defense, and Société Française du Radiotéléphone (SFR).
A post accompanying the leak accused Red Hat of failing to safeguard trade secrets and personal data, invoking potential violations of the General Data Protection Regulation (GDPR) and US state privacy laws.
“These CERs clearly contain and include confidential business/company data (credentials, env vars, architecture, code, internal designs, things that would grant an unauthorised party access to your network), and Red Hat failed to adequately protect them, you failed to preserve the secrecy of these trade secrets, as it was your utmost responsibility,” Scattered Lapsus$ Hunters wrote on its site.
ShinyHunters expands extortion business
Known for previous high-profile breaches involving Microsoft, AT&T, and Tokopedia, ShinyHunters has reportedly operated for years as an “Extortion-as-a-Service” (EaaS) group.
A ShinyHunters representative told BleepingComputer that they typically receive 25-30% of extortion payments, with partner groups retaining the majority.
The launch of the new leak portal indicates the group is now formalising its extortion network and openly hosting campaigns for affiliated hackers.
Whether Red Hat will choose to negotiate, pay the ransom, or confront the attackers remains uncertain.
For now, Red Hat continues to investigate the breach, monitor for further data exposure, and reassure its clients that it is taking comprehensive steps to mitigate risk.