@IntCyberDigest: ‼️🚨 Red Hat breached: Crimson ...

@IntCyberDigest
16 views Oct 01, 2025
1
‼️🚨 Red Hat breached: Crimson Collective stole 28k private repositories, including credentials, CI/CD secrets, pipeline configs, VPN profiles, and infrastructure blueprints.

Our analysis of obtained data: 👇
Media image
2
The file tree includes thousands of repositories referencing major banks, telecoms, airlines, and public-sector organizations, such as Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Merrick Bank, Telstra, Telefonica, and even mentions the U.S. Senate...
3
What's in the file tree dump?

Inventories, hosts, Ansible playbooks, OpenShift install blueprints, CI/CD runners, VPN profiles, Quay/registry configs, Vault integrations, backups, and exported GitHub/GitLab configs.
4
The threat actor attempted to contact RedHat, and the reply is concerning...
Media image
5
Multiple staff were added to the ticket, visible to the threat actor, indicating an OpSec failure.
Media image
6
The threat actor told us that Red Hat is ignoring them and no longer responding to communication attempts.
7
Some example files:
Media image
Media image
Media image
8
Some of the customers being mentioned in the file tree:

| Company | X Handle |
|---------|----------|
| 3M | @3M |
| Accenture | @Accenture |
| Adeo | No official X handle found |
| Adobe | @Adobe |
| ADP | @ADP |
| Alaska Airlines | @AlaskaAir |
| Ally | @Ally |
| Amadeus | @AmadeusITGroup |
| Amdocs | @Amdocs |
| American Express | @AmericanExpress |
| Arch Insurance | @ArchInsInt |
| Avangrid | @Avangrid |
9
| AXA | @AXA |
| Bank of America | @BankofAmerica |
| BBVA | @bbva |
| BNP Paribas | @BNPParibas |
| BNSF Railway | @BNSFRailway |
| Boeing | @Boeing |
| Bosch | @BoschGlobal |
| Capgemini | @Capgemini |
| Cisco | @Cisco |
| Citi | @Citi |
| Cummins | @Cummins |
| Deloitte | @Deloitte |
| Delta Air Lines | @Delta |
| DHL | @DHLGlobal |
10
| Ericsson | @ericsson |
| Experian | @Experian |
| Federal Aviation Administration (FAA) | @FAANews |
| Federal Emergency Management Agency (FEMA) | @fema |
| Finanz Informatik | @FI_FFM |
| Finastra | @FinastraFS |
| Garanti BBVA | @GarantiBBVA |
| HSBC | @HSBC |
| IBM | @IBM |
| IHG Hotels & Resorts | @IHGhotels |
| IKEA | @IKEA |
| Inditex | @Inditex |
| Injazat | @injazat |
| Isabel Group | No official X handle found |
| JPMorgan Chase | @jpmorgan |
| Karolinska University Hospital | @karolinskainst |
| Leidos | @LeidosInc |
| Lloyds Banking Group | @LBGplc |
| Marriott International | @MarriottIntl |
| Mavenir | @Mavenir |
| Merrick Bank | @merrickbank |
11
|Migros | @migros |
| Mizuho | No official X handle found |
| National Australia Bank | @nab |
| National Institute of Standards and Technology (NIST) | @NIST |
| National Security Agency (NSA) | @NSAGov |
| Nestlé | @Nestle |
| Nokia | @nokia |
| NSW Police | @nswpolice |
| NTT Docomo | @docomo |
| O2 | @O2 |
| Orange | @orange |
| PGE | @PGE4Me |
| Pirelli | @Pirelli |
| PLDT | @pldt |
| Proximus | @proximus |
| QBE Insurance Group | @qbe |
| Safran | @SAFRAN |
| Santander | @bancosantander |
| Saudi Aramco | @aramco |
| Siemens | @Siemens |
| Sony | @Sony |
| Special Tribunal for Lebanon | @STLebanon |
| StarHub | @StarHub |
| stc | @stc |
| Sumitomo | @SumitomoCorpor1 |
| SWIFT | @SWIFTcommunity |
| Swissgrid | @swissgridag |
| T-Mobile | @TMobile |
| Takeda | @TakedaPharma |
| Telefónica | @Telefonica |
| Telenor | @TelenorGroup |
| Telkom | @TelkomZA |
| Telstra | @Telstra |
| Türkiye İş Bankası | @isbankasi |
| U.S. Cellular | @UScellular |
| U.S. Citizenship and Immigration Services (USCIS) | @USCIS |
| U.S. Customs and Border Protection (CBP) | @CBP |
| U.S. Department of Agriculture (USDA) | @USDA |
| U.S. Department of Energy — Idaho National Laboratory (INL) | @INL |
| U.S. Department of Homeland Security (DHS) | @DHSgov |
| UBS | @UBS |
| United Airlines | @united |
| United States Air Force (Air Mobility Command) | @AirMobilityCmd |
| United States Air Force (USAF) | @usairforce |
| United States Patent and Trademark Office (USPTO) | @uspto |
| United States Senate (Sergeant at Arms) | @SenateSAA |
| UPS | @UPS |
| Verizon | @Verizon |
| Vodafone | @VodafoneGroup
12
This appears to be a significant breach based on the information obtained. Without access to the full archive, we cannot determine the full scope of the alleged breach. We have contacted Red Hat for comment.
Actions
Visual Editor Carousel Maker NEW
Update Thread
What You Can Do
  • Download as PDF
  • Save to Notion
  • Export as Markdown
  • Visual Editor
  • LinkedIn & Instagram Carousel Maker
Create Free Account

Includes 7-day Premium trial