'Everest Group' Extorts Global Orgs via SAP's HR Tool - Dark Reading
Archived Apr 21, 2026
In addition to Coca-Cola, entities in Abu Dhabi, Jordan, Namibia, South Africa, and Switzerland are experiencing extortion attacks, all involving stolen SAP SuccessFactors data.
Nate Nelson, Contributing Writer
May 30, 2025
Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments.
This May, the long-overlooked threat actor advertised nine new cyberattacks. Victims ranged from healthcare organizations to construction and facilities management companies. But its biggest win came against Coca-Cola, from which it stole records associated with hundreds of employees, including their personally identifying information (PII) like names and addresses, salary records, and scans of passports and visas.
In each of these leaks, researchers from VenariX found files relating to SAP SuccessFactors, SAP's cloud-based HR management platform. The researchers believe the attacks to be legitimate and estimate that initial access in each case likely occurred through a third-party SAP service provider called "INK IT Solutions."
Everest's String of Success
Besides Coca-Cola, Everest's most notable May victims have been the Mediclinic Group — a multibillion-dollar hospital group managing locations in Namibia, South Africa, Switzerland, and the United Arab Emirates (UAE) — and the Department of Tourism and Culture in Abu Dhabi (DCTA). It has also struck smaller outfits, like the Brooklyn-based medical imaging company PDI Health and a small bank based in Jordan called Jordan Kuwait Bank.
In each case, Everest Group has highlighted stolen data pertaining to company employees. With DCTA, for instance, it claims to be in possession of 12GB of "internal company data," most notably around 1,500 records with sensitive information about employees: passports and visas, birth and marriage certificates, university diplomas, and more. Identity cards, employee usernames, email addresses, protected health information (PHI), and other confidential business data might also have been compromised. DCTA's website was briefly down following the initial incident. Everest Group has posted a countdown clock on its leak site, set to expire June 1 if DCTA doesn't comply with its demands.
Data featured in the leaks suggests that these attacks are correlated with SAP SuccessFactors. Found among DCTA's trove: a SuccessFactors employee profile, a listing of other SuccessFactors profiles that seem to belong to current or former DCTA employees, and payroll details that also appear to have come from a SuccessFactors profile. Data stolen from the construction company Kaefer includes a CSV export of SuccessFactors' user directory. Coca-Cola's leak data includes 959 SuccessFactors employee profiles in PDF format.
The connecting thread appears to go deeper still. In one form or another, VenariX connected at least five of the victimized companies with INK IT Solutions, an SAP integrator based in Melbourne, Australia. Dark Reading has reached out to SAP and INK IT Solutions to confirm what they know of the attacks. This story will be updated should either company provide comment.
The Elusive Everest Group
The Everest Group was first spotted in December 2020, but it's never attracted so much attention.
One reason for this may be its slow but steady rate of attack. VenariX has attributed 148 known cyber incidents to the group, averaging only a few per month since its inception. The attacks appear to be opportunistic, affecting organizations of a variety of sizes across multiple geographic locations and industries. Its most notable targets have been AT&T, a US District Court in Illinois, the government of the State of Rio Grande do Sul in Brazil, and Collins Aerospace, a partner to NASA.
Another reason Everest may be escaping attention is that it's hard to pin down. Case in point: While the DCTA and Coca-Cola incidents were extortion attacks, Illinois, Brazil, and Collins Aerospace were all instances in which Everest Group sold its initial access to other threat actors on the Dark Web.
"They are kind of weird in a way, because they started off selling data, and then they moved on to ransomware, and then they moved on to selling initial access, and now they're back selling compromised data," notes one Searchlight Cyber analyst who chose to be anonymous for this story. "I don't know of any other example of a hacking group that's gone on a continuous transition between different modus operandi," he adds.
"It might be the case that they had affiliates who joined the group, did what they knew best, and then they left the group. So they were left with other affiliates who knew a different thing, and they worked with the skill sets that they then had within the team," he guesses. All of this shape-shifting also helps to explain why the group's tactics, techniques, and procedures (TTPs) have been elusive. "If they were stagnant in terms of what tactics they used, maybe it was easier to research them over time. But because they're changing so often, I can't really pinpoint a certain tool they're consistently using or a certain attack method they're always applying."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.