Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability and Breach.

Detection and Response: The company detects and responds to cybersecurity incidents through an remediation measures with patching, and containment measures with avoid granting broad permissions to system-level groups (e.g., `system:authenticated`), containment measures with remove or restrict the `clusterrolebinding` associating `kueue-batch-user-role` with `system:authenticated`, and remediation measures with grant job creation permissions on a granular, as-needed basis, remediation measures with adhere to the principle of least privilege, and communication strategy with public advisory released by red hat, and and and containment measures with immediate isolation of gitlab instance, containment measures with termination of attacker access, and communication strategy with public blog post (2023-10-03), communication strategy with correction statement (2023-10-02), communication strategy with no further comments during investigation, and incident response plan activated with yes (red hat began notifying affected clients), and containment measures with urgent credential rotation, containment measures with security configuration reviews, and remediation measures with comprehensive remediation plans for affected customers, remediation measures with monitoring for traded copies of stolen data, and communication strategy with public disclosure, communication strategy with client notifications, communication strategy with ongoing updates via kevin beaumont (mastodon), and enhanced monitoring with recommended for all affected organizations, and incident response plan activated with belgian centre for cybersecurity (warning issued), incident response plan activated with individual organizations (forensic investigations ongoing), and remediation measures with security architecture rebuilds per organization, remediation measures with reestablishing integrity of custom configurations, and communication strategy with belgian centre for cybersecurity advisory, communication strategy with media coverage (e.g., the cipher brief)..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Authenticated low-privilege account (e.g., data scientist with Jupyter notebook access), Self-Managed GitLab Community Edition Instance and compromised Red Hat consulting repositoriesstolen credentials/API keys from CERs.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Sensitive Data Stored In Openshift Ai Clusters, Potentially All Data Hosted On The Platform, , Source Code, Customer Engagement Reports (Cers), Authentication Keys, Database Uris, Infrastructure Configurations, , Customer Documentation, Source Code, Consultancy Reports, Private Certificates (.Pfx), Proprietary Code, Internal Assets, , Customer Engagement Reports (Cers), Network Architectures, Authentication Tokens, Api Keys, Infrastructure Configurations, Project Blueprints and .

Incident Response Plan: The company's incident response plan is described as Yes (Red Hat began notifying affected clients), Belgian Centre for Cybersecurity (warning issued), individual organizations (forensic investigations ongoing), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patching, , Grant job creation permissions on a granular, as-needed basis, Adhere to the principle of least privilege, , Comprehensive remediation plans for affected customers, Monitoring for traded copies of stolen data, , security architecture rebuilds per organization, reestablishing integrity of custom configurations, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by avoid granting broad permissions to system-level groups (e.g., `system:authenticated`), remove or restrict the `clusterrolebinding` associating `kueue-batch-user-role` with `system:authenticated`, , immediate isolation of gitlab instance, termination of attacker access, , urgent credential rotation, security configuration reviews and .

Key Lessons Learned: The key lessons learned from past incidents are The necessity of continual vigilance in cybersecurity and the latent threats residing in long-standing systems.Extortion groups with minimal initial following can rapidly escalate threats.,LAPSUS$-linked actors continue to target high-value service providers (e.g., telecoms, consulting firms).,Private certificates and proprietary code are high-risk targets for extortion.,Proactive monitoring of dark web/darknet markets is critical post-breach.Supply chain attacks via consulting firms create unpatchable vulnerabilities due to custom implementations.,Political timing (e.g., government shutdowns) can be weaponized to maximize impact.,Extortion-as-a-service models enable broader ecosystem exploitation.,Nation-states may leverage criminal groups for deniable asymmetric warfare.,Defense industrial base remains vulnerable to precision-targeted intelligence collection.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Monitor for leaked data on dark web forums and marketplaces., Enhance employee training to mitigate insider threats and social engineering risks., Avoid paying ransoms to prevent incentivizing further attacks., Implement comprehensive incident response plans with third-party support., Review and harden security configurations across all systems., Strengthen internal controls, especially for consulting firms handling sensitive client data. and Rotate all certificates and credentials immediately..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Red Hat Security Advisory, and Source: Red Hat Blog PostDate Accessed: 2023-10-03, and Source: BleepingComputerDate Accessed: 2023-10-03, and Source: GitLab Security HandbookUrl: https://about.gitlab.com/security/hardening/Date Accessed: 2023-10-03, and Source: Telegram (Crimson Collective Leaks)Date Accessed: 2023-10-03, and Source: Brian Krebs (Security Researcher), and Source: Kevin Beaumont (Mastodon), and Source: GBHackers (GBH)Date Accessed: 2025-09-13, and Source: The Cipher Brief, and Source: Belgian Centre for Cybersecurity.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Advisory Released By Red Hat, Public Blog Post (2023-10-03), Correction Statement (2023-10-02), No Further Comments During Investigation, Public Disclosure, Client Notifications, Ongoing Updates Via Kevin Beaumont (Mastodon), Belgian Centre For Cybersecurity Advisory, Media Coverage (E.G. and The Cipher Brief).

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Red Hat Customers Using Openshift Ai 2.19, 2.21, Or Rhoai, Restrict Permissions As Outlined In The Advisory, Review Access Controls For Data Scientists And Other Low-Privilege Roles, , No Evidence Other Red Hat Services/Products Affected, Confidence In Software Supply Chain Integrity, Potential Risk To Customer Infrastructure Via Exposed Keys/Uris In Cers, , Affected organizations advised to contact Red Hat Consulting support for list of stolen files and remediation guidance., Enterprises should assume all stolen data may become public; urgent action required for credential rotation and security reviews. and Belgian Centre For Cybersecurity (High-Risk Warning).

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Recommended for all affected organizations.

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Remove Broad `Clusterrolebinding` Associations, Implement Least-Privilege Access For Job Creation, , Overhaul Of Red Hat Consulting’S Security Measures For Client Data Protection., Implementation Of Adaptive Behavioral Waf And Network Segmentation (Recommended)., Enhanced Monitoring For Anomalous Access Patterns., .

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was ['Extortion Attempt (No Specific Amount Disclosed)'].

Last Attacking Group: The attacking group in the last incident were an Crimson Collective, Crimson Collective (linked to LAPSUS$ and Scattered Spider) and Crimson CollectiveShinyHunters (extortion-as-a-service partner).

Most Recent Incident Detected: The most recent incident detected was on 2023-10-02T17:30:00 CEST (approximate, based on correction issuance).

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-10-01T00:01:00-04:00.

Most Significant Data Compromised: The most significant data compromised in an incident were Sensitive data hosted on the cluster, , Internal Project Data (28,000 projects, ~570 GB), Customer Engagement Reports (800 CERs, 2020–2025), Authentication Keys, Database URIs, Infrastructure Details, Configuration Data, , Customer Documentation, Source Code, Consultancy Engagement Reports (CERs), Private Certificates (.pfx), Proprietary Code, Internal Assets, , Customer Engagement Reports (CERs), network architectures, authentication tokens, API keys, infrastructure configurations, project blueprints (including defense systems) and .

Most Significant System Affected: The most significant system affected in an incident were Red Hat Enterprise Linux and its derivatives and Red Hat OpenShift AI clusters (versions 2.19, 2.21, RHOAI)Jupyter notebook environmentsUnderlying infrastructure and hosted applications and Self-Managed GitLab Community Edition Instance (Red Hat Consulting).

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Avoid granting broad permissions to system-level groups (e.g., `system:authenticated`)Remove or restrict the `ClusterRoleBinding` associating `kueue-batch-user-role` with `system:authenticated`, Immediate Isolation of GitLab InstanceTermination of Attacker Access and Urgent credential rotationSecurity configuration reviews.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Customer Engagement Reports (800 CERs, 2020–2025), Configuration Data, Private Certificates (.pfx), Internal Project Data (28,000 projects, ~570 GB), network architectures, Internal Assets, project blueprints (including defense systems), Infrastructure Details, Consultancy Engagement Reports (CERs), Customer Documentation, Proprietary Code, Sensitive data hosted on the cluster, authentication tokens, infrastructure configurations, Customer Engagement Reports (CERs), Authentication Keys, API keys, Source Code and Database URIs.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 35.8M.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was Discouraged (Red Hat advises against paying).

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Defense industrial base remains vulnerable to precision-targeted intelligence collection.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Implement centralized oversight for consulting deliverables with sensitive data., Monitor dark web for stolen consulting data (e.g., CERs)., Enhance cross-agency coordination resilience during government disruptions., Apply the principle of least privilege for all permissions, especially job creation in OpenShift AI., Apply Security Patches Promptly, Assess defense contractor dependencies on third-party consulting firms., Develop playbooks for supply chain attacks during political/crisis windows., Update to patched versions of OpenShift AI once available., Rotate all certificates and credentials immediately., Monitor for leaked data on dark web forums and marketplaces., Enhance employee training to mitigate insider threats and social engineering risks., Harden Access Controls (GitLab Handbook Guidelines), Update Self-Managed GitLab Instances to Latest Version (GitLab Advisory), Audit and restrict `ClusterRoleBinding` associations to prevent over-permissive access., Avoid Storing Credentials/Keys in Repositories, Review and harden security configurations across all systems., Immediate patching to mitigate risks, Avoid paying ransoms to prevent incentivizing further attacks., Monitor for Downstream Attacks Leveraging Stolen Data, Monitor for unauthorized privilege escalation attempts in AI/ML platforms., Implement comprehensive incident response plans with third-party support., Strengthen internal controls and especially for consulting firms handling sensitive client data..

Most Recent Source: The most recent source of information about an incident are Red Hat Security Advisory, Kevin Beaumont (Mastodon), GBHackers (GBH), GitLab Security Handbook, Red Hat Blog Post, The Cipher Brief, Brian Krebs (Security Researcher), Telegram (Crimson Collective Leaks), BleepingComputer and Belgian Centre for Cybersecurity.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://about.gitlab.com/security/hardening/ .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Disclosed; mitigations provided, no patch yet.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Red Hat customers using OpenShift AI 2.19, 2.21, or RHOAI, No Evidence Other Red Hat Services/Products Affected, Confidence in Software Supply Chain Integrity, Affected organizations advised to contact Red Hat Consulting support for list of stolen files and remediation guidance., Belgian Centre for Cybersecurity (high-risk warning), .

Most Recent Customer Advisory: The most recent customer advisory issued were an Restrict permissions as outlined in the advisoryReview access controls for data scientists and other low-privilege roles, Potential Risk to Customer Infrastructure via Exposed Keys/URIs in CERs and Enterprises should assume all stolen data may become public; urgent action required for credential rotation and security reviews.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Self-Managed GitLab Community Edition Instance, Authenticated low-privilege account (e.g. and data scientist with Jupyter notebook access).

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Approximately 2 Weeks (Prior to Detection), breach occurred mid-September 2025Telegram channel established September 24, 2025.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Over-permissive `ClusterRoleBinding` for `system:authenticated` groupLack of granular permission controls for job creation, Potential insider threat or social engineering (linked to LAPSUS$ tactics)Inadequate security controls for high-value consulting assetsLack of proactive dark web monitoring for early threat detection, Over-reliance on third-party consulting firms with broad access.Lack of centralized patching for custom implementations.Political vulnerability exploitation (government shutdown timing).Extortion-as-a-service collaboration (Crimson Collective + ShinyHunters)..

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Remove broad `ClusterRoleBinding` associationsImplement least-privilege access for job creation, Overhaul of Red Hat Consulting’s security measures for client data protection.Implementation of adaptive behavioral WAF and network segmentation (recommended).Enhanced monitoring for anomalous access patterns..