Extortion group FulcrumSec leaks initial samples from 1.3TB Novo Nordisk data breach following failed $25M ransom demand
Following a limited incident disclosure by Novo Nordisk on June 11, the cyber extortion group FulcrumSec has claimed responsibility for an extensive network intrusion resulting in the exfiltration of 1.3 TB of data (approximately 700,000 files). The group published initial samples on its dark web leak site after Novo Nordisk reportedly refused a $25 million extortion demand.

Initial Access & Lateral Movement Vectors

Threat intelligence updates indicate that FulcrumSec maintained an extensive dwell time of over two months inside the infrastructure, having gained initial entry in March 2025. According to threat researchers and disclosure notes from the group, the entry vectors involved a combination of poor secret-management practices:

- Exposed Azure Credentials: Initial access was achieved via an Azure container registry credential that had been baked directly into a client-side JavaScript bundle.
- Compromised GitHub Tokens: The actors leveraged a plaintext GitHub personal access token discovered inside the environment, which granted them administrative privileges over hundreds of private source code repositories.
- Lateral Spidering: These initial repositories contained secondary API tokens, database credentials, and service account passwords, allowing the threat actors to spider horizontally across the internal infrastructure.

Exfiltrated Asset Profile

The data cache spans core intellectual property, research databases, and administrative networks. Samples posted online verify the compromise of:

- Proprietary AI Models: Roughly 494 GB of proprietary cell painting microscopy images, alongside 70 proprietary datasets and 30 trained machine learning models used in automated drug discovery.
- Clinical Trial Records: Pseudonymized trial records for approximately 11,500 research subjects across major historical programs (including the SELECT, FLOW, SOUL, and FOCUS trials). Exposed patient metadata includes alphanumeric subject IDs, sex, birth year, biomarkers, immunogenicity metrics, and specific lifestyle factors.
- Identifiable Provider PII: Non-pseudonymized directories containing names, registration numbers, active email addresses, WhatsApp numbers, and office locations for tens of thousands of healthcare professionals and physicians.

Current Status & Collateral Threats

A second threat actor, operating under the alias TheUSERS007, has separately claimed a concurrent or independent compromise of Novo Nordisk's infrastructure, suggesting overlapping access windows or unpatched peripheral vulnerabilities. FulcrumSec has publicly stated that it is engaging in private negotiations to auction off the underlying drug compound formulations and AI operational weights to interested third parties rather than dumping the full PII datasets publicly, framing this as a strategic alternative to open-sourcing the data. Novo Nordisk has stated that its core operational infrastructure remains up and running under heightened monitoring while internal systems are brought back online via controlled recovery workflows.

submitted by /u/technadu
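The secret-management failures described in the initial access section (a registry credential baked into a client-side bundle, a plaintext GitHub token, secondary secrets sitting in repositories) are exactly what a pre-deployment secret scan over build artifacts and repository files is meant to catch. The Python scanner below is an added example, not code from the article or from any party it names: the ghp_/github_pat_ prefixes are GitHub's documented token formats, while the credential-assignment heuristic, the entropy threshold, the azurecr.io context rule, and every sample file and value are constructed assumptions.

```python
import math
import re

# Constructed sample inputs (all values fabricated for this example): a built
# client-side JavaScript bundle and a CI env file checked into a repository.
SAMPLE_FILES = {
    "static/app.bundle.js": (
        'const registry = "contoso.azurecr.io";\n'
        'const acrPassword = "Qv7kL2pX9mN4tR8wZ1yB6cH3sD5fG0jA";\n'
        'const hint = "enter your key";\n'
    ),
    "deploy/ci.env": "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\nDB_PASSWORD=changeme\n",
}

# ghp_/github_pat_ are GitHub's documented PAT prefixes. ACR passwords have no fixed
# prefix, so the assignment rule (assumed heuristic) flags credential-like names
# assigned a random-looking value, and notes any azurecr.io host in the same file.
GITHUB_PAT = re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")
ASSIGNMENT = re.compile(r"(?i)[\w.-]*(password|passwd|pwd|secret|token|api[_-]?key)"
                        r"[\w.-]*\s*[=:]\s*['\"]?([^'\"\s;,]+)")
ACR_HOST = re.compile(r"\b[\w-]+\.azurecr\.io\b")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off separating secrets from words

def shannon_entropy(s: str) -> float:
    # Random secrets score high; words like "changeme" score low and are skipped.
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

def mask(value: str) -> str:
    # Findings carry only a short prefix so the report itself never leaks the secret.
    return value[:4] + "..." if len(value) > 4 else "..."

def scan_files(files: dict[str, str]) -> list[dict]:
    findings = []
    for path, text in files.items():
        registries = sorted(set(ACR_HOST.findall(text)))
        for line_no, line in enumerate(text.splitlines(), start=1):
            pat = GITHUB_PAT.search(line)
            if pat:  # high-confidence match: report and move on
                findings.append({"path": path, "line": line_no, "rule": "github_pat",
                                 "preview": mask(pat.group(1)), "registries": []})
                continue
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": line_no, "rule": "credential_assignment",
                                 "preview": mask(m.group(2)), "registries": registries})
    return findings
```

Run as a CI gate on the built bundle and the repository tree, any finding fails the build before the artifact ships; the low-entropy `changeme` value and the `hint` string are deliberately left unflagged to show the noise reduction.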