Hacked Australian Super Funds appear to be Oracle Cloud customers.
An industry-spanning coordinated cyber attack resulting in the theft of hundreds of thousands of dollars was launched today. We suspect many of the funds were listed in the Oracle Cloud breach data set.
Aussie news outlets today have reported a sophisticated, coordinated cyber attack on a number of superannuation providers.
This major event comes just days after large-scale breaches of Oracle Cloud infrastructure involving hundreds of thousands of customers.
Who’s impacted?
The superannuation funds currently published as affected:
Australian Retirement Trust
Australian Super
REST Super
Hostplus
Insignia
Oracle Cloud Breach(es)
The Oracle Cloud breach was initially documented and published by CloudSEK, who had downloaded and analysed the redacted data published by the original attacker, rose87168.
CloudSEK have kindly provided the public with a tool to check if a given domain name appears in the original dataset published by the threat actor.
https://exposure.cloudsek.com/oracle
Stitching it all together
Let’s do a quick dig into the affected Aussie Super funds to see if their member login portal domains are listed in the original Oracle list.
The exposure checking tool from CloudSEK only checks the registered base domain (referred to loosely here as the TLD, Top Level Domain), not the full hostname. If we search for domain1.domain2.com we will only be checking domain2.com, so a YES below confirms only that at least the base domain is explicitly present in the dataset.
Australian Retirement Trust
Domain: member.secure.australianretirementtrust.com.au
Present in 2025 Oracle attack List: YES
Australian Super
Domain: australiansuper.com
Present in 2025 Oracle attack List: YES
REST Super
Domain: member.aas.com.au
Present in 2025 Oracle attack List: YES
Hostplus
(Is owned by Westpac utilising the services from qvalent.com)
Domain: qvalent.com
Present in 2025 Oracle attack List: YES
Insignia (Owner of MLC Super)
Domain: login.mlc.com.au
Present in 2025 Oracle attack List: YES
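As an added example (not code from CloudSEK or from this post), the following Python reduces the portal hostnames listed above to the base domain that a domain-level lookup actually matches on, and shows why a naive "last two labels" split fails for .com.au names. The suffix set is a small constructed subset of the Public Suffix List, and the function names are hypothetical.

```python
# Constructed subset of the Public Suffix List (assumption: a real check loads the full list).
PUBLIC_SUFFIXES = {"com", "au", "com.au", "net.au", "org.au"}

# Member-portal hostnames as listed in the post.
PORTAL_HOSTS = [
    "member.secure.australianretirementtrust.com.au",
    "australiansuper.com",
    "member.aas.com.au",
    "qvalent.com",
    "login.mlc.com.au",
]


def _labels(hostname):
    return hostname.strip().rstrip(".").lower().split(".")


def naive_base_domain(hostname):
    """Last two labels: wrong for multi-label suffixes such as com.au."""
    return ".".join(_labels(hostname)[-2:])


def registrable_domain(hostname):
    """Longest matching public suffix plus one label, or None if there is none."""
    labels = _labels(hostname)
    for i in range(len(labels)):  # i = 0 tests the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def lookup_scope(hostnames):
    """Map each base domain to the hostnames a domain-level hit would cover.

    A hit on the base domain does not confirm that any specific
    subdomain (for example a login portal) is itself in the dataset.
    """
    scope = {}
    for host in hostnames:
        scope.setdefault(registrable_domain(host), []).append(host)
    return scope


if __name__ == "__main__":
    for base, hosts in lookup_scope(PORTAL_HOSTS).items():
        for host in hosts:
            note = "exact host" if host == base else "base domain only"
            print(f"{host:50} -> {str(base):35} ({note}; naive: {naive_base_domain(host)})")
```

For three of the five hostnames the lookup covers only the base domain, so a YES says nothing about the specific login portal host.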
What does it all mean?
Given that many, if not all, of the currently affected super providers are also present in the Oracle breach data, could we infer that the information exfiltrated from Oracle has been sold and is now being used to attack independent commercial entities utilising Oracle Cloud services?
I wouldn’t want to draw this conclusion lightly. I think more research and evidence would be required. But a cursory glance may suggest that the Oracle data has potentially given way to further attacks from possibly new threat actors.