Harvard University

Harvard University was targeted in a cyberattack by the Cl0p (Clop) ransomware group, which exploited a zero-day vulnerability (CVE-2025-61882, CVSS 9.8) in Oracle E-Business Suite (EBS). Oracle issued an emergency patch in early October 2025, after the flaw had already been exploited in the wild. The attackers leaked 1.3 TB of data they claim to have stolen, including financial, HR, customer, supplier, and inventory information, though Harvard said the breach was limited to a small administrative unit. Cl0p, known for double extortion (data theft followed by ransom demands), published the data on its Tor leak site and threatened further exposure. The campaign's extortion emails were sent from compromised third-party email accounts, and reporting on the campaign also cites abuse of Oracle EBS's default password-reset functionality to gain unauthorized access. While Harvard downplayed the incident, data exfiltration on this scale, touching employee, student, and operational records, carries serious reputational, financial, and operational risk. Cl0p, linked to FIN11 and the Russian-speaking cybercrime group TA505, has a history of mass-exploitation campaigns against file-transfer products, including MOVEit Transfer, GoAnywhere MFT, and Accellion FTA.

Source: https://securityaffairs.com/183379/security/harvard-university-hit-in-oracle-ebs-cyberattack-1-3-tb-of-data-leaked-by-cl0p-group.html

TPRM report: https://www.rankiteo.com/company/harvardcid

"id": "har2592125101425",
"linkid": "harvardcid",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Higher Education',
                        'location': 'Cambridge, Massachusetts, USA',
                        'name': 'Harvard University',
                        'size': 'Large (~20,000 students, ~16,000 staff)',
                        'type': 'Educational Institution'}],
 'attack_vector': ['Exploitation of Vulnerability (CVE-2025-61882)',
                   'Credential Theft via Default Password Reset',
                   'Mass Extortion Campaign'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': 'Likely (if '
                                                        'HR/customer data '
                                                        'included)',
                 'sensitivity_of_data': 'Varies by victim (high for '
                                        'HR/financial)',
                 'type_of_data_compromised': ['Financial',
                                              'HR',
                                              'Customer',
                                              'Supplier',
                                              'Inventory']},
 'date_detected': '2025-10-01',
 'date_publicly_disclosed': '2025-10-14',
 'description': 'Harvard University confirmed being targeted in the Oracle '
                'E-Business Suite (EBS) campaign by the Cl0p ransomware group, '
                'which leaked 1.3 TB of allegedly stolen data. The breach was '
                'limited to a small administrative unit, with attackers '
                'exploiting a recently patched zero-day vulnerability '
                '(CVE-2025-61882) in Oracle EBS. The Cl0p group, known for '
                'double extortion tactics, published the data on its leak site '
                'and demanded ransom. The incident is part of a broader '
                'extortion campaign targeting dozens of organizations, with '
                'stolen data including financial, HR, customer, supplier, and '
                'inventory information.',
 'impact': {'brand_reputation_impact': 'Moderate (public disclosure of breach '
                                       'by prestigious institution)',
            'data_compromised': '1.3 TB',
            'identity_theft_risk': 'Potential (depends on compromised data '
                                   'types)',
            'operational_impact': 'Limited (confined to administrative unit)',
            'payment_information_risk': 'Potential (if financial/HR data '
                                        'included)',
            'systems_affected': ['Oracle E-Business Suite (limited to a small '
                                 'administrative unit)']},
 'initial_access_broker': {'entry_point': ['Oracle EBS vulnerability '
                                           '(CVE-2025-61882)',
                                           'Hacked user emails',
                                           'Default password reset '
                                           'exploitation'],
                           'high_value_targets': ['Administrative units',
                                                  'Executives (for extortion '
                                                  'emails)']},
 'investigation_status': 'Ongoing (as of 2025-10-14)',
 'motivation': 'Financial Gain (Extortion)',
 'post_incident_analysis': {'root_causes': ['Unpatched Oracle EBS '
                                            'vulnerability (CVE-2025-61882)',
                                            'Weak credential management '
                                            '(default password reset '
                                            'exploitation)',
                                            'Lack of segmentation for '
                                            'administrative systems']},
 'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'Cl0p'},
 'recommendations': ['Patch management for third-party software (e.g., Oracle '
                     'EBS)',
                     'Monitoring for credential theft via default password '
                     'resets',
                     'Segmentation of high-value administrative systems',
                     'Proactive threat hunting for Cl0p/TA505 indicators',
                     'Employee training on extortion email phishing'],
 'references': [{'date_accessed': '2025-10-14',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.com/183379/security/harvard-university-hit-in-oracle-ebs-cyberattack-1-3-tb-of-data-leaked-by-cl0p-group.html'},
                {'date_accessed': '2025-10',
                 'source': 'Google Threat Intelligence Group (GTIG) & '
                           'Mandiant'},
                {'date_accessed': '2025-10', 'source': 'CrowdStrike'},
                {'date_accessed': '2025-10',
                 'source': 'Oracle Security Alert Advisory (CVE-2025-61882)'}],
 'response': {'communication_strategy': ['Public confirmation of breach',
                                         'Downplaying scope (limited to '
                                         'administrative unit)'],
              'containment_measures': ['Isolation of affected Oracle EBS unit',
                                       'Patch application (CVE-2025-61882)'],
              'incident_response_plan_activated': True,
              'third_party_assistance': ['Google Threat Intelligence Group '
                                         '(GTIG)',
                                         'Mandiant',
                                         'CrowdStrike']},
 'threat_actor': {'active_since': '2019 (emerged from TA505, active since '
                                  '2014)',
                  'aliases': ['Clop', 'TA505'],
                  'associated_campaigns': [{'description': 'Exploited SQL '
                                                           'injection zero-day '
                                                           '(CVE-2023-34362), '
                                                           'impacting hundreds '
                                                           'of global '
                                                           'companies.',
                                            'name': 'MOVEit Transfer (2023)'},
                                           {'description': 'Exploited zero-day '
                                                           'in file-transfer '
                                                           'appliance, '
                                                           'stealing data from '
                                                           '~100 '
                                                           'organizations.',
                                            'name': 'Accellion FTA '
                                                    '(2020–2021)'},
                                           {'description': 'Targeted flaw '
                                                           '(CVE-2023-0669), '
                                                           'compromising over '
                                                           '130 organizations.',
                                            'name': 'GoAnywhere MFT (2023)'}],
                  'avoidance': ['Targets in former Soviet countries',
                                'Systems with Russian as primary language'],
                  'motivation': 'Financial Gain',
                  'name': 'Cl0p Ransomware Group (aka Graceful Spider)',
                  'notable_victims': ['Shell',
                                      'British Airways',
                                      'Bombardier',
                                      'University of Colorado',
                                      'PwC',
                                      'BBC'],
                  'origin': 'Russian-speaking',
                  'tactics': ['Big-Game Hunting',
                              'Double Extortion',
                              'Zero-Day Exploitation',
                              'Initial-Access Broker Collaboration',
                              'Automation',
                              'Lateral Movement']},
 'title': 'Harvard University Oracle EBS Cyberattack by Cl0p Ransomware Group',
 'type': ['Data Breach', 'Ransomware Attack', 'Extortion'],
 'vulnerability_exploited': {'cve_id': 'CVE-2025-61882',
                             'cvss_score': 9.8,
                             'description': 'Critical vulnerability in Oracle '
                                            'E-Business Suite (12.2.3–12.2.14) '
                                            'allowing unauthenticated remote '
                                            'attackers to take control of the '
                                            'Oracle Concurrent Processing '
                                            'component via HTTP.',
                             'patch_status': 'Emergency patch released via '
                                             'Oracle Security Alert (October '
                                             '2025)'}}
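Oracle scopes CVE-2025-61882 to EBS releases 12.2.3 through 12.2.14, so the first triage step for an EBS estate is a release-range check against the inventory. The following is an added example written for this page; it is not Oracle tooling and not Rankiteo's code. The hostnames, release strings and the `security_alert_applied` flag are constructed assumptions for the demo. It compares releases as integer tuples rather than strings, because as strings "12.2.14" sorts before "12.2.3" and a naive comparison would miss the newest affected release.

```python
"""Added example (not from the page's source or from Oracle): triage an Oracle
E-Business Suite inventory against the release range Oracle lists as affected
by CVE-2025-61882, 12.2.3 through 12.2.14 inclusive.

Everything below the constants is constructed for this demo: the hostnames,
release strings and the `security_alert_applied` flag are assumptions, not
data from any real environment.
"""
import re
from typing import NamedTuple

# Affected range per Oracle's advisory, as comparable integer tuples.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Accepts "12.2.14", "R12.2.3" or "12.2" (third component optional).
_RELEASE_RE = re.compile(r"^R?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_release(text: str) -> tuple[int, int, int]:
    """Convert an EBS release string into an integer tuple.

    Comparing release strings lexicographically is the classic mistake here:
    "12.2.14" < "12.2.3" as strings, so a string-based range check would miss
    the newest affected release. Integer tuples compare the way versions do.
    """
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EBS release string: {text!r}")
    major, minor, point = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(point)


def is_affected_release(text: str) -> bool:
    """True if the release falls inside the range Oracle lists as affected."""
    return AFFECTED_MIN <= parse_release(text) <= AFFECTED_MAX


class Host(NamedTuple):
    name: str
    release: str
    security_alert_applied: bool  # assumed flag: October 2025 emergency patch applied?


def triage(hosts: list[Host]) -> dict[str, list[str]]:
    """Bucket hosts by what needs doing.

    "outside_listed_range" means "not in Oracle's affected list", not "safe":
    releases older than 12.2.3 are out of support and should be reviewed
    against the advisory rather than assumed unaffected.
    """
    buckets: dict[str, list[str]] = {
        "needs_patch": [],
        "patched": [],
        "outside_listed_range": [],
        "unparseable": [],
    }
    for h in hosts:
        try:
            affected = is_affected_release(h.release)
        except ValueError:
            buckets["unparseable"].append(h.name)
            continue
        if not affected:
            buckets["outside_listed_range"].append(h.name)
        elif h.security_alert_applied:
            buckets["patched"].append(h.name)
        else:
            buckets["needs_patch"].append(h.name)
    return buckets


# Constructed sample inventory (hypothetical hosts, not real assets).
SAMPLE_INVENTORY = [
    Host("ebs-prod-01", "12.2.14", False),
    Host("ebs-prod-02", "R12.2.10", True),
    Host("ebs-test-01", "12.2.3", False),
    Host("ebs-legacy-01", "12.1.3", False),
    Host("ebs-cmdb-stale", "unknown", False),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Hosts that land in "unparseable" are worth chasing rather than ignoring: a CMDB entry with no usable release string is exactly the internet-facing EBS instance that gets missed during an emergency patch cycle.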