Harvard University confirmed it was targeted in the Oracle E-Business Suite campaign after the Cl0p ransomware group listed it on its leak site. The cybercrime group claims to have leaked 1.3 TB of data allegedly stolen from the university. Harvard sought to downplay the incident, explaining that the breach appears to be limited to a small administrative unit.
The Cl0p ransomware group recently announced the hack of Harvard University, creating a page for the university on its Tor data leak site and promising to publish the stolen data soon.
“PAGE CREATED, DATA ARCHIVING IS IN PROGRESS… A TORRENT LINK WILL BE AVAILABLE SOON … !!!” reads the announcement on its leak site.
“The company doesn’t care about its customers, it ignored their security!!!”
Harvard University revealed it was targeted in the Oracle EBS campaign, in which attackers exploited a recently patched vulnerability. The university states there is no evidence that other systems were compromised. Google Threat Intelligence Group (GTIG) and Mandiant report that dozens of organizations were targeted, with stolen data including financial, HR, customer, supplier, and inventory information, varying in sensitivity from victim to victim.
Google Threat Intelligence Group and Mandiant analyzed the Oracle E-Business Suite extortion campaign and documented the malware used in it. Attackers exploited EBS flaws patched in July and likely a zero-day (CVE-2025-61882), and sent extortion emails to company executives.
In early October, Google Mandiant and Google Threat Intelligence Group (GTIG) researchers tracked a suspected Cl0p ransomware group’s activity, where threat actors were attempting to extort executives with claims of stealing Oracle E-Business Suite data.
Cybersecurity firm Halcyon reported that the attackers likely compromised user email accounts and abused Oracle E-Business Suite's default password-reset function to obtain valid credentials.
An email address in the extortion notes ties to a Cl0p affiliate, and the notes include contacts listed on the Cl0p leak site, but Google has been unable to verify the attackers' claims.
Mandiant CTO Charles Carmakal said the attackers are using hundreds of compromised accounts in a mass extortion campaign; at least one account links to the financially motivated group FIN11.
Oracle released an emergency patch to address a critical vulnerability, tracked as CVE-2025-61882 (CVSS 9.8), in its E-Business Suite. The flaw was exploited by the Cl0p ransomware group in data-theft attacks. Unauthenticated remote attackers can exploit it to take control of the Oracle Concurrent Processing component.
CVE-2025-61882 affects Oracle E-Business Suite versions 12.2.3 through 12.2.14 (BI Publisher Integration). Experts warn it is easily exploitable over HTTP, with no authentication required.
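For teams triaging exposure, the first question is which EBS instances fall inside the affected version range and still lack the emergency fix. The script below is an added example (not from the article, Oracle, or any of the vendors cited) that compares versions numerically rather than as strings, so that 12.2.10 is correctly ranked above 12.2.9. The inventory records, the `emergency_patch_applied` flag and the host names are constructed for illustration; only the affected range 12.2.3 through 12.2.14 comes from the article.

```python
"""Triage an Oracle EBS inventory against the CVE-2025-61882 affected range.

Added example, not from the article or from Oracle. The inventory below is
constructed; in practice it would come from a CMDB or from the patch level
reported by each instance. The range 12.2.3..12.2.14 is the one quoted in
the article; the 'emergency_patch_applied' flag is a hypothetical field
meaning the October 2025 emergency fix has been applied.
"""
from dataclasses import dataclass

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(s: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10).

    Numeric tuples compare correctly; a plain string comparison would rank
    '12.2.10' below '12.2.9' and silently mis-triage newer releases.
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version: str) -> bool:
    """True if the version lies within 12.2.3..12.2.14 inclusive."""
    v = parse_version(version)
    v = (v + (0, 0, 0))[:3]          # pad so '12.2' compares as (12, 2, 0)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


@dataclass
class EbsHost:
    name: str
    version: str
    emergency_patch_applied: bool    # hypothetical flag, see module docstring
    internet_facing: bool


def triage(hosts):
    """Return hosts that are still exposed: affected version, fix not applied.

    Internet-facing hosts are listed first because the flaw is reachable
    over HTTP without authentication, so they are the ones to patch first.
    """
    exposed = [
        h for h in hosts
        if in_affected_range(h.version) and not h.emergency_patch_applied
    ]
    return sorted(exposed, key=lambda h: (not h.internet_facing, h.name))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    EbsHost("ebs-prod-01", "12.2.10", emergency_patch_applied=False, internet_facing=True),
    EbsHost("ebs-prod-02", "12.2.14", emergency_patch_applied=True, internet_facing=True),
    EbsHost("ebs-dev-01", "12.2.3", emergency_patch_applied=False, internet_facing=False),
    EbsHost("ebs-legacy", "12.1.3", emergency_patch_applied=False, internet_facing=True),
    EbsHost("ebs-test", "12.2.9", emergency_patch_applied=False, internet_facing=False),
]


def exposed_names(hosts=SAMPLE_INVENTORY):
    """Names of exposed hosts, internet-facing first."""
    return [h.name for h in triage(hosts)]


if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        where = "internet-facing" if h.internet_facing else "internal"
        print(f"{h.name}: {h.version} ({where}) still exposed to CVE-2025-61882")
```

A version match is a necessary, not sufficient, test: an instance outside the range is not automatically safe from the separately exploited July-patched flaws the article mentions, and an instance inside the range that has already been reached needs log review and a credential reset, not just the patch.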
CrowdStrike researchers attributed with moderate confidence the exploitation of Oracle E-Business Suite flaw CVE-2025-61882 (CVSS 9.8) to the Cl0p group, also known as Graceful Spider.
Clop (aka Cl0p) is a prolific Russian-speaking ransomware-as-a-service group specializing in big-game hunting and double extortion.
The Clop ransomware group first appeared on the threat landscape around February 2019, emerging from the TA505 cybercrime group, a financially motivated gang active since at least 2014.
Like other Russia-based threat actors, Clop avoids targets in former Soviet countries and its malware can’t be activated on a computer that operates primarily in Russian.
Operators and affiliates identify high-value targets, steal sensitive data, encrypt networks, then publish stolen files on data-leak sites to pressure victims into paying. Clop exploits zero-days and vulnerable third-party software (e.g., MOVEit, GoAnywhere, Oracle EBS), leverages initial-access brokers and automation, and uses sophisticated evasion and lateral-movement techniques to maximize impact and monetization.
Clop’s victims include Shell, British Airways, Bombardier, University of Colorado, PwC, and the BBC.
The group conducted major campaigns including:
(SecurityAffairs – hacking, Harvard University)