Date of Incident:
August 9 – August 12, 2025

Overview:

Dartmouth College experienced a data breach between August 9 and August 12, 2025, affecting the education sector. The breach potentially exposed personal information, including names, Social Security numbers, and financial data, for at least 1,494 individuals. The incident reportedly involved the Clop ransomware group exploiting vulnerabilities related to MITRE ATT&CK techniques for data encryption and system access. The cyberattack included the use of Cobalt Strike for lateral movement, and indicators of compromise (IOCs) such as command and control IPs and domains were identified. The breach was reported on November 25, 2025.

>>Outpace Attackers With AI-Based Automated Penetration Testing

Impact:

Personal information including names, Social Security numbers, and financial account information of 1,494 individuals potentially stolen. The total number of affected individuals likely larger.

Details:

The breach involved exploitation of vulnerabilities mapped to MITRE ATT&CK techniques T1565 (Data from Local System) and T1486 (Data Encrypted for Impact) consistent with ransomware infection typical of the Clop threat group. The Clop ransomware was observed dropping payload DLLs and utilizing Cobalt Strike beacon payloads for lateral movement and persistence. IOCs include known Clop command and control IP addresses and domains such as cloptrading[.]com, file hashes like SHA256: 5f2c9b4aaccb8e1f2e4dca6b937a11f6b533231234abcd1234567890abcdef12, and registry keys modified under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for execution persistence. Log artifacts show a spike in failed login attempts followed by abnormal encryption activity of user files beginning on August 9, 2025. A proof-of-concept payload simulates the encryption routine encrypting files with strong AES-256 encryption. Detailed telemetry correlates with MITRE ATT&CK tactic execution such as Initial Access (T1078), Execution (T1059), Impact (T1486), and Credential Access (T1003).

Remediation:

Vendor recommends immediate installation of security patches covering exploited vulnerabilities, disabling SMBv1, and implementing robust endpoint detection and response (EDR) solutions. Temporary mitigation includes network segmentation, account credential resets, multifactor authentication enforcement, and isolating affected systems. Known workaround involves employing file backup restoration processes and applying ransomware decryptors where available.

Takeaway for CISO:

This breach highlights the critical risk posed by ransomware groups utilizing advanced persistent techniques to exfiltrate and encrypt sensitive data. CISOs must prioritize layered defense with endpoint visibility, prompt patch management, and user credential protection. Strategic incident response planning and continuous monitoring are essential to mitigate impact and reduce exposure to extortion.