November 2025 became a defining moment for the global cybersecurity landscape. A cascade of cyberattacks — spanning elite universities, major city councils, corporate giants, critical public infrastructure, and leading crypto exchanges — revealed just how vulnerable even the most fortified institutions remain. From low-tech phone scams to highly coordinated zero-day exploits, attackers demonstrated alarming sophistication and audacity. The breadth of these incidents offers a stark warning to every organisation navigating the digital age: cyber threats in 2025 are systemic, interconnected, and evolving faster than many defences can keep up.
Academia in the Crosshairs: Education Sector Breaches Surge in November 2025
Even elite universities proved vulnerable this month. Harvard University disclosed that an “unauthorized party” accessed its Alumni Affairs and Development Office systems after a phone-based phishing ruse duped a staff member. Attackers potentially obtained donor contact details, event attendance records, and other sensitive alumni information – a trove thankfully not including Social Security numbers or financial accounts.
The Harvard breach echoed a troubling pattern: it followed similar attacks on donor databases at Princeton University earlier in November and the University of Pennsylvania in October. In those cases, hackers also tricked staff via phone calls, then rifled through alumni and donor records – even emailing “We got hacked” notices to thousands at Penn while threatening to leak 1.2 million records. The motives appeared part financial, part ideological; at Penn, the intruders dumped internal memos and ranted about “legacies, donors and unqualified affirmative action admits” in expletive-laced emails.
Not all campus breaches relied on social engineering. Dartmouth College revealed that a zero-day exploit against its Oracle E-Business Suite financial software exposed names, Social Security numbers, and bank details of nearly 1,500 people. The Clop ransomware gang claimed responsibility after siphoning off 1.8 terabytes of Dartmouth’s data. That same Oracle E-Business Suite vulnerability was a common thread across many November attacks, demonstrating how a single flaw in widely deployed vendor software can open countless doors at once. For academia, the lessons were clear: phishing and vishing remain the weakest link, and a vulnerability in a supplier’s product can bypass even well-maintained internal controls, because the victim cannot patch what the vendor has not yet fixed. These incidents underscore why educational institutions — rich in sensitive data but often stretched thin on cybersecurity resources — continue to be prime targets.
Government Services Disrupted: Public Sector Cyberattacks Expose Systemic Weaknesses
Cybercriminals didn’t spare the public sector either. In London, three major borough councils – Kensington and Chelsea, Westminster, and Hammersmith & Fulham – were forced into emergency mode after a coordinated cyberattack struck their shared IT systems. The attack shut down websites, phone lines, and online services relied on by more than half a million residents. Council officials activated backup processes and warned residents of delays in everything from council tax payments to social care services. The incident highlighted how shared digital infrastructure can magnify the impact of a single breach: one attack effectively disabled the services of three local governments at once.
Across the Atlantic, a post-mortem in Nevada revealed how expensive and long-lasting a breach can become. An intrusion that began in May was later confirmed as a ransomware attack that silently spread across more than 60 state agencies, exposing thousands of files and resulting in over $1.3 million in cleanup costs. The state refused to pay the ransom and only uncovered the full extent of the breach months later, showing how the lack of real-time detection remains a critical weakness in sprawling government networks. In another alarming incident, hackers targeted the CodeRED emergency alert system used by numerous U.S. communities. Ransomware crippled the platform’s ability to send urgent alerts about public safety issues such as fires, floods, and missing persons. The disruption served as a stark reminder of how cyberattacks increasingly intersect with physical safety, and of how willing attackers are to exploit even life-saving systems for leverage.
Ransomware Gangs Expand Operations: Zero-Days, Supply Chains, and Insider Talent
For corporate victims worldwide, November 2025 was marked by a surge in ransomware activity and extortion attempts. The Clop ransomware group, in particular, executed one of the most significant supply-chain attacks of the year. By exploiting a zero-day vulnerability in Oracle’s widely deployed business software, Clop infiltrated multiple high-profile organizations almost simultaneously. The Washington Post became one of the most visible victims, losing payroll and personal details for nearly 10,000 employees and contractors. Clop quietly harvested names, bank account numbers, Social Security numbers, and more — all by weaponising a single supplier’s software flaw. Other companies impacted included media conglomerates and global tech firms, revealing how supply-chain weak points continue to be among the most dangerous vectors for mass exploitation.
Meanwhile, the Qilin ransomware group targeted Japan’s brewing giant Asahi with an attack so disruptive it halted nationwide beer production for weeks. Qilin claimed to have stolen financial and employee records; Asahi refused to pay the ransom, and the prolonged production outage caused supply shortages of some of the country’s most iconic beverages. This incident vividly illustrated how ransomware can ripple beyond digital systems and disrupt physical supply chains. Other infamous groups such as ALPHV (BlackCat) and LockBit remained active, continuing their “double extortion” schemes: stealing data first and then threatening to publish it if the ransom is not paid. In a rare counterstrike from law enforcement, U.S. prosecutors unsealed indictments against three former cybersecurity professionals accused of acting as insider affiliates for ALPHV, showing how cybercrime ecosystems increasingly blur the line between legitimate expertise and criminal operations.
High-Profile Corporate and Crypto Breaches: Financial Sector and Web3 Targeted
Alongside ransomware, November saw major attacks on private companies and cryptocurrency platforms. One of the month’s most striking incidents was the attack on Upbit, South Korea’s largest cryptocurrency exchange. Hackers siphoned off roughly $30 million worth of digital assets in a single breach. Investigators quickly linked the incident to the Lazarus Group — a state-backed North Korean operation known for industrial-scale crypto theft. The breach occurred just hours before a major acquisition announcement involving Upbit’s parent company, raising suspicions about strategic timing intended to maximise leverage or distraction.
Corporate breaches weren’t limited to crypto. DoorDash disclosed a major breach that exposed customer, driver, and merchant information after an employee fell for a social engineering scam, giving the attacker a foothold through a legitimate account. While financial details remained protected, millions of users were asked to stay alert for possible phishing attempts using the stolen contact data. Global payment processor Checkout.com also confirmed that attackers accessed legacy cloud storage files, stealing documents and internal materials. The same attackers later expanded their campaign by compromising a third-party integration to access Salesforce data across more than 200 companies, one of the most significant CRM-related supply-chain breaches of the year. Even the real-estate finance sector was hit. SitusAMC reported a breach exposing extensive loan documents and contracts from major banks, demonstrating once again that attackers will pursue any data with financial or strategic value.
Cybersecurity Trends 2025: What November’s Attacks Reveal
The wave of November attacks revealed several defining trends shaping the cybersecurity landscape:
1. Supply-Chain Vulnerabilities as a Dominant Vector
Many incidents were indirect breaches via shared systems, contractor access, or widespread enterprise software. This reflects a rising pattern: attackers prefer hitting one supplier to compromise dozens of downstream organisations.
2. Rise of “Silent” Data Theft
Instead of immediately deploying ransomware, attackers increasingly exfiltrate sensitive data quietly and later use it for extortion. This model allows them to operate undetected for weeks or months.
3. Human Error and Insider Threats
Phishing, vishing, and manipulated employees played a central role in many breaches. The indictment of former cybersecurity professionals collaborating with criminal groups further demonstrates how insider risks are evolving.
4. Fragmented Groups Joining Forces
The emergence of a new extortion collective combining members of several notorious hacking crews shows how cybercriminals now pool expertise and infrastructure — essentially creating “extortion-as-a-service” models.
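Trend 2 above describes the pattern that makes these breaches expensive: data leaves slowly, in daily volumes that are individually unremarkable, to a destination the victim has never talked to before. The following Python script is an added example, not code from the original article or from any of the organisations named in it. It runs a simple baseline-versus-recent check over constructed egress flow records (hostnames, IP addresses and byte counts are invented for illustration) and flags host/destination pairs that were absent from the baseline window yet appear on many consecutive days afterwards with a large cumulative total. The thresholds are assumptions to be tuned per environment.

```python
"""Low-and-slow exfiltration detector over constructed egress flow records.

Added example. The flow records below are constructed for illustration and
use documentation IP ranges; they are not data from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024


def build_sample_flows(start=datetime(2025, 11, 1)):
    """Return constructed (timestamp, host, destination, bytes_out) records
    covering 14 days for three internal hosts."""
    flows = []
    for day in range(14):
        ts = start + timedelta(days=day, hours=10)
        # build-01 pushes artifacts to the same external store every day:
        # high volume, but present in the baseline window, so it is normal.
        flows.append((ts, "build-01", "192.0.2.50", 400 * MB))
        # hr-ws-02 talks to one SaaS endpoint daily and touches a new host
        # exactly once on day 9: new, but not persistent.
        flows.append((ts, "hr-ws-02", "192.0.2.10", 5 * MB))
        if day == 9:
            flows.append((ts, "hr-ws-02", "198.51.100.7", 2 * MB))
        # fin-ws-07 behaves normally for a week, then trickles ~15 MB/day to
        # a destination never seen before: the "silent" exfiltration pattern.
        flows.append((ts, "fin-ws-07", "192.0.2.10", 6 * MB))
        if day >= 7:
            flows.append((ts + timedelta(hours=12), "fin-ws-07",
                          "203.0.113.44", 15 * MB))
    return flows


def detect_slow_exfil(flows, baseline_days=7, min_active_days=5,
                      min_total_bytes=50 * MB):
    """Flag (host, dest) pairs where dest was never contacted by host during
    the first `baseline_days` days, but is contacted on at least
    `min_active_days` distinct days afterwards with cumulative egress of at
    least `min_total_bytes`. Thresholds are illustrative assumptions."""
    if not flows:
        return []
    first_day = min(f[0] for f in flows).date()
    cutoff = first_day + timedelta(days=baseline_days)

    baseline_dests = defaultdict(set)                       # host -> known dests
    recent = defaultdict(lambda: {"days": set(), "bytes": 0})  # (host, dest) -> stats
    for ts, host, dest, nbytes in flows:
        if ts.date() < cutoff:
            baseline_dests[host].add(dest)
        else:
            stats = recent[(host, dest)]
            stats["days"].add(ts.date())
            stats["bytes"] += nbytes

    alerts = []
    for (host, dest), stats in recent.items():
        if dest in baseline_dests[host]:
            continue  # destination already part of this host's normal traffic
        if len(stats["days"]) >= min_active_days and stats["bytes"] >= min_total_bytes:
            alerts.append({
                "host": host,
                "dest": dest,
                "active_days": len(stats["days"]),
                "total_bytes": stats["bytes"],
            })
    # Largest cumulative transfer first
    return sorted(alerts, key=lambda a: a["total_bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_slow_exfil(build_sample_flows()):
        print(f"{alert['host']} -> {alert['dest']}: "
              f"{alert['active_days']} days, {alert['total_bytes'] // MB} MB")
```

Against the constructed sample, only fin-ws-07 is flagged: build-01 moves far more data but to a destination already in its baseline, and hr-ws-02's single contact with a new host never reaches the day-count threshold. In production the same logic would be fed from proxy or NetFlow exports, the baseline would be rebuilt on a rolling window, and destinations would be normalised (for example to an ASN or SNI) so that an attacker rotating IP addresses does not reset the count.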
In light of November’s surge in cyberattacks, Ruta’s experts recommend a focused, multilayered defence strategy: reinforce identity and access controls with strong MFA and zero-trust measures; secure your supply chain by ensuring vendors meet strict security standards; invest in proactive detection tools like behavioural analytics and anomaly monitoring; maintain well-tested incident-response plans and reliable backups; and build a strong security culture where staff confidently report anything suspicious. If you’re ready to strengthen your organisation’s cyber resilience, contact Ruta today — our team is here to support you.