On Monday morning, TU/e released reports on the cyberattack that caused days of disruption to teaching last January. At the time, the university took its network offline as a precaution.
Fox-IT, the company that investigated the incident on behalf of the university, believes that the hacker probably intended to lock down the systems. Using so-called ransomware, hackers can block access to systems, only restoring it after a ransom has been paid.
Stolen passwords
TU/e proved resilient, the evaluation report notes, but its security can still be improved. The hacker accessed the network remotely using stolen usernames and passwords. Two-factor authentication (involving an extra check via a mobile phone) could have prevented this.
TU/e was in fact already aware that these login credentials had been stolen and were circulating on the dark web. Affected staff and students had previously been asked to change their passwords – but some ‘changed’ theirs to the exact same (and therefore still compromised) password. “We hadn’t blocked them technically,” chief information security officer Martin de Vries told the university magazine Cursor.
Inexperienced attacker
The hacker is unlikely to have had much experience. After a few days, he tried to disable the backups and installed a tool that triggered the alarm bells. “He basically kicked the door in,” De Vries told Cursor. “I’d have expected him to try and stay under the radar for longer.”
Who was behind the attack is still unknown. Fox-IT did find traces of Cyrillic script, but it wasn’t enough to determine the origin.
Higher education is increasingly being targeted by cyberattacks. The most well-known case is the ransomware attack on Maastricht University, where a ransom of EUR 200,000 was paid – although the university later recouped the money with interest.
HOP, Bas Belleman
Comments are closed.