“No, it isn't a question of whether a cyber attack ever happens, but when,” says Hein van Lent, policy officer Information Management & Services, who had been busy at TU/e since March with the preparations for the cyber attack. Having been involved from the very beginning, he was unable to take part personally in repelling the attack last week Thursday and Friday, although he was present at the evaluation held in Utrecht.
The attack in a nutshell. On Thursday the attackers start by making a diversionary move: the university website is defaced, meaning that fake news is posted and the administrator is denied access. Shortly after, a report is received that an unknown person on campus intends to carry out an attack on the infrastructure. The individual fails but manages to elude security staff, and in so doing loses a memory stick containing essential information. In the meantime, it becomes apparent that the systems of the Executive Board, Personnel and Real Estate Management have been contaminated. A demand for payment is received, in return for which access to these systems will be restored. It turns out that ten days earlier the hackers managed to gain access to the system by sending a phishing email. The decision is taken not to pay and the entire network is shut down to prevent worse things happening.
An attack of this caliber is not something TU/e has ever had to deal with, tells Van Lent, “but without a doubt attempts are being made every day at all kinds of levels to gain access to our personal data and all sorts of confidential information.”
SURF, the collaborative organization for ICT in Dutch higher education, set up the attack, entitled OZON2018, to allow institutions to practice dealing in as realistic a way possible with the problems and hazards that go hand in hand with an attack of this nature. Van Lent: “It was fantastic to collaborate on this assignment with colleagues from all over the Netherlands. We had to forge the documents of the Executive Board, for example, as realistically as possible, so that it genuinely looked like there was something to lose. The technicians, too, had to have something they could get their teeth into. The rapid decision taken in Eindhoven to respond by shutting down the entire network came as a surprise, even to the SURF control center.”
According to Van Lent, all the participants in the exercise unanimously agreed on Tuesday in Utrecht that the exercise had generated some highly valuable information, making institutions better prepared for when a real attack takes place. “Essentially that includes devising a good means of communication between technicians and the administrators who ultimately have to make a decision. And be aware that if you shut down the entire network, a lot of other digital communications go down too, so you need to have good alternatives available as backup.”
Van Lent goes so far as to call it “the best job” he has ever carried out in his many years at TU/e; “everyone understood the urgency involved and was keen to cooperate.” But, he believes, this urgency must also be felt strongly among TU/e employees in general. “We need to be proactive about putting what we've learned into practice and we are going to do that. Take, for example, something like bitlocker, a system used to encrypt all the information on your laptop or on a memory stick, so that in the event of loss or theft all your data are not immediately made public. I've already got it installed on my laptop and really everyone at TU/e should have it too.”
And how did the attack come to an end? On Friday the stolen memory stick was retrieved and it held the key to regaining access to the encrypted systems, “without having to pay a single bitcoin,” says Van Lent.