Cyberattack: hacker most likely wanted to place ransomware
All signs indicate that the hacker who gained access to the TU/e network in January was preparing a ransomware attack. It has also become clear how the attacker got in: through a combination of leaked login credentials, a VPN without multifactor authentication, and central servers that handed over account data to a machine posing as one of them. Almost certainly no data was stolen.
All of this is according to the technical report of cybersecurity firm Fox-IT, which assisted the university during the cyberattack and investigated the circumstances. The company was unable to find out who committed the attack and whether it involved one or several persons, but was able to trace all of their movements. Hackers try to penetrate the university’s defenses thousands of times a day. In January of this year, they succeeded. To mitigate the consequences, the university took the network offline. At that time, the hacker had already penetrated the network to such an extent that theoretically, they could have placed ransomware in the TU/e system at any time.
Highest rights
The investigation shows that someone had already entered the network five days before the attack, using stolen login credentials over a VPN (Virtual Private Network) connection. Once they initiated the attack on Saturday night, they were able to log in with any account they wanted by tricking the central servers called domain controllers, which hold every account's credentials, into handing over that data. They chose an account with the highest privileges in the system and began preparing the attack from there, gaining access to the entire TU/e network.
Chief Information Security Officer (CISO) Martin de Vries says it's remarkable that the attacker then seemed to throw all caution to the wind by installing a tool on the domain controllers that set off all of the university's alarm bells. "It's like they kicked down the door. I'd have expected them to want to stay under the radar longer." The action, which suggests the hacker lacked the skills to proceed otherwise, allowed TU/e's security team to disrupt their activities. "Unfortunately for future victims, they'll have learnt from this experience."
From the moment the security team noticed their presence, according to De Vries, the attacker seemed mostly concerned with making sure that they wouldn't be thrown out of the system. They also tried to disable the university's backup facility. However, that wasn't the reason for shutting down the network: "We simply couldn't get to them, that is why the network had to be taken offline." And good thing they did, says the CISO, because it probably would have been too late had they waited another hour. "It was touch and go."
Vulnerabilities
The attack exposed three vulnerabilities, which have since been fully addressed. For one thing, the university knew that login credentials had been shared on the dark web even before the cyberattack. The employees and students affected had been asked to change their passwords, but re-entered the old, compromised password as their new one. “We had failed to make that a technical impossibility,” says the CISO. Now it’s no longer possible to reuse old passwords.
In addition, the attacker was able to get in via a VPN connection because it didn't require multifactor authentication (MFA). "We had already planned for that two-step authentication; we were going to implement it before the summer," says De Vries. So they were just a fraction too late. Meanwhile, the VPN has been equipped with MFA. And then there's the DCSync attack, the trick the hacker used to fool the central servers. The hacker made those servers think they were allowed to share data (password hashes, the form in which the servers store passwords) with a machine under the hacker's control that posed as a domain controller. That, too, is no longer possible; only the three servers in question can now request that data, and only from one another.
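The DCSync technique described above leaves a trace: a domain controller that honours a replication request writes a Windows Security event 4662 naming the requesting account and the replication rights it exercised, and in a healthy domain only the domain controllers themselves (plus any sanctioned directory-sync service) should ever do that. The following is an added example, not code from the article, TU/e or Fox-IT, that flags such requests from unexpected principals and audits which trustees hold replication rights on the domain. The event and ACE records are constructed inline as plain dicts shaped like the fields a log shipper would export; the domain, hostnames and account names are hypothetical.

```python
"""Flag DCSync-style replication requests in Security event 4662 records and
audit who holds replication rights. Added example; all sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Extended-right GUIDs that permit directory replication (well-known AD values).
# A principal that can exercise these against a domain controller can pull
# every account's password hash; that is what DCSync does.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
SECRETS_RIGHT = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # the right that returns secrets


@dataclass(frozen=True)
class Finding:
    record_id: int
    subject: str
    rights: tuple   # replication right names seen in the event
    severity: str   # "high" if secrets could be read, else "medium"


def replication_rights_in(properties: str) -> List[str]:
    """Names of replication rights whose GUIDs appear in a 4662 Properties field
    (a multi-line string listing the access type and the object/right GUIDs)."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def detect_dcsync(events: Iterable[dict], expected_replicators: Set[str]) -> List[Finding]:
    """Return a Finding for each 4662 event in which a principal outside
    expected_replicators (DC computer accounts NAME$ and sanctioned sync
    accounts, matched case-insensitively) exercised a replication right."""
    allowed = {p.lower() for p in expected_replicators}
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "")
        rights = replication_rights_in(props)
        if not rights or ev.get("SubjectUserName", "").lower() in allowed:
            continue
        severity = "high" if SECRETS_RIGHT in props.lower() else "medium"
        findings.append(Finding(ev["RecordID"], ev["SubjectUserName"], tuple(rights), severity))
    return findings


def audit_replication_acl(aces: Iterable[dict], expected_trustees: Set[str]) -> List[str]:
    """Given ACEs from the domain naming context's DACL (Trustee + ObjectType GUID),
    list trustees holding a replication right that are not expected to hold one.
    This is the preventive side: strip the right, and the 4662 never happens."""
    allowed = {t.lower() for t in expected_trustees}
    unexpected = {
        ace["Trustee"] for ace in aces
        if ace["ObjectType"].lower() in REPLICATION_RIGHTS and ace["Trustee"].lower() not in allowed
    }
    return sorted(unexpected)


# Constructed sample data: hypothetical domain with DCs DC01/DC02 and a sanctioned
# directory-sync account. GUID ending in ...-000000000001 is a placeholder for
# some unrelated control-access right.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc_dirsync"}
SAMPLE_EVENTS = [
    {"RecordID": 1001, "EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordID": 1002, "EventID": 4624, "SubjectUserName": "j.doe", "Properties": ""},
    {"RecordID": 1003, "EventID": 4662, "SubjectUserName": "j.doe",   # stolen-credential DCSync
     "Properties": "Control Access\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}\n\t{89E95B76-444D-4C62-991A-0FACBEDA640C}"},
    {"RecordID": 1004, "EventID": 4662, "SubjectUserName": "j.doe",
     "Properties": "Control Access\n\t{00000000-0000-0000-0000-000000000001}"},
    {"RecordID": 1005, "EventID": 4662, "SubjectUserName": "svc_dirsync",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordID": 1006, "EventID": 4662, "SubjectUserName": "svc_ops",   # partial right, still odd
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]
EXPECTED_TRUSTEES = {"Domain Controllers", "Enterprise Domain Controllers", "Administrators"}
SAMPLE_ACES = [
    {"Trustee": "Domain Controllers", "ObjectType": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"Trustee": "Enterprise Domain Controllers", "ObjectType": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"Trustee": "svc_backup", "ObjectType": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},  # leftover grant
    {"Trustee": "svc_backup", "ObjectType": "00000000-0000-0000-0000-000000000001"},
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, EXPECTED_REPLICATORS):
        print(f"[{f.severity}] record {f.record_id}: {f.subject} requested {', '.join(f.rights)}")
    print("unexpected replication-right holders:", audit_replication_acl(SAMPLE_ACES, EXPECTED_TRUSTEES))
```

Event 4662 is only written when "Audit Directory Service Access" is enabled and the domain object's SACL audits control-access rights, so confirm both before relying on this rule; sanctioned sync services (for example a cloud directory connector) legitimately request replication and belong in the allowlist rather than being tuned out after the fact. Pairing this with a network-side check for replication traffic from addresses that are not domain controllers catches the case where the logs have been tampered with.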
Another weakness TU/e has become more aware of since the attack has to do with the outdated systems that researchers sometimes work with. In order to communicate with those systems, the servers from which the hacker managed to extract all the login data must keep supporting outdated protocols. "We have to get rid of that eventually," De Vries says. "One possible solution is to create isolated networks and put a firewall between those networks and the central system."
Culture change
The reason that old systems and protocols are still being used today, according to Vice President of the Executive Board Patrick Groothuis, has to do with the culture within the university. “In that culture, we as an organization want to help scientists do their research well. In doing so, in this case, we’ve apparently not been sufficiently aware of what the risks were of allowing those old systems into the central network.” He says the university should become “stricter and more business-like” when it comes to allowing protocol deviations.
An example of that culture change – which Groothuis says was already underway before the cyberattack – is the decision by LIS to block high-risk applications. When it comes to cybersecurity risks, he says, freedom of choice should be “more limited and clearer. Which also means saying no sometimes.”
Still being felt
Such measures should help increase cyber resilience. And that’s needed, says Groothuis, because even though the hacker didn’t achieve their ultimate goal, the consequences for the university were significant. In fact, they’re still being felt today. “Especially in education. On the one hand, because during the cyberattack, many teachers and support staff contributed to fending it off. As a result, they didn’t have time for other things and are now busy catching up with those. Secondly, we allowed students to take exams at a different time if there was a valid reason. The consequences of this are still felt in the fourth quarter.”
Groothuis hopes that after the summer, peace will have fully returned. Regardless, all those involved can look back with pride on how they handled the crisis period, both Groothuis and De Vries say. This has now also been confirmed in writing in a report by the COT Institute for Safety, Security and Crisis Management, which conducted a learning evaluation of the crisis management process.