TU/e was hit by a cyberattack on January 11, 2025, a year ago this week. The university then took its own network offline as a safety measure.
Attentive IT staff and Microsoft Defender for Endpoint, a security tool used by TU/e, enabled the university to intervene quickly. This prevented the attackers from shutting down the network themselves and demanding ransom payments to reopen it.
Financially oriented
The cyberattack could have escalated much faster. It has since been revealed that the hack was carried out by a group that ranks among the world’s leading cybercriminals and possesses highly sophisticated resources.
“We and investigator Fox-IT—the agency that supported the university in the internal investigation—suspected a low- to medium-sophisticated group,” says Joost de Jong, Chief Information Security Officer (CISO) of TU/e. They drew this conclusion from the hackers’ behavior, which was consistent with such a group.
“That now appears not to be the case: the attack was most likely carried out by one of the most active parties in the world,” says the CISO. Neither De Jong nor the police will name the hacking group, in the interest of the investigation, which is still ongoing.
“The group the police have in mind is primarily financially oriented,” De Jong does share. He therefore does not believe the hackers were working on behalf of another country in the context of knowledge espionage. According to the CISO, the university also has no indication that a large-scale data breach occurred after the digital break-in.
Investigation
TU/e’s IT specialists are not authorized to conduct criminal investigations into the hack. Only the police have that mandate. De Jong recently visited the police for an update on that investigation. “Immediately after the attack, we filed a report and shared all the information we had about it,” he recalls.
“We're not allowed to hack into the perpetrators’ servers or issue a warrant to access data. But the police can request digital evidence. In this case, from abroad.”
De Jong won't say which country the hackers are based in, but he does know that a lot of data has been uncovered by international partners following the police request. The police themselves cannot make any substantive statements while the investigation is ongoing.
Natural leads
“I have no idea how long the investigation will continue; the police are still in charge,” says the CISO. “Detectives are continuing their search to convert data into natural leads.” That is, connecting the crime to people with an identity, so they can subsequently be arrested.
The majority of the data still needs to be sifted through. That might sound strange after a year, but a huge amount of data has been found on the criminals’ servers, and anything could still come out. The police will have to thoroughly comb through the attackers’ ‘business administration’ to search for TU/e-related data, a task that could take months.