MAASTRICHT. The cyberattack on Maastricht University may have only erupted to its full extent on 23 December 2019, the first breach took place more than two months before. This was reported by well-informed sources. Fons Elbersen, interim spokesman for Maastricht University, does not want to comment. “We will give answers to such questions on 5 February, during a special meeting.”
Bit by bit, more details are emerging about the cyberattack on the UM with Clop ransomware. A computer in Randwijck, either at the Faculty of Psychology and Neuroscience or the Faculty of Health, Medicine and Life sciences, was infected in the first half of October 2019; later, a computer at the School of Business and Economics was also hit. It is suspected that this was done by opening an Excel file, which then enabled the virus to slowly spread undetected. How that works, or can work, NRC-Handelsblad explained on 11 January under the heading This is how you take a network hostage in 12 steps. Cybercriminals penetrate computer systems of large organisation step by step, partly manually, until the malware is installed in such a way that a full-blown attack can be carried out. This occurred at the UM on 23 December. Cyberexpert from Fox-IT, Frank Groenewegen, says in NRC that hackers sometimes stay hidden for “longer than six months”.
The same cyberattack with the Clop virus also forced its way into Utrecht University, reported the online university newspaper DUB. However, this was blocked by software that had been installed two years previous and should keep ransomware attacks at bay (certain ones, not all). IT manager at the UU, Henk Verkolf, states when asked that this was not the security tool Carbon Black, which the UM installed after the hack. “I won’t say what we have, because hackers then immediately know what you don’t have.”
Verkolf says that the UM informed the sister institutes about the attack immediately in December, through the co-operative organisation SURF. But unlike what happened at the UM, there had never been a previous ‘break-in’ in Utrecht. “Such an attack is like a ‘shower of shot’, followed by another shower of shot to activate the virus. The latter happened on 23 December and it didn’t just penetrate the UM, but us as well. Our security recognised the IP addresses where it came from and deactivated the attack.”
Why Utrecht had that software and Maastricht didn’t, while they co-operate in SURF? Verkolf: “I don’t know. SURF allows the institutes concerned a lot of freedom.”
Carbon Black, the UM reported in ‘update #20’ about the hack, is “a supplement to the regular virus scanner that the UM already uses”. This system also looks at IP addresses from senders and blocks suspicious messages. There are no privacy objections, the UM says: “It doesn’t map out the behaviour of individual staff members and it doesn’t look at their files either.”
The information meeting (‘symposium’) on 5 February in the auditorium on the Minderbroedersberg is only accessible to a select few. These certainly include the national and other media, “but it won’t be your usual press conference,” says spokesman Elbersen, “afterwards journalists can ask questions individually. Furthermore, we will invite experts in the field of cybersecurity, IT staff from the UM and individuals from other universities. We don’t want it to be a ‘broadcasting’- story by the UM.” The investigation by Fox-IT into the hack will also be presented, Elbersen says. He doesn’t expect it all to be made public.
According to UM update #20, the purpose of this ‘symposium’ is to start “a public discussion” about the tension between academic openness and the closeness surrounding security. The afternoon will be led by strategy consultant and former TROS reporter Ronald Otten. The session can be followed via a livestream.