Reconstruction of the cyberattack based on facts and plausibility


23 December 2019, 19:35hrs. Personnel from the UM’s IT service ICTS notice that various systems are slowing down. The permanent internal crisis team CERT (Computer Emergency Response Team) sounds the alarm. The UM has been hacked. Within an hour, they are on the spot; they will stay all night. In vain: the UM network is down, including the e-mail system, the Student Portal and the library.

24-12: The vice-president of the Executive Board, Nick Bos, takes charge. ICTS cannot handle a catastrophe of this size by itself; Fox-IT, a specialist cybersecurity company, is contacted for assistance. The Executive Board announces on the UM website, which is still online, that the university has been struck by a “serious cyberattack” with ransomware. This means that everything is locked down, and payment has to be made to obtain a key. Otherwise, everything remains quiet. UM spokesperson Gert van Doorn and his family are on holiday in the Mosel area and will stay there. Media can contact him by phone. He states that scientific data have additional protection. National and regional media report the hack. Van Doorn denies that there is a demand of 300 thousand euros in bitcoins as ransom.

25-12: Christmas Day: internally, staff are working under high pressure, almost through the night; the public is getting no further news.

26-12: Boxing Day: on social media, concerned students are complaining about the lack of information. The Executive Board has met, is also dissatisfied with the way the UM is communicating and calls in former UM spokesperson Fons Elbersen, currently self-employed, to take charge of communication. He and his wife are near Antwerp, on their way to France, and turn around. The Board says that repairs should give priority to education activities. People ask anxiously: “Apparently, we were not secured adequately. Why not?”

27-12: Finally, an update by the UM for students and staff. The university is carrying out forensic investigations and repairs. “All efforts focus on restoring access to systems for students and staff as soon as possible.” The attack has been reported to the police. Elbersen cannot confirm that the UM is negotiating with the cybercriminals.

28-12: Update #3 is published: university buildings will definitely open on 2 January. Special attention is being paid to urgent matters such as timetables, exams, applications for subsidies, et cetera. Temporary helplines will be set up. The Board, deans and directors are continuously on the go or on standby. The complaints stop; students and staff empathise and show solidarity. And yes, behind the scenes there are unmistakably negotiations with the hackers. An initial payment is being made, or has probably already been made, to ensure that the UM can obtain the key to regain access to its systems.

29-12: It is announced (update 4) that the UM hopes that “the processes relating to the education programmes” may resume on 6 January. Experts say afterwards that such a quick recovery is only possible after payment of the ransom. The hackers will get their money today or tomorrow: a total of three hundred thousand euros? Or two hundred thousand? The guesses are probably not far off the mark. The updates are now getting more and more detailed, for students, for prospective students, for staff. A warning is issued: do not try to access the systems, as this will impede recovery.

30-12: Education programmes can definitely resume on 6 January, update 5 says. The UM’s IT workers concentrate on the systems that are relevant for students. The deans, some of whom have returned from their holidays, meet.

31-12: New Year’s Eve: two updates (“leniency for students”) and a special word of gratitude from the Executive Board: “The commitment of colleagues who worked throughout the holidays is heart-warming.” The lesson learnt: the UM “will need to arm itself better against external threats that do not respect academic values.” Not only those values, of course. Furthermore, all UM workers get a day’s rest on 1 January; another sign that the situation is getting under control after payment of the ransom. Questions about this are already being asked in Parliament.

2-1-2020: The advice in update 9 is to externally reset passwords before 6 January. Observant announces later that day that the UM has paid a ransom. The national media, which have been following the case for a week, fly at it immediately, including NOS Journaal. The Executive Board remains silent on the issue, and still does. It does issue a statement later that day that the silence has to do with the ongoing investigation into the hack. A survey among students and staff reveals that almost all can justify the payment: “what else could the UM do?” is the tenor of most replies.

3, 4 and 5-1: More and more systems are getting back online, occasionally with some restrictions. The university library is operational again.

6-1: The education programmes start, everything appears to be running smoothly, no serious problems are being reported. In his New Year’s speech, President Martin Paul again thanks all those who sacrificed their holidays and all others who empathised during this crisis. And the e-mail system will be up and running again the next morning!

Thirteen updates have been published so far: students and staff who are asked whether they feel they were informed adequately by the UM, except in the beginning, state that they felt they were.

Author: Wammes Bos
Simone Golob