Vice president of the Executive Board, Nick Bos, informed a full hall of mainly media and IT experts during the so-called ‘symposium’ on the cyberattack, Wednesday 5 February.
First, payment of the ransom. An amount of exactly 197 thousand euro, thirty bitcoins, was paid. It was a “devilish dilemma”, and the Executive Board did “not make the decision lightly,” says Bos, also head of the crisis management team. Should one give the criminals what they want? For an institution that is publicly funded, there are “great moral objections”. And, Bos adds, “as an administrator you abhor the thought”.
Anyway, needs must when the devil drives. Because “the continuity of the UM” was at risk, he said. “Study progress, scientific research, sustainable security of data, business processes”; with all of this, the UM ran “unacceptable” risks. Because if files are encrypted and you don’t have the key (“decryptor”), how long would it take to rebuild everything from scratch? That could take weeks, even months, experts ensured the Board. Moreover, that would almost certainly mean loss of crucial data files. So, the balance leaned more towards the other side: we will pay the ransom. There were no negotiations regarding the amount, because that could also have made matters worse, was the idea: before you know it, they could come back and ask double the amount. “We didn’t want any extra irritation,” says Bos.
On 29 December, after consultation with deans and directors and the supervisory board, the decision to meet the hackers’ demands was made, the very next day the key was received and the repairs could begin, which meant that on 6 January, the education activities could at least resume reasonably unimpeded.
Observant announced on 2 January that the UM had paid the ransom. The question is why did the Executive Board not do so, as part of the official policy of openness and transparency, which is even included in the Strategic Programme. They did indeed think about this around New Year, says spokesman Fons Elbersen. But people felt that the potential risks were too great. Also, upon advice from cybersecurity company Fox-IT, it was decided to keep our mouths firmly shut for the time being, during the repair process, so as to prevent other hackers from thinking that there might be more to be had from this university.
Bos reported on Wednesday that external organisations had also been informed about the decision to pay the ransom: the Ministry of Education, Culture and Science, and the Education Inspectorate. There was no reaction from them at the time.
The Executive Board remains cryptic about the cost incurred with this cyberattack, apart from the almost two hundred thousand ransom. This concerns at any rate the assistance from Fox-IT up to today, just like the cost of the specially appointed spokesman Fons Elbersen who replaced the regular UM spokesman Gert van Doorn. The latter was on holiday on the Mosel at the time of the crisis. Bos feels it is “premature” to itemise such (ongoing) costs. Furthermore, there could be intangible damage, the Board admits, but exactly how and what remains unclear. For example, has there been damage to the university’s reputation? The hope is that staff and both current and future students see that the UM takes their concerns “particularly serious”. In addition, “as far as we know” no research proposals have suffered and also no scientific data has been stolen or tampered with. We have “been able to establish that this is more than likely”. This formulation shows that there is still not 100 per cent certainty. There never will be, adds Fox-IT manager Frank Groenewegen: “Even after six months of research, we would not be able to give that kind of guarantee.”
How did the hack actually happen? On 15 October, another Fox-IT employee tells us, the phishing link was placed on an UM employee’s laptop. After that, the hackers were able to manually make their way into the UM’s systems step by step. “On 21 November, they had complete control of the networks.” There was an antivirus alarm on 19 December, but, he says, before the UM responded properly to this, the hackers had already removed the antivirus software. The attack was finally launched on 23 December.
Fox-IT was also able to determine who was behind the attack. It is a group that calls itself Grace-RAT, also known as TA-505. The criminals spoke Russian, but this does not necessarily mean that they work from Russia. This group, which has been active for about five years, is assumed to be the inventor of the CLOP ransomware: “There have been more than 150 victims since February 2019.”
Could the hack have been prevented? What about security? According to the UM, there are no indications whatsoever that Maastricht had poorer security than sister institutes in the Netherlands; when it comes to IT facilities and IT innovations, they work together via SURF. Besides, as far as we know, there is not yet a decryptor capable of neutralising a CLOP contamination. “We were vulnerable, as many organisations are,” says Bos, but that doesn’t mean that the security was “insufficiently safeguarded”.
The UM took dozens of measures in 2018 and 2019 because of the new General Data Protection Regulation (GDPR), which also took the cyber security to a higher level, he says. For 2020 and beyond, “additional funds” have been reserved for modernisation of IT. This includes setting up a Security Operations Centre (SOC), a team that solely deals with cyber threats. This was started in January. “Too late,” admits Chief Information Officer Michiel Borgers.
At the same time, Bos emphasises that a university, despite all measures and investments, will continue to be vulnerable. It is after all an accessible institute (also for people who wish to do harm) that has to make do with tight financing from the Ministry of Education, solely meant for education and research. You don’t get anything extra to fight cybercrime. And last but not least, it is work of man. Bos: “The weakest link is between the keyboard and the chair.” With this attack too, it all started with a laptop (“patient zero”, ostentatiously presented as corpus delicti at the front of the hall) and a click on an unknown link.
The UM wants to work together more with institutes in the Netherlands and abroad, said CIO Michel Borgers, among others when it comes to setting up a 24/7 monitoring system. But a hundred per cent security does not exist, an expert from Fox-IT emphasised on Wednesday. Besides, “additional security is almost always at the cost of ease of use and accessibility.” At the moment, the level of vigilance is so high, Bos adds, that the UM is much more capable of preventing and detecting attacks. By the way, the university does not intend to take out insurance against this type of attack, says Bos. As far as he knows, no other sister institute is insured, “and it doesn’t make the moral deliberation any easier.”
The greatest lesson to be learned from all this? Bos feels that if this unfortunate episode for the UM makes society realise that this is a “security issue of the highest order,” then those six intensive and tough weeks have not been for nothing. “There is a reason why the book by Volkskrant journalist Huib Modderkolk is called Het is oorlog, maar niemand die het ziet (It is war, but nobody sees it).”
Wammes Bos, Riki Janssen