A cyber-attack like in Maastricht: small chance, but the impact is enormous

In the night of December 23, Maastricht University became the victim of a cyber-attack with clop ransomware. The criminals demanded ransom for the files they held hostage. For the duration of the Christmas holidays, the university’s systems were all down because of the ransom software.

So at Christmas, Henk Verkolf, manager of the infrastructure cluster ad interim, wasn’t enjoying a glass of mulled wine near a fireplace, but instead, he was working hard. “The day Maastricht discovered the virus, we heard about it immediately. We’ve got close contact via Surf, an IT collaboration organisation. The message was immediately sent to all universities. What we do in a situation like this, is first see whether anything’s happening in our own systems, and then try to find what’s going on exactly at – in this case – Maastricht, and see whether we’re vulnerable to something similar.”

The realisation came quickly: a number of attempts of the same attack had also been sent to the UU. However, the anti-ransomware software that had been installed two years previously, stopped the attack. “Thankfully, it recognised the ransomware. It’s always uncertain whether the ransom you’re sent is so new that your security software doesn’t pick up on it yet. Because you can try to protect everything to your best abilities, but you’re always one step behind the criminals. It’s like with the police: once they figure out the drugs are hidden amongst the bananas, the criminals have already moved on to hiding them amongst Barbie dolls. It’s the same thing in cyber security.”

You're always one step behind the criminals

Verkolf can’t say whether Maastricht University didn’t have the same security software the UU employs. Raoul Vernède, chief information security officer at the UU, can say that the UU system is segmented, which means the IT environment is constructed in such a way that if one piece is corrupt, it wouldn’t cripple the entire system. The UU also uses offline back-ups for an extra safety net.

To be safe, though, all UU admins had to immediately change their passwords after the Maastricht attack. They were all called at home during Christmas. “One of them even did it from his holiday address in Peru,” Verkolf laughs. The following days were ones with heightened security. Verkolf worked with a team of eight people. They also received an emergency call from Maastricht for their students: “For the Maastricht students, we created an emergency facility so they were still able to access the online library, because there was a number of students whose graduation was at risk.”

Spray
The two don’t think it’s odd that the attack happened around Christmas. “It’s a well-known fact that hackers tend to attack around holidays and vacation periods, because they think people aren’t paying as much attention then,” Vernède says. But were universities the actual target, considering the UU also received the same attack? “No. Ransomware is sent out into the world in a random, automated spray, and then it checks who’s receptive to it. But it could just as well have been a bank. It’s likely that at least a hundred other organisations in the Netherlands received the same attack,” Verkolf says.

Because of their open culture, universities are a relatively attractive target. “As a university, you’re more vulnerable, because you strive towards sharing knowledge and information, and towards working together. That’s different in banks and companies.” The general rule is: the more closed off you are, the safer. Not having an internet connection at all, then, is incredibly safe.

Do universities have anything specific that people want to have? “For ransom criminals, no, not really. You have to distinguish between ransom attacks by criminals looking for money, and attacks by people who want to steal knowledge and research results: spies. Those attacks do tend to be aimed at universities, hospitals, or governmental organisations.”

Ransom
What does ransomware – holding data hostage – look like anyway? A blue screen with a pop up that says ‘we’ve got your documents, click here for a PayPal link?’ Verkolf laughs: “Something like that. But they use Bitcoins, because otherwise the money can be traced. You get a lovely English text on your screen that tells you your systems have been taken over, that they’re encrypted, and you have to pay to get them back. And that everything has to be done within a certain timeframe, or they’ll delete the data, keep up the hostage situation, or publish everything, for example.”

The national advice is: do not pay

It’s said that Maastricht indeed did pay ransom to the (likely Russian) criminals. Does the UU have a policy for that? “The national advice, coming from for instance the National Coordinator Anti-Terrorism and Security (NCTV), is: do not pay.” A security drill Surf held with a number of universities, including Utrecht and Maastricht, led to the same advice. Verkolf: “But if you wouldn’t have anything left, if you’d lose years’ worth of research, and you’ve tried everything you can… Well, I don’t know how long you’d want to stick to that policy.”

The UU has only experienced small-scale data hijacking. That was two years ago, when ransomware just started to become big. Verkolf: “On a workplace level, we had a number of incidents at that time; users who’d clicked the wrong link, for instance. We just erased the systems, put up a back-up, and didn’t pay any Bitcoins.”

The gatekeepers do see daily attempts of malware and ransom-like software on their monitors. A small share of those dangerous phishing mails do end up in the inboxes of students and employees, when the system doesn’t catch them. It’s hard to tell how many there are, because, of course, those mails go unnoticed. Students and employees can report suspicious emails to the Computer Emergency Response Team (Cert). “We have some peak moments for those reports, anywhere between ten to a hundred and fifty reports a week.”

Phishing
Some time ago, campaign posters about cyber security were distributed all over campus. One of those is a poster with a joke about ‘phishing’.

“We constantly stress the importance of awareness of phishing: because you can create a shield as thick as you like, but if someone opens the back door, it’ll all be for nothing,” Verkolf says. That’s what happens in phishing, when someone gives their username and password to a third party. When that happens, someone can get into your system, and hijack your documents, for instance. You can often solve that if you’ve got good back-ups, but it does take a lot of time. And you can still lose a significant amount of data. And it depends on the type of phishing what the potential damage is.

Verkolf gives the example of so-called CEO fraud. First, through phishing, information is obtained about an organisation: where its financial sector is, what the name of the boss is, and what their contact info is. Then, from the director’s inbox, an order is sent out to transfer a sum of money. Movie theatre Pathé lost 19 million euros this way in 2018.

Around 15 percent of a nation’s population will fall for a phishing mail, Verkolf and Vernède say. Their advice to everyone is to always run software updates, use the UU’s reliable back-ups, not to download illegal software, and always report suspicious emails to the Cert, via cert@uu.nl.

Wake-up call
After the Maastricht attack, Pieter-Jaap Aalbersberg (NCTV) used the term ‘wake-up call’. In an interview on NPO Radio 1, he said: “This should be a wake-up call for all universities and universities of applied sciences. You have to have good back-ups, separate your systems, and ensure you’ve got the right updates, and you won’t be vulnerable.”

Was that wake-up call really necessary? “No,” Verkolf says. “We already started improving our cybersecurity last year. The Executive Board already recognised all the risks in November. We’ve already started a three-year programme to improve our security even more; we’ve reserved time and money to do so.” Interesting detail: In 2018, Surf noted that relatively little money is being reserved by universities for cybersecurity.

In the near future, employees and students will already experience some of that extra security. Soon, they’ll have to log in using a two-factor authentication with their Solis ID, for instance with a code via text message or a special app. This month, the ITS department (Information and Technology Services) will already switch to that system: “That way, we can get rid of teething troubles as we go. After that, the system will be rolled out throughout the university in phases.”