Munster Technological University ransomware attack

Date: 7 February 2023
Venue: Munster Technological University
Location: Ireland
Type: Cyberattack, data breach, ransomware
Target: Munster Technological University
Outcome:
  • Closing of Cork campuses
  • Stolen data published on the dark web
Suspects: Blackcat

In early February 2023, Munster Technological University (MTU) suffered a ransomware cyberattack that caused the cancellation of all full-time and part-time classes at the Bishopstown campus, as well as at Crawford College of Art and Design, Cork School of Music and the National Maritime College of Ireland in Ringaskiddy. [1]


Background

On 7 February 2023, Munster Technological University announced that it was investigating a significant breach of its information technology and telephone systems that had occurred over the weekend. Systems such as email, HR, payroll and finance were not affected. [2] In a later announcement the same day, the university said that its Cork campuses would remain closed to protect staff and student data, but that the Kerry campuses were not affected. [3]

On 9 February the university confirmed that it was a ransomware attack. [4] The National Cyber Security Centre confirmed that some of its staff were working on site at the university to assist with forensic examination of systems and with recovery. HEAnet was also providing advice and support. [5]

Impact

The ransomware attack caused all of MTU's campuses in Cork to close. [6] [7]

On 11 February, the university told the High Court that it was being blackmailed by Blackcat, a Russian cybercrime group. [8] [9] The university had received a ransom note threatening to sell and/or publish data if the ransom was not paid by a certain deadline. The amount was described as "significant money" but was not disclosed in open court. [10]

On 12 February, it was confirmed that data from its systems had been made available on the "dark web". [11] [12]

Response

The university is working with the Gardaí, the National Cyber Security Centre and the Data Protection Commissioner. [13]

The Minister of State for Public Procurement and eGovernment, Ossian Smyth, said that the attack was similar in many ways to the 2021 cyberattack on the HSE, in that it included threats to delete data and to publish data that had been copied. [14]


References

  1. O'Donovan, Brian (7 February 2023). "MTU campuses to close following 'significant' IT breach". RTÉ News. Retrieved 9 February 2023.
  2. O'Donovan, Brian (7 February 2023). "MTU in 'close contact' with authorities over IT breach". RTÉ News. Retrieved 9 February 2023.
  3. McGowran, Leigh (7 February 2023). "MTU closes Cork campuses due to 'significant' IT breach". Silicon Republic. Retrieved 12 February 2023.
  4. McGowran, Leigh (9 February 2023). "MTU confirms Cork IT breach was caused by ransomware attack". Silicon Republic. Retrieved 12 February 2023.
  5. Moore, Jane; O'Connor, Niall (9 February 2023). "MTU Cork confirms hackers have encrypted university data and demanded a ransom". TheJournal.ie. Retrieved 9 February 2023.
  6. Kelleher, Eoin (10 February 2023). "MTU to resume business next Monday after crippling cyber attack". EchoLive.ie. Retrieved 12 February 2023.
  7. Clarke, Vivienne (9 February 2023). "MTU to close Cork campuses until next week following cyberattack". BreakingNews.ie. Retrieved 12 February 2023.
  8. "MTU being blackmailed and held to ransom, court hears". RTÉ News. 11 February 2023. Retrieved 12 February 2023.
  9. Ó Faoláin, Aodhán (11 February 2023). "Hackers threaten to publish 'confidential' MTU data unless ransom is paid, High Court told". The Irish Times. Retrieved 12 February 2023.
  10. O Faolain, Aodhan (11 February 2023). "Russian hacker group BLACKCAT demanded 'significant money' from MTU". TheJournal.ie. Retrieved 12 February 2023.
  11. Kane, Conor (12 February 2023). "Stolen data made available on dark web, says Munster Technological University". RTÉ News. Retrieved 12 February 2023.
  12. Griffin, Niamh (12 February 2023). "Data accessed in MTU cyberattack shared on 'dark web'". Irish Examiner. Retrieved 12 February 2023.
  13. Costa, Imasha (9 February 2023). "MTU Cork confirms major IT breach caused by ransomware attack". Cork Beo. Retrieved 12 February 2023.
  14. English, Eoin (10 February 2023). "Teaching to resume on MTU's Cork campuses following ransomware attack". Irish Examiner. Retrieved 12 February 2023.