’TU/e acted well in cyber attack, but there are also learning points’

Photo: Angeline Swinkels
Photo: Angeline Swinkels
Investigation: perpetrators unknown, they were likely out for ransom

TU/e responded to last January’s cyber attack ’rapidly , effectively and exemplary ’ , demonstrating resilience a great capability to recover. This is stated in the reports of the two investigations th TU/e commissioned into the attack , which were published online today. In addition to these positive observations, the reports also containthe necessary points for improvement.

Background

On Saturday night, January 11, alarm bells went off at TU/e due to a cyber attack. When the situation became too threatening during the night, TU/e’s security experts decided to take the entire network offline. As a result, TU/e education - among other things - came to a standstill for a week. After a week, following extensive cleanup and recovery, the university brought the network safely back online and education resumed. Despite there being no sign that data had been stolen and no ransom being paid, the impact on the organization was enormous. TU/e commissioned an investigation into what happened, how it responded and what can be improved.

The facts

Security company Fox-IT has mapped out in detail exactly what happened on the night of January 11-12. In its report, the company is positive about the university’s performance: "TU/e demonstrated exemplary incident response and crisis management, responding rapidly and effectively even during the challenging hours of a weekend night. This swift action serves as a model for other organizations."

At the same time, the report highlights sore spots. For example, while TU/e had multifactor authentication on most applications, it did not yet have it on the VPN log-in. This was scheduled to be implemented in the first half of 2025. Furthermore, the cybercriminals used hacked accounts to break in. It was already known that these accounts had previously been hacked, so TU/e had the account holders change their passwords. But the account holders reused their old passwords, which was not automatically prevented. The intruders were also able to retrieve crucial data from a domain controller. The university has since addressed all’of these cybersecurity vulnerabilities.

Perpetrators

Fox-IT has not been able to determine who the perpetrators were. However, based on the attack methods used, it can conclude in all likelihood that it was a ransomware group, which was out for ransom.

Establishing practices

TU/e also commissioned an independent investigation into the crisis management surrounding the attack, carried out by the COT Institute for Security and Crisis Management, in order to learn from the experience and gain tools for the future. The COT concludes, among other things: "TU/e demonstrated resilience and strong recovery capability during the cyber crisis. The crisis response was marked by swift and effective technical measures." To do even better in the future, the COT recommends in its report that certain procedures, practices and mandates be better documented so that there is greater clarity on how to act in the event of a future crisis. The Executive Board takes the findings and recommendations of both Fox-IT and the COT very seriously and has decided, in principle, to follow them.

Cybersecurity is never done

"It’s nice to see confirmation that we acted well and have solid resilience," says TU/e vice president Patrick Groothuis, who led the central crisis team at the time. "That’s the result of many investments, layered measures and the professionalism of employees. But the reality is that hackers still got inside, causing the university to come to a stop for a week and bringing significant consequences for students and employees. We will therefore take the recommendations from the reports to heart and continue to invest in strengthening our cybersecurity. It remains an arms race in which you can never stand still."

Reports

To give other organizations an opportunity to learn from this cyber attack and for the sake of transparency, we are making the following investigation reports available: