Notorious Russian group hacked Munster University for ransom
A notorious Russian-based hacking group has dumped more than 6GB of internal files from Munster Technological University (MTU) in Southern Ireland onto the internet – stolen in a cyber attack around a fortnight ago. The files contain huge amounts of staff and student information.
The university had refused to pay the ransom demanded by the group, which uploaded the data when the deadline for payment expired at 11.45pm on Friday 10 February.
The university had obtained an interim injunction in the Supreme Court preventing the unknown individuals behind the attack from publishing or sharing any of the confidential material. The injunction was ignored by the hackers, who cut their losses and uploaded the material, likely as a warning to others who may face similar attacks.
The court was told the attack was believed to have been carried out by individuals in a ransomware group known as ALPHV aka BlackCat or Noberus.
The university said those suspected of carrying out the attack are believed to be former members of the “REvil” ransomware group, which in 2022 attacked an Apple supplier and was proven to be based in Russia.
Suspicious activities were first detected in the IT system on Sunday 5 February and an encrypted ransom note was uncovered. It contained a link that was followed by the National Cyber Security Centre. The court was told that a page on the “dark web”, a collection of websites that can only be accessed by a specific browser, was located where the ransom demands were outlined.
The university had to close its main campus in Cork for two days. The court was told that MTU had suffered reputational and financial damage. The university was formally established in January 2021 from a merger of institutes of technology in Cork and Tralee. It has 18,000 full-time and part-time students and 2,000 employees.
The information disclosed on the internet includes dozens of archive folders relating to internal university matters such as salary data, bank accounts and employment contracts. Some data on staff medical and annual leave, internal audits and student aid grants, as well as academic materials, have also been released, security sources told The Irish Times.
The paper’s security correspondent Conor Gallagher wrote that BlackCat operated as a RaaS – “ransomware as a service” – meaning it was hired by criminals to carry out cyberattacks on their behalf, with any ransom money split afterwards.
So far, the information from the university is only available on the dark web. However, there are fears that the leaked data could be used for phishing attempts or combined with other publicly available data for fraudulent purposes. Those associated with the university were asked to be alert for any suspicious activity.
Universities are vulnerable
Simon Woodworth, a lecturer in business information systems at University College Cork, said the IT systems in most higher education institutions in Ireland were vulnerable to ransomware attacks because they accommodated such a large number of people using many devices.
The MTU cyber attack is the second largest known attack on a public institution in Ireland. Two years ago, the operations of the National Health Service were seriously disrupted. Medical procedures for thousands of patients were canceled and up to €100 million (US$106 million) was spent on new IT equipment and better security systems.
The government is currently notifying people that their records were stolen in the 2021 attack and apologizing for what happened. It is reported to be preparing for a flood of compensation claims. If these are successful, MTU may face similar demands from students and staff affected by the latest breach.
No ransom was paid by the health service to the malware gang Conti, which was responsible for the attack. The same group had orchestrated or carried out a number of high-profile attacks around the world, including on US hospitals and the government of Costa Rica. It had taken over another group called TrickBot and developed that group’s malware to support its own ransomware attacks.
The UK and US governments announced on February 9 that they are imposing sanctions on seven Russian nationals linked to the Conti, Diavol and Ryuk ransomware strains. The seven all live in Moscow and have been linked to Moscow’s intelligence services. This is the first time that the UK has taken such measures.
Hackers get hacked
The sanctions came, ironically, after a massive amount of internal conversations and personal information were leaked from Conti and TrickBot members in what were dubbed Contileaks and TrickLeaks.
While ContiLeaks focused more on leaking internal conversations and source code, TrickLeaks went further, with the identities, online accounts and personal information of TrickBot members leaked publicly on Twitter.
These breaches eventually led to the Conti gang shutting down operations and their members starting new ransomware operations or joining existing ones. The Conti group was said to have amassed around 3 billion euros ($3.2 billion) before it was betrayed.
The British government said there were 104 victims in the UK of the Conti strain, which were paid about £10 million (US$12 million), and 45 victims of the Ryuk strain, which were paid about £17 million. It said Russian intelligence services and agencies had “likely” directed some of the gang’s actions.
The US Treasury Department said in a statement on February 9 that Russia was a haven for cybercriminals, where groups such as Trickbot freely carried out malicious cyber activities against the US, UK and their allies and partners.
It said the Trickbot Trojan virus infected millions of victim computers worldwide, including those of US businesses and individual victims. During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States.
In one of these attacks, the Trickbot group deployed ransomware against three medical facilities in Minnesota, disrupting their computer networks and phones, and causing the diversion of ambulances.
“Members of the Trickbot group publicly gloated about the ease of targeting medical facilities and the speed with which ransoms were paid to the group,” the US Treasury Department added.