Notorious Russian group hacked Munster university for ransom

A notorious Russian-based hacker group has dumped more than 6GB of internal files from Munster Technological University (MTU) in the south of Ireland on the internet – they were stolen in a cyberattack around a fortnight ago. The files contain vast amounts of staff and student information.

The university had refused to pay a ransom demanded by the group, which uploaded the data when the deadline for payment passed at 11.45pm on Friday 10 February.

The university had obtained an emergency temporary injunction in the High Court restraining the unknown persons behind the attack from publishing or sharing any of the confidential material. The injunction was ignored by the hackers, who cut their losses and uploaded the material, probably as a warning to others who may face similar demands.

The hack attackers

The court was told that the attack was believed to have been carried out by individuals in a ransomware group known as ALPHV aka BlackCat or Noberus.

The university said that those suspected of carrying out the attack are understood to be former members of the ‘REvil’ ransomware group, which in 2021 attacked Quanta Computer, a supplier of Apple, and whose members were arrested by Russian authorities in January 2022.

Suspicious activity was first detected in the IT system on Sunday 5 February and a ransom note was uncovered. It contained a link that was followed by the National Cyber Security Centre. The court was told that the link led to a page on the ‘dark web’, a collection of websites that can only be reached through special anonymising software such as the Tor browser, where the ransom demands were set out.

The university had to close its main Cork city campus for two days. The court was told that MTU had suffered reputational and financial damage. The university was formally established in January 2021 from a merger of institutes of technology in Cork and Tralee. It has 18,000 full-time and part-time students and 2,000 staff.

The information disclosed on the internet includes dozens of file folders relating to internal university matters such as payroll data, bank accounts and contracts of employment. Some data around medical and annual leave for employees, internal audits and student assistance grants as well as academic material had also been released, security sources told The Irish Times.

The newspaper’s security correspondent Conor Gallagher wrote that BlackCat operated as RaaS – ‘ransomware as a service’ – meaning its malware and infrastructure were hired out to criminal affiliates who conducted the intrusions, with any ransoms being divided up afterwards.

So far, the information from the university is available only on the dark web. However, there are fears that the leaked data could be used for phishing attempts or combined with other publicly available data for the purposes of fraud. Those connected to the university were advised to be vigilant for any suspicious activity.

Universities are vulnerable

Simon Woodworth, a lecturer in business information systems at University College Cork, said that the IT systems in most higher education institutions in Ireland were vulnerable to ransomware attack because they accommodated such large numbers of people using lots of devices.

The MTU cyberattack is the second largest known attack on a public sector institution in Ireland. Two years ago the operations of the national Health Service Executive were seriously disrupted. Medical procedures for thousands of patients were cancelled and up to €100 million (US$106 million) was spent on new IT equipment and better security systems.

The government is currently notifying people that their records were stolen in the 2021 attack and is apologising for what happened. It is reported to be preparing for a flood of compensation claims. If these are successful, MTU could face similar claims by students and staff affected by the latest breach.

No ransom was paid by the Health Service Executive to the ransomware gang Conti, which was responsible for the attack. The same group had facilitated or conducted numerous high-profile attacks across the globe, including on United States hospitals and the government of Costa Rica. It had taken over another group called TrickBot and developed that group’s malware to support its own ransomware attacks.

The United Kingdom and US governments announced on 9 February the imposition of sanctions on seven Russian nationals linked to the Conti, Diavol and Ryuk strains of ransomware. The seven are all resident in Moscow and have been linked to Moscow’s intelligence services. This is the first time the UK has taken such action.

Hackers get hacked

The sanctions came, ironically, after a massive trove of internal conversations and personal information was leaked from Conti and TrickBot members in what were called ContiLeaks and TrickLeaks.

While the ContiLeaks focused more on leaking internal conversations and source code, the TrickLeaks went further, with the identities, online accounts and personal information of TrickBot members publicly leaked on Twitter.

These data breaches ultimately led to the Conti gang shutting down their operations and their members starting new ransomware operations or joining existing ones. The Conti group was said to have amassed about €3 billion (US$3.2 billion) before it was betrayed.

The UK government said that there were 104 victims in the UK of the Conti strain, who paid approximately £10 million (US$12 million), and 45 victims of the Ryuk strain who paid approximately £17 million. It said that Russian Intelligence Service and agencies had ‘likely’ directed some of the gang’s actions.

The US Department of the Treasury said in a 9 February statement that Russia was a haven for cybercriminals, where groups such as Trickbot freely perpetrated malicious cyber activities against the US, the UK and their allies and partners.

It said the Trickbot trojan had infected millions of victim computers worldwide, including those of US businesses and individual victims. During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centres, launching a wave of ransomware attacks against hospitals across the United States.

In one of these attacks, the Trickbot group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances.

“Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group,” the US Treasury added.