Cyber-attack evaluation: crisis organisation worked well

From first signal to under control

The cyber-attack started on Saturday 13 February, when an attacker managed to infiltrate the IT environment. On Monday, 15 February, the attack was detected by AUAS/UvA’s Security Operations Center (SOC). They saw a password spraying attack and takeover of domain controllers, fitting the profile of a ransomware attack.

The Executive Boards of both institutions were informed and the central crisis organisation activated. AUAS/UvA decided to ‘fight back’ and combat the attack actively and openly – without taking down all systems, as this would have had major consequences for the continuity of education at the institutions.

Over the next few days, it became apparent that the attackers had, in all likelihood, obtained log-in data and encrypted passwords by downloading the Active Directory domain database. This data can be used to wage a new attack, or sold. For this reason, on 23 February all students and employees of UvA/AUAS were asked to change their passwords. Thanks to thorough preparation and good support, and with advise from the data protection officers from both institutions, this operation was completed quickly and successfully. Within a few days, more than 100,000 people had changed their passwords. In the meantime, the fight against the cyber attackers continued. On 10 March, the central crisis team at UvA/AUAS led by CvB members Jan Lintsen (UvA) and Hanneke Reuling (AUAS) gave the ‘under control’ signal. Reparative work continued for some time thereafter.

Effective cooperation

The COT concluded that many people at UvA/AUAS contributed to repelling the attack. The employees involved were skilled, people from various disciplines cooperated well and there was mutual confidence between officials in key positions. Internal cooperation was effective, integral and flexible. It was possible to keep the impact of the attack to a minimum. Once AUAS/UvA had launched the counter-attack, the hackers discontinued the attack and did not go on to take data hostage. Investments in digital security and resilience will remain necessary going forward, also after previous steps have been taken in these areas.

‘Valuable pointers towards further improvements’

The Executive Boards of UvA and AUAS thank the COT for its extensive evaluation. ‘This provides us with valuable pointers’, according to Hanneke Reuling, who led the central crisis team as a member of the AUAS Executive Board, alongside her UvA colleague Jan Lintsen. ‘When I read the evaluation, it makes me proud that the people within the organisation acted in a highly professional way, and that cooperation was effective.’ An opinion shared by Jan Lintsen. ‘This was an intense period, which fortunately ended well. This evaluation makes it abundantly clear once again that institutions such as ours can never assume they are safe, and that we will have to invest during the period ahead in taking security to a higher level.’

Improving information security

The COT also makes concrete recommendations in this respect: make long-term cyber security choices, make use of the experiences gained in order to be prepared for any new incidents and share the lessons learned. Recommendations are also made for technical improvements such as accelerated implementation of multi-factor authentication, stronger passwords and improved detection. These and other measures have been incorporated into the Information Security Improvement Plan (Dutch: Verbeterplan Informatiebeveiliging), in which additional investments will be made in the years ahead. Leading aspects of this will include the strengthening of monitoring, detection and response capacity, increasing awareness of the risks among students and employees and expansion of capacity through the recruitment of more security specialists, SOC analysts and server administrators.