The cyber attacks keep coming this year, and Newcastle University is the latest victim. At the end of August a ransomware attack got past its IT defences, causing chaos in the lead-up to the new academic year. Let’s take a look at the attack and whether it could have been avoided.

Under (cyber) attack

On 30th August, the DoppelPaymer ransomware group attacked the university’s IT systems: it stole files, locked staff out of systems, and disrupted the university’s IT and services. DoppelPaymer then published some of the stolen files on its “Doppel Leaks” site and threatened to release more if the ransom is not paid.

This attack was timed to cause maximum chaos. Staff at Newcastle University should be in the middle of one of their busiest periods, the lead-up to the start of the academic year. Instead they are dealing with a nightmare: some systems are down, others are at risk of being shut down, and computers, servers and other hardware may be taken away for forensic examination at any moment. Work already done for the new year may well need to be redone. The university still doesn’t know the full extent of the damage, and it will take weeks to return to normal.

What is a ransomware attack?

Ransomware is malicious software that, once inside an organisation’s IT systems, encrypts files and systems so their owner can no longer use them, then demands a payment for the key to restore them (in effect holding the victim’s own property to ransom). Many ransomware groups, DoppelPaymer among them, also steal data before encrypting it and demand a further payment not to leak it, which is why restoring from backups alone no longer makes the problem go away.

Who is DoppelPaymer?

DoppelPaymer claimed responsibility for the cyber attack in a Tweet on 7th September 2020: “Dear students of the New Castle University Congratulations with an upcoming release of your personal data. What a great start of a new educational year #doppelpaymer #ransomware #malware #doppleleaks”

DoppelPaymer is a ransomware group with a track record of extracting payments from its victims. In the last few years it has hit high-profile targets including Visser Precision, a parts supplier to SpaceX and Tesla, and Mexico’s state-owned oil company PEMEX. It has been so successful that Group-IB calls it one of “the greediest ransomware families with highest payoff”.

DoppelPaymer is also linked to other criminal groups, most notably Evil Corp: its code is derived from BitPaymer, which is attributed to that group. The US Treasury sanctioned Evil Corp in December 2019 over the Dridex banking malware, and US prosecutors allege its leader worked with Russian intelligence. If the connection holds, paying the ransom could itself breach US sanctions, exposing the university, its insurers and any payment intermediaries to penalties.

Why was Newcastle University the victim of a cyber attack?

Universities are a popular target for cyber attacks. Earlier this year the breach of Blackbaud, a cloud supplier of fundraising and alumni software, exposed data held by at least six UK universities, and Northumbria University was hit by its own attack last month.

Universities are a prime target for cyber attacks for several reasons:

  1. Universities are large, decentralised organisations with many departments, administrators, suppliers and systems, so there is no single perimeter to defend
  2. They provide critical services to their students, so they are under heavy pressure to restore them quickly, which attackers count on when setting a ransom
  3. Staff and students connect to their networks every day from personal devices that the IT team does not manage

Securing a university network is a nightmare for IT teams, and DoppelPaymer simply took advantage of an easy target.

What can universities do to protect themselves from cyber attacks?

Universities are attractive targets, so they need solid cybersecurity in place to stay safe. The university’s CISO has to own the plans and policies that secure the IT infrastructure and networks, and those plans should assume that an attacker will eventually get in: keep offline, regularly tested backups, segment the network so one compromised machine cannot reach everything, and rehearse the incident response before it is needed.

We also recommend that universities reduce the chance of users letting attackers in by mistake. IT teams should put tools and practices in place to help staff and students stay safe, including:

  • Awareness training so users can recognise harmful emails and applications
  • Email filtering and endpoint protection on the network to block harmful emails and downloads
  • A password policy that requires long, unique passwords, checks them against lists of known-breached passwords, and enforces multi-factor authentication on remote access; current NCSC guidance advises against forcing regular password changes, which pushes people towards weak, predictable passwords

We don’t know exactly what Newcastle University’s cybersecurity looked like before last week, but because it failed, the university now has to work with the police to investigate and pay an external company to clean up the mess left behind. That will cost a great deal of time and money it had not planned to spend. Some of that expense might have been avoided with a stronger security posture. Lesson learned. The hard way.