Did ‘exposed’ data on dark web lead to ransomware attack on Scottish university?
Police and national cyber experts are investigating after a Scottish university – which had thousands of leaked email addresses, passwords and ‘compromised accounts’ posted on the dark web – fell victim to a ransomware attack.
The University of the Highlands and Islands (UHI) is the latest body to be targeted after hackers infiltrated systems earlier this month. Spread across 13 campuses in the north of the country, UHI closed its facilities to students and staff on March 8 as it dealt with an incident that impacted ‘key systems and services’. The hack comes three months after the devastating ransomware attack on the Scottish Environment Protection Agency (SEPA) but is not believed to be as severe.
The university said in a statement that it “did not currently believe personal data had been affected”.
However, our investigation carried out with the help of KELA, a global darknet threat intelligence firm based in Israel, revealed that UHI data has previously been posted on darknet sites, and may have been used by hackers to mount the attack.
According to its analysis, there are over 8,000 ‘leaked credentials’ – including email addresses and sometimes passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.
Victoria Kivilevich, threat intelligence analyst at KELA, stressed that the leaked credentials and compromised accounts were not necessarily connected to the ransomware attack. However, she said: “They just show what opportunities the cyber-criminals have in targeting these institutions.”
Leaked credentials are raw information belonging to individuals online, for example an email account or password, and can lead to hackers carrying out phishing attacks. A compromised account is evidence of a machine infected with information-stealing trojans such as AZORult, Vidar, Raccoon and others. These machines contain saved credentials and personal information – for example an email and password coupled with a specific link to a website login page – belonging to either employees, clients, or partners; therefore, if purchased by threat actors, they can put the organisation at “serious risk”.
In the case of universities, leaked credentials may belong not just to employees, but also to students, depending on the university’s policy of assigning emails. In a service status update, the university produced a green, amber and red guide to what services were currently available. According to the guide, several key systems including the MyUHI portal – a remote access platform to network drives, files and applications – were marked red, meaning they were unavailable due to the cyber incident. Other services downed by the attack included access to printing.
Kivilevich added that – unlike the attack on SEPA on Christmas Eve – there is no evidence at this point in time of any data belonging to UHI having been posted on the dark web following the ransomware attack. In SEPA’s case, data that had been extracted in the ransomware attack began to be released in stages around three weeks after the initial compromise.
UHI did not respond to our inquiry but a statement read: “We are dealing with an ongoing cyber security incident which has impacted on our key systems and services at all campuses.
“Our IT staff are working hard to minimise disruption particularly because most students and staff are currently working online due to Covid-19 restrictions. Our regional and local business continuity plans have been enacted and we are currently receiving cyber assistance from the relevant authorities including Police Scotland and the Scottish Government.”
A National Cyber Security Centre spokesman added: “We are supporting the University of Highlands and Islands partnership and working with the organisation and partners to fully understand the impact of this incident. The University says that it does not believe that personal data has been affected.
“The NCSC works closely with the academic sector to help raise awareness of the cyber threat and improve its resilience.”