Did ‘exposed’ data on dark web lead to ransomware attack on Scottish university?
Police and national cyber experts are investigating after a Scottish university – which had thousands of leaked email addresses, passwords and ‘compromised accounts’ posted on the dark web – fell victim to a ransomware attack.
The University of the Highlands and Islands (UHI) is the latest body to be targeted after hackers infiltrated systems earlier this month. Spread across 13 campuses in the north of the country, UHI closed its facilities to students and staff on March 8 as it dealt with an incident that impacted ‘key systems and services’. The hack comes three months after the devastating ransomware attack on the Scottish Environment Protection Agency (SEPA) but is not believed to be as severe.
The university said in a statement that it “did not currently believe personal data had been affected”.
However, our investigation carried out with the help of KELA, a global darknet threat intelligence firm based in Israel, revealed that UHI data has previously been posted on darknet sites, and may have been used by hackers to mount the attack.
According to its analysis, there are over 8,000 ‘leaked credentials’ – including email addresses and sometimes passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.
Victoria Kivilevich, threat intelligence analyst at KELA, stressed that the leaked credentials and compromised accounts were not necessarily connected to the ransomware attack. However, she said: “They just show what opportunities the cyber-criminals have in targeting these institutions.”
Leaked credentials are raw pieces of an individual’s information found online, for example an email address or password, and can enable hackers to carry out phishing attacks. A compromised account is evidence of a machine infected with an information-stealing trojan such as AZORult, Vidar, Raccoon and others. Such machines hold saved credentials and personal information – for example an email and password coupled with a specific link to a website login page – belonging to employees, clients or partners; if purchased by threat actors, they can therefore put the organisation at “serious risk”.
In the case of universities, leaked credentials may belong not just to employees but also to students, depending on the university’s policy for assigning email addresses. In a service status update, the university produced a green, amber and red guide to which services were currently available. According to the guide, several key systems, including the MyUHI portal – a remote access platform for network drives, files and applications – were marked red, meaning they were unavailable due to the cyber incident. Other services downed by the attack included access to printing.
Kivilevich added that – unlike the attack on SEPA on Christmas Eve – there is no evidence at this point in time of any data belonging to UHI having been posted on the dark web following the ransomware attack. In SEPA’s case, data extracted during the ransomware attack began to be released in stages around three weeks after the initial compromise.
UHI did not respond to our inquiry, but a statement read: “We are dealing with an ongoing cyber security incident which has impacted on our key systems and services at all campuses.
“Our IT staff are working hard to minimise disruption particularly because most students and staff are currently working online due to Covid-19 restrictions. Our regional and local business continuity plans have been enacted and we are currently receiving cyber assistance from the relevant authorities including Police Scotland and the Scottish Government.”
A National Cyber Security Centre spokesman added: “We are supporting the University of Highlands and Islands partnership and working with the organisation and partners to fully understand the impact of this incident. The University says that it does not believe that personal data has been affected.
“The NCSC works closely with the academic sector to help raise awareness of the cyber threat and improve its resilience.”