Did ‘exposed’ data on dark web lead to ransomware attack on Scottish university?
Police and national cyber experts are investigating after a Scottish university – which had thousands of leaked email addresses, passwords and ‘compromised accounts’ posted on the dark web – fell victim to a ransomware attack.
The University of the Highlands and Islands (UHI) is the latest body to be targeted after hackers infiltrated systems earlier this month. Spread across 13 campuses in the north of the country, UHI closed its facilities to students and staff on March 8 as it dealt with an incident that impacted ‘key systems and services’. The hack comes three months after the devastating ransomware attack on the Scottish Environment Protection Agency (SEPA) but is not believed to be as severe.
The university said in a statement that it “did not currently believe personal data had been affected”.
However, our investigation carried out with the help of KELA, a global darknet threat intelligence firm based in Israel, revealed that UHI data has previously been posted on darknet sites, and may have been used by hackers to mount the attack.
According to its analysis, there are over 8,000 ‘leaked credentials’ – including email addresses and sometimes passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.
Victoria Kivilevich, threat intelligence analyst at KELA, stressed that the leaked credentials and compromised accounts were not necessarily connected to the ransomware attack. However, she said: “They just show what opportunities the cyber-criminals have in targeting these institutions.”
Leaked credentials are raw information belonging to individuals online, for example an email account or password, and can lead to hackers carrying out phishing attacks. A compromised account is evidence of a machine infected with information-stealing trojans such as AZORult, Vidar, Raccoon and others. These machines contain saved credentials and personal information – for example an email and password coupled with a specific link to a website login page – belonging to either employees, clients, or partners; therefore, if purchased by threat actors, they can put the organisation at “serious risk”.
In the case of universities, leaked credentials may belong not just to employees, but also to students, depending on the university’s policy of assigning emails. In a service status update, the university produced a green, amber and red guide to what services were currently available. According to the guide, several key systems, including the MyUHI portal – a remote access platform to network drives, files and applications – were marked red, meaning they were unavailable due to the cyber incident. Other services downed by the attack included access to printing.
Kivilevich added that – unlike the attack on SEPA on Christmas Eve – there is no evidence at this point in time of any data belonging to UHI having been posted on the dark web following the ransomware attack. In SEPA’s case, data that had been extracted in the ransomware attack began to be released in stages around three weeks after the initial compromise.
UHI did not respond to our inquiry but a statement read: “We are dealing with an ongoing cyber security incident which has impacted on our key systems and services at all campuses.
“Our IT staff are working hard to minimise disruption particularly because most students and staff are currently working online due to Covid-19 restrictions. Our regional and local business continuity plans have been enacted and we are currently receiving cyber assistance from the relevant authorities including Police Scotland and the Scottish Government.”
A National Cyber Security Centre spokesman added: “We are supporting the University of Highlands and Islands partnership and working with the organisation and partners to fully understand the impact of this incident. The University says that it does not believe that personal data has been affected.
“The NCSC works closely with the academic sector to help raise awareness of the cyber threat and improve its resilience.”