A penetration testing toolkit used widely by industry was repurposed for the recent ransomware attack on a Scottish university, cyber security professionals have confirmed.

Cobalt Strike, used commonly by security researchers for legitimate purposes, was deployed in a sophisticated cyber attack mounted against the University of the Highlands and Islands at the beginning of March.

The ransomware incident likely originated in Eastern Europe or the Baltic region, and was described by HEFESTIS, the shared technology and information services group that works with Scottish colleges and universities, as a “polymorphic attack” featuring various malware components.

Those included Ryuk, a strain of ransomware that has been linked with many so-called ‘big game hunting’ attacks around the world, which target institutions with significant revenues for financial gain.

In this incident, which hit the UHI network on March 5, attackers managed to encrypt some parts of the network and student and staff services were disrupted, but the affected systems were mostly on premises and were isolated quickly by IT staff. Most cloud-based services were unaffected, according to David Robertson, HEFESTIS’s regional Chief Information Security Officer for Fife College, North East Scotland College, UHI, University of Aberdeen, University of Dundee and APUC.

He said that the attack began with ‘shell activity’, code or a script running on a server that gives an attacker remote command execution, at around 3am, alongside attempts to encrypt parts of the network, some of which were successful but many of which were not.

IT teams responding to the incident identified the malicious activity and quickly isolated parts of the network from further attempts at what is known as ‘lateral spread’ (more commonly called lateral movement), whereby attackers with a foothold on one part of the network look for ways to reach other systems and push the ransomware across the entire estate.

Unlike in the recent ransomware attack on the Scottish Environment Protection Agency (SEPA), the attackers do not appear to have attempted to steal the university’s data, and they presented that restraint as a favour in their extortion attempts, which were described as classic “psy-ops”.

Robertson said: “The ransomware note was issued and it was propagated around the network but they do not appear to have been able to link the trigger information behind the ransom note. In other words you could read it but actually your system hadn’t been encrypted. You just basically got a ransom note. I think that’s down to the speed with which they shut down the command and control traffic.

“There were some areas which were encrypted – those were on prem, on the network, and isolated very quickly. The isolation exercise was excellent and thorough. Because it was enacted so quickly the lateral spread was contained which is what everybody wants to do when they find this; it was recognised that there was still work to be done, restoring some of the compromised areas and getting all the forensics back, but the business impact, fortunately, in comparison to previous attacks, and certainly in comparison to SEPA, is minimal and well managed.”

He added: “It was Cobalt Strike tools that were used to actually infiltrate the network and accounts were created. Those accounts were privileged accounts with admin [rights]; those were used to compromise main controllers and to attack the Active Directory environment. That worked on-prem but it didn’t work off-prem, in other words the cloud position was solid and they were able to restore that and work from that. The network side of things has taken a lot more work, but that’s back up as well.”
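The sequence Robertson describes, new accounts granted admin rights and then turned against the directory, is one of the more tractable ransomware precursors to detect from Windows Security logs. The following is an added example, not code from the article, HEFESTIS or UHI. It runs over constructed sample events (the hostnames, account names and timestamps are invented; the event IDs 4720, 4728 and 4732 are Microsoft’s real IDs for user creation and for additions to global and local security groups) and flags any addition to a privileged group, rating it high when the account was created less than an hour earlier, and marks changes made in assumed quiet hours, the 3am window above being the motivating case.

```python
"""Added example, not the article's or HEFESTIS's code: flag newly created
accounts that are quickly added to a privileged Active Directory group,
using records modelled on Windows Security log events. Event IDs are the
real Microsoft ones; every host, account and timestamp below is constructed."""
from datetime import datetime, timedelta

# Groups whose membership changes should page someone. Assumption: tune per estate.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# 4720 = user account created; 4728 = member added to a security-enabled global
# group; 4732 = member added to a security-enabled local group.
EVT_USER_CREATED = 4720
EVT_GROUP_ADD = {4728, 4732}

# Constructed sample events (field names chosen here; map your SIEM's fields onto them).
SAMPLE_EVENTS = [
    {"time": "2021-03-02T11:00:00", "event_id": 4720, "host": "DC01", "subject": "helpdesk.jane", "target": "it.contractor"},
    {"time": "2021-03-05T02:58:10", "event_id": 4720, "host": "DC01", "subject": "svc_backup", "target": "sysadm2"},
    {"time": "2021-03-05T03:01:42", "event_id": 4728, "host": "DC01", "subject": "svc_backup", "target": "sysadm2", "group": "Domain Admins"},
    {"time": "2021-03-05T03:02:15", "event_id": 4732, "host": "FS01", "subject": "sysadm2", "target": "sysadm2", "group": "Administrators"},
    {"time": "2021-03-05T03:05:00", "event_id": 4728, "host": "DC01", "subject": "svc_backup", "target": "it.contractor", "group": "Domain Admins"},
    {"time": "2021-03-05T09:15:00", "event_id": 4720, "host": "DC01", "subject": "helpdesk.jane", "target": "new.starter"},
    {"time": "2021-03-05T09:16:30", "event_id": 4728, "host": "DC01", "subject": "helpdesk.jane", "target": "new.starter", "group": "Staff"},
]


def find_privilege_grants(events, window=timedelta(hours=1), quiet_until_hour=6):
    """Return one alert per addition to a privileged group.

    severity is "high" when the account was created less than `window` before
    the grant (the create-then-elevate pattern), otherwise "medium". off_hours
    marks grants made before `quiet_until_hour` (assumption: 00:00-06:00 is
    quiet for this estate). An account whose creation event is not in the
    input still produces a medium alert: it may predate retention or have been
    created on another domain controller."""
    created = {}   # account -> creation time, filled as events are walked in time order
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO-8601 timestamps sort lexically
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == EVT_USER_CREATED:
            created[ev["target"]] = when
            continue
        if ev["event_id"] not in EVT_GROUP_ADD or ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        born = created.get(ev["target"])
        age = None if born is None else when - born
        alerts.append({
            "account": ev["target"],
            "group": ev["group"],
            "host": ev["host"],
            "by": ev["subject"],
            "age_minutes": None if age is None else int(age.total_seconds() // 60),
            "severity": "high" if age is not None and age <= window else "medium",
            "off_hours": when.hour < quiet_until_hour,
        })
    return alerts


if __name__ == "__main__":
    for a in find_privilege_grants(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['account']} -> {a['group']} on {a['host']} by {a['by']}"
              f" (account age: {a['age_minutes']} min, off-hours: {a['off_hours']})")
```

On the constructed data this raises two high-severity alerts for `sysadm2` (created at 02:58, Domain Admins at 03:01, local Administrators on a file server at 03:02) and a medium one for an older account promoted at 03:05, while the daytime helpdesk workflow that adds a new starter to a non-privileged group stays silent. The same logic maps directly onto a SIEM correlation rule keyed on 4720 followed by 4728/4732.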

Robertson described the response by UHI as the “best stand up” he has seen, and said that the university, which operates across 13 college campuses in the north of Scotland, put a robust set of cyber security measures in place two years ago with help from HEFESTIS, a membership organisation for IT professionals working in the higher and further education sector.

He said: “Two years ago I don’t believe the response from UHI would have been as robust. They have taken on board security risk management, prioritising activity, they put in multi-factor authentication, they put in encryption walls, put in a large sequence of measures to get to the point where they could actually handle this. And that’s something that’s really, really important because to learn the lessons from this, it seems to be that UHI have been really, really good pupils, if you like.”

The incident is subject to an ongoing multi-agency probe by the National Cyber Security Centre (NCSC), Police Scotland and the Scottish Business Resilience Centre. Information has also been passed to the Scottish Government’s Cyber Resilience Unit, which has acted in an advisory capacity for local government organisations.

Attribution for such attacks is always difficult without nation state-led intelligence, according to Jordan Schroeder, Deputy Managing Director and Managing CISO at HEFESTIS, and speculating about it is unhelpful, giving rise to politics and nationalism.

As such, even though the attack may have originated in one of two nation states, we have chosen not to name them unless there is official confirmation from the NCSC, police or other government sources.

In terms of how the attack came about, we previously revealed that a substantial number of both leaked credentials (LC) and compromised accounts (CA) belonging to UHI were circulating on dark web forums. KELA, a global darknet threat intelligence firm based in Israel, indicated there were over 8,000 ‘leaked credentials’, including email addresses and sometimes passwords, belonging to UHI staff and students that had been leaked or stolen and possibly traded on underground forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites.

Again, it would be speculation to say that such an exposure led directly to the UHI attack, but both Robertson and Schroeder are clear that threat intelligence and awareness of organisational exposure is an area which needs a far greater level of focus and investment.

Schroeder said: “I’ve worked in threat intelligence at a major global financial institution and I worked on a project at the Scottish Government called the Cyber Scotland Shield which is designed to make threat intelligence more approachable for the public sector and HE-FE in Scotland. The problem isn’t the access to information, as there’s a lot of information, the problem is resourcing.

“You have so many HE-FE institutions who have maybe a quarter of a person dedicated to security and that time is dedicated to putting out fires. It’s not about being able to look ahead to be able to get that perspective. It’s the time, the skills and the expertise to go through data, filter it, make sense of it and turn it into something actionable that the organisation can deal with, and this is the problem.” The Cyber Scotland Shield – an HEFESTIS project sponsored by the Scottish Government’s Cyber Resilience Unit – has also added to the threat intelligence landscape to provide “faster, more actionable” information between institutions.

Schroeder adds: “So, for instance, if an institution got hit with malware from a certain IP address or port, that information could be instantly propagated across to everybody else and even to automate the defences and the firewalls to automatically block those, so as soon as a threat comes in from one institution all institutions can raise the shield against that.”
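The mechanism Schroeder describes, one institution’s observed attacker address becoming everyone else’s firewall rule, is simple to build and easy to get wrong: a peer’s mistyped or malicious indicator should not be able to block your own address space or a shared service. The following is an added example and is not code from the article or from the Cyber Scotland Shield project. The feed format, the allowlist, the indicators and the fixed clock are all constructed; it validates each entry, merges reports of the same indicator from several institutions, honours an expiry, and emits iptables rules, optionally only for indicators corroborated by more than one source.

```python
"""Added example, not code from the article or the Cyber Scotland Shield:
consume a shared indicator feed and emit firewall block rules, with the
sanity checks that belong between a peer's report and your own firewall.
Feed format, allowlist, indicators and the fixed "now" are all constructed."""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Ranges never blocked on the say-so of a feed: RFC 1918, loopback, link-local,
# "this" network. Spelled out rather than using ipaddress.is_global because the
# constructed feed below uses RFC 5737 documentation addresses, which the
# ipaddress module also treats as non-global.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Assumption: your own public range and shared sector infrastructure go here.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in production.
NOW = datetime(2021, 3, 5, 6, 0, tzinfo=timezone.utc)

# Constructed feed: one indicator per entry, as a peer institution might publish it.
SAMPLE_FEED = json.dumps([
    {"ip": "203.0.113.45", "port": 4444, "source": "college-a", "seen": "2021-03-05T03:10:00Z", "ttl_hours": 72},
    {"ip": "198.51.100.7", "port": None, "source": "university-b", "seen": "2021-03-05T04:00:00Z", "ttl_hours": 72},
    {"ip": "10.20.30.40", "port": 445, "source": "college-a", "seen": "2021-03-05T03:12:00Z", "ttl_hours": 72},
    {"ip": "203.0.113.45", "port": 4444, "source": "university-c", "seen": "2021-03-05T05:00:00Z", "ttl_hours": 72},
    {"ip": "192.0.2.200", "port": 443, "source": "college-d", "seen": "2021-02-01T00:00:00Z", "ttl_hours": 24},
    {"ip": "not-an-ip", "port": 80, "source": "college-d", "seen": "2021-03-05T03:00:00Z", "ttl_hours": 72},
    {"ip": "203.0.113.9", "port": 443, "source": "college-a", "seen": "2021-03-05T03:00:00Z", "ttl_hours": 72},
])


def load_indicators(feed_json, now=NOW, allowlist=ALLOWLIST):
    """Parse and validate the feed. Returns (accepted, rejected): accepted maps
    (ip, port) to the set of reporting sources and earliest sighting; rejected
    lists (raw_ip, reason) so the rejections can be audited."""
    accepted, rejected = {}, []
    for entry in json.loads(feed_json):
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except ValueError:
            rejected.append((entry["ip"], "malformed"))
            continue
        if any(addr in net for net in NEVER_BLOCK):
            rejected.append((entry["ip"], "private-or-reserved"))
            continue
        if any(addr in net for net in allowlist):
            rejected.append((entry["ip"], "allowlisted"))
            continue
        seen = datetime.fromisoformat(entry["seen"].replace("Z", "+00:00"))
        if seen + timedelta(hours=entry.get("ttl_hours", 72)) < now:
            rejected.append((entry["ip"], "expired"))
            continue
        rec = accepted.setdefault((str(addr), entry.get("port")), {"sources": set(), "first_seen": seen})
        rec["sources"].add(entry["source"])
        rec["first_seen"] = min(rec["first_seen"], seen)
    return accepted, rejected


def to_iptables(accepted, min_sources=1):
    """Render block rules. min_sources > 1 blocks only indicators corroborated
    by several institutions, a cheap defence against one bad feed entry."""
    rules = []
    for (ip, port), rec in sorted(accepted.items(), key=lambda kv: (kv[0][0], kv[0][1] or 0)):
        if len(rec["sources"]) < min_sources:
            continue
        comment = "shield:" + ",".join(sorted(rec["sources"]))
        dport = "" if port is None else f" -p tcp --dport {port}"
        # Inbound: drop anything from the attacker address. Outbound: drop beaconing
        # to it (on the reported C2 port when one was given).
        rules.append(f'iptables -I INPUT -s {ip} -m comment --comment "{comment}" -j DROP')
        rules.append(f'iptables -I OUTPUT -d {ip}{dport} -m comment --comment "{comment}" -j DROP')
    return rules


if __name__ == "__main__":
    acc, rej = load_indicators(SAMPLE_FEED)
    for raw, why in rej:
        print(f"# rejected {raw}: {why}")
    for rule in to_iptables(acc, min_sources=1):
        print(rule)
```

Four of the seven constructed entries are rejected (an RFC 1918 address, an expired sighting, a malformed address, and an allowlisted one), the two reports of the same address and port are merged into one indicator with two sources, and the rules carry the reporting institutions in the iptables comment so an analyst can see why a block exists. Replacing `NOW` with the real clock and the JSON string with a fetch of the shared feed is the only change needed to run it for real.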

HEFESTIS (HE/FE Shared Technology & Information Services) offers both CISO-as-a-Service and DPO-as-a-Service [Data Protection Officer] to universities and colleges across Scotland. Information sharing between institutions is good and the sector is well organised, according to Robertson.

He said: “It is a close community. But at the same time we’ve all been experiencing the pressures of Covid, and going through these similar challenges. What I would say though is that we do need to wake up. This should be in the top three risks for any university or college in the United Kingdom and if you’re not treating it as such, your risk register is wrong.

“You can put down the threat of terrorist attacks or a fire; but if a building burns down, you build a new one and get on with it. But if a cyber attack happens you could be down for six months or a year, and you may never recover.”

He also said that there needs to be more leadership at board level with the technical expertise to respond to such incidents. According to research firm Gartner, by 2025 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today.

Robertson said: “People who understand the systems that underpin all of the activity of the organisation are not promoted to CEO level – they’re promoted to CIO level and then it’s somebody else’s problem. It’s why there’s so much stress right across the cyber security area. Anybody who rises to the top in IT is too vital in their role – to keep things going – to actually take a leading role in that organisation. That needs to change.”