Cyber incident at Dutch university highlights ongoing elevated threat to higher education institutions
Event:
On 20 January, Dutch university TU Eindhoven announced that teaching activities had resumed, following a week of disruption caused by a cyber incident [LINK].
Assessment:
TU Eindhoven first announced that it had experienced a cyber incident on 12 January, when it stated that it had shut down its network as part of the incident response. The authorities have stated that they have not found any evidence of data theft [LINK].
Media coverage has centred on TU Eindhoven’s role as a ‘feeder’ university for Dutch company ASML, a critical manufacturer of lithography equipment used in the manufacture of cutting-edge semiconductor devices [LINK, LINK]. However, TU Eindhoven university authorities have not given any indication of the likely motivation behind the attack. The higher education sector has experienced an increase in ransomware incidents globally, with little indication of attackers prioritising particular institutions [LINK].
Separately from the incident at TU Eindhoven, since 15 January, SURF, the co-operative of Dutch educational and research institutions that provides IT services for its members, has reported a series of distributed denial of service (DDoS) attacks on its network [LINK]. SURF indicated that the volume of traffic involved in these incidents was unusual and was leading to some disruption of services.
The timing of the DDoS attacks and the intrusion at TU Eindhoven may be coincidental, but there is a precedent for groups coordinating denial of service with more targeted intrusions. In February 2024, the network operated by the UK equivalent of SURF, Jisc, was targeted by a larger-than-usual DDoS attack, leading to disruption at several UK universities [LINK]. Subsequent reporting indicated that the impact at one institution was more severe than the temporary disruption that would be expected from a DDoS incident [LINK].
Outlook:
The higher education sector will continue to experience high levels of targeting by criminal actors seeking to extort payment and by states and companies engaged in IP theft and espionage. Criminals will target institutions indiscriminately, recognising that federated and under-resourced universities are unlikely to have strong cyber security protections.
Universities and research institutions engaged in research at the cutting edge of technology are at greater risk of targeting for intelligence collection. However, given the level of interconnection and openness within higher education institutions, even universities not engaged in such research may be targeted as a source of initial access.
Countries such as Russia tolerate the activities of ransomware groups and have, at times, co-opted the activities of these groups to support other activities [LINK]. As great power competition over technology intensifies, there is an increasing likelihood that parts of the ransomware ecosystem will be co-opted by state actors to support the theft and disruption of research viewed as critical to national security.
Tyburn Associates specialises in incident response and digital resilience for organisations, including in the higher education and broader public sectors. As part of the Tyburn St Raphael group, we support entities through digital crises, including ransomware, fraud, and online threats.
If you have any questions or would like to get in touch, please contact info@tyburn-str.com. If you are experiencing an incident, our emergency contact number is +44 2045 722 332.