Update November 28, 2021
We update the situation regarding the data breach that hit TH Nürnberg at the beginning of the month.
On November 8th we had written to the university asking for a statement on the case, on November 25th we were given, via e-mail, this answer by the Head of Communication of the University. A statement that, however, had not added new details on the affair.
Hello Marco,
please understand that we cannot provide any detailed information about the cyber attack that hit TH Nürnberg.
You can find all public information in the press releases on our website www.th-nuernberg.de
Schöne Grüße,
Matthias Wiedmann
Leiter Hochschulkommunikation
And this is the current situation according to what we read in a post (in German language) published on the TH Nürnberg website on November 23rd.
https://www.th-nuernberg.de/de/news/4452-erfolgreicher-reset/
The statement said that the IT systems had been restored three weeks after the cyber attack and that most of the services had returned to work without restrictions, minor problems were still present in some isolated areas.
Die Systeme laufen wieder. Drei Wochen nach dem Hackerangriff auf die IT-Infrastruktur der TH Nürnberg sind die meisten Dienste wieder ohne Einschränkungen nutzbar. Nur in vereinzelten Bereichen kommt es noch zu Beeinträchtigungen.
In order to be able to access the university IT services again, the students and university staff were asked to change their passwords, the procedure was carried out in the presence, until then, the university’s IT would have severely limited access.
Some systems, such as the Moodle e-learning platform or VPN access, were not available for security reasons, and digital study or work from home for two weeks was only possible with major restrictions.
Der Aufwand war enorm: Innerhalb weniger Tage sollten alle Studierenden und Mitarbeitenden der TH Nürnberg persönlich an den Campus kommen, um ihre Passwörter für die Nutzung der Hochschuldienste zu ändern. Bis dahin musste die Hochschul-IT den Zugriff stark einschränken.
Systeme wie die E-Learning-Plattform Moodle oder der VPN-Zugang waren aus Sicherheitsgründen nicht erreichbar, das digitale Studieren oder Arbeiten aus dem Homeoffice über zwei Wochen nur unter großen Einschränkungen möglich
“Before we can, however, rehabilitate unrestricted access to the Internet from faculty and laboratory networks, we need to take more extensive security measures – said Dr. Hans-Peter Flierl, Head of Central Information Technology – This will be done in the next few years. days”.
Bevor wir allerdings auch den Internetzugriff aus den Fakultäts- und Labornetzen wieder uneingeschränkt freischalten können, müssen wir noch umfangreichere Absicherungsmaßnahmen treffen“, schildert Dr. Hans-Peter Flierl, Leiter der Zentralen IT. Dies werde in den nächsten Tagen erfolgen.
The press release continues with some details of the cyber attack
“On the night of November 1st there was a cyber attack on client computers of the TH Nürnberg network. We think that the data may have been encrypted and that a ransom may have been demanded for its decryption […] According to current status of the investigation, there was no data loss or manipulation.”
In der Nacht des 1. November war es zu einem kriminellen Cyberangriff auf Client-Rechner im Netzwerk der TH Nürnberg gekommen. Vermutlich sollten Daten verschlüsselt und für die Freigabe ein Lösegeld erpresst werden.
Allerdings konnte der Angriff rechtzeitig bemerkt und die Serverstände wieder auf einen Zeitpunkt vor dem Zwischenfall zurückgesetzt werden. Nach derzeitigem Ermittlungsstand kam es zu keinem Verlust und keiner Manipulation von Daten.
Our further research started with these latest statements from the University, we wanted to understand which ransomware group was behind the attack on the university’s IT systems, we also wanted to understand whether or not the cybercriminals had activated a negotiation with TH Nürnberg.
We were able to verify that the HiveLeaks ransomware group is behind the attack on the university’s IT systems, the university’s name has not yet been published on the cybercriminals’ blog. There is also a chat with two messages written by Hive, but there is no response from the university negotiator.
In the first message, dated November 8, Hive asks the hypothetical negotiator of TH Nürnberg
Hello and welcome to Hive.
How may I help you?
in the second message, on November 23, the cybercriminals write that the price for the decryption tool is [EDITED] $ in bitcoin.
To decrypt your files you have to pay $ [EDITED] in Bitcoin.
We were undecided whether or not to publish the information collected during our research, in the end we decided to publish them, giving those who read the opportunity to form their own opinion on the matter.
In the press release from the university it is clear that the current situation is no longer that of three weeks ago when all IT systems were blocked, in fact in the press release the TH Nürnberg states that the situation is back to normal except for some small sectors of the university.
We will continue to closely follow this case which has involved yet another educational institution.
Thanks: @ValeryMarchive e @ransomwaremap
Update November 8, 2021
We learn that the cyber attack on the IT structures of TH Nürnberg last November 1st also involved the Leonardo – Zentrum für Kreativität und Innovation.
Leonardo is a collaborative project between the TH Nürnberg, the Akademie der Bildenden Künste Nürnberg and the Hochschule für Musik Nürnberg, and offers the three universities support in the implementation of transdisciplinary projects. The aim is to promote professional exchange between the three universities by giving students and teachers access to other areas of knowledge.
In a tweet published on November 5th, @LeonardoZentrum writes that the cyber attack on TH Nürnberg caused technical restrictions that also affect Leonardo, and that their website, email and hotline are only available to a limited extent.
At this moment, both the Leonardo Zentrum website and the Hochschule für Musik Nürnberg are temporarily unreachable.
SuspectFile.com wrote an email to TH Nürnberg and Leonardo asking for a statement on the matter.
The article will be updated if we have new information on the case
On the night of November 1, a ransomware-type cyber attack hit the IT systems of the Technische Hochschule Nürnberg Georg Simon Ohm, a public university in the Land of Bavaria with over 13,000 students and nearly 2,000 teachers.
The news was made public by the university itself through a press release published on its website on November 4th. At the moment, the name of the criminal group and the methods of the attack are unknown, although some rumors suggest that access to the university’s computer networks may have occurred through a VPN client.
What is certain, however, is that a series of computers in the laboratories and some faculties were targeted by cybercriminals. The computer systems of the university administration, on the other hand, were not affected by the accident, at least this is what is stated in the note.
The press release from the TH Nürnberg also states that the cyber attack was detected and stopped quickly, that the servers could be restored to a moment before the incident. At present, the note continues, there would have been no data loss or manipulation.
IT systems will be reactivated gradually and full recovery should take place, according to IT experts, no earlier than the end of next week. Some inefficiencies still persist, such as the inability to receive or send e-mails through the university network, even access to the VPN client was interrupted as a precaution.
The State Office for Information Security and the State Criminal Police Office are dealing with the cyber attack.
Source: TH Nürnberg