University of Sunderland beefs up cyber security following attack and gives insight into likely cause

The cyber-attack shut down the university's IT system for around one week, causing massive disruption.

The University of Sunderland has revealed how it has beefed up its cyber security since a debilitating attack in October 2021 which crippled the university’s online system.

The university’s Director of Technical Services, David Conway, also revealed that obtaining a registered user's login and password details to gain initial access to the system was probably the most likely cause of the breach.

Such was the extent of the impact of the infiltration that the university enlisted the help of cyber-security experts, CrowdStrike, who specialise in responding to such attacks as well as enhancing future protection.

David Conway, Director of Technical Services at the University of Sunderland (left) and Zeki Turedi, Field CTO at CrowdStrike Europe.

David said: “Both the university and the police are still investigating the attack, but the most likely method of any attack is to obtain a username and password through a phishing exercise.

“This provides a first way into an online platform.

“The attack caused a lot of disruption with students and staff unable to log into our learning platform.

“We were also unable to access our other systems such as emails and our Teams meetings. We ran a full check and no personal information had been accessed but there has inevitably been a financial impact.

“We are still dealing with insurance companies, but following the attack we have obviously had to spend money on increasing our cyber security.”

The attack took place on the first morning the whole of the university’s senior leadership team were in attendance following the most recent Covid restrictions.

This allowed them to act quickly to access the help of cyber-security experts, CrowdStrike.

The University of Sunderland was subjected to a cyber-attack in October 2021.

The company’s European Field CTO, Zeki Turedi, said: “The most common form of attack is targeting a victim to get login details and passwords to gain access to a system.

“This can be through phishing emails but these criminal groups have now started making direct human contact with employees, calling them on the phone and claiming to be a fellow employee.”

So why did the attack take place?

The attack is still under investigation and so a definite motive has not yet been ascertained.

Zeki said: “Universities are common targets as they may have valuable research information that people want to access.

“However, the most common reason for an attack is financial gain through ransomware attacks which can cause massive disruption and the threat of accessing personal information.

“These criminal gangs will then demand a payment to allow organisations to get access back to their systems.”

Research carried out by CrowdStrike showed the average ransom payment is $1.79million.

Zeki said: “Infiltrators will sometimes access an organisation's financial reports to look at what is a realistic ransom figure - although it’s always an amount which is very damaging for the organisation.

“It could be tens of thousands of pounds or even running into millions.”

David added: “It’s important to remember these organisations are often businesses and companies themselves with different departments.

“They will even offer a cyber attack service which people can pay for - it's very lucrative.

"In the end we never actually received a demand for any money."

How has the university’s cyber-security been improved?

Following the attack, CrowdStrike got the university’s IT system back up and running through a “forensic analysis” of what had taken place, alienating the infiltrator’s login and repairing systems.

Once back up and running, the university then faced the challenge of ensuring a similar breach doesn’t take place again.

David said: “We have rolled out a cyber-security training programme for staff and students about creating secure passwords and being aware of likely phishing attacks.

“It’s impossible for any university to employ its own staff to monitor cyber security 24/7, which is why we have enlisted the help of CrowdStrike.”

Zeki added: “We provide the technology to improve cyber security but also monitor patterns of use 24/7 to see if there is any suspicious use.

“This could be looking at patterns of when people are logging in and identifying any unusual deviations from this or impossible travel times where you have a person logging in at one location and then the same login being used a short time later at a location it's impossible to have travelled to.”
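
The "impossible travel" check described above, sketched as an added example (not CrowdStrike's or the university's code): it flags a login whose location could not have been reached from the same account's previous login in the time elapsed. The speed ceiling, the minimum distance, the usernames and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumed floor: ignore jitter from imprecise IP geolocation

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    place: str

def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins):
    """Return (user, from_place, to_place, implied_kmh) for every consecutive
    pair of logins by one user that implies a speed above MAX_SPEED_KMH."""
    alerts, last_seen = [], {}
    for cur in sorted(logins, key=lambda e: e.when):
        prev = last_seen.get(cur.user)
        last_seen[cur.user] = cur
        if prev is None:
            continue
        dist = haversine_km(prev, cur)
        if dist < MIN_DISTANCE_KM:
            continue  # same metro area; geolocation noise, not travel
        hours = (cur.when - prev.when).total_seconds() / 3600
        speed = float("inf") if hours == 0 else dist / hours
        if speed > MAX_SPEED_KMH:
            alerts.append((cur.user, prev.place, cur.place, speed))
    return alerts

# Constructed sample events (not real data)
SAMPLE = [
    Login("asmith", datetime(2024, 1, 15, 9, 0), 54.906, -1.383, "Sunderland"),
    Login("asmith", datetime(2024, 1, 15, 9, 40), 1.352, 103.820, "Singapore"),
    Login("bjones", datetime(2024, 1, 15, 8, 0), 54.906, -1.383, "Sunderland"),
    Login("bjones", datetime(2024, 1, 15, 13, 0), 51.507, -0.128, "London"),
    Login("cdoe", datetime(2024, 1, 15, 8, 0), 54.906, -1.383, "Sunderland"),
    Login("cdoe", datetime(2024, 1, 15, 8, 5), 54.978, -1.617, "Newcastle"),
]
ALERTS = impossible_travel(SAMPLE)  # only asmith (Sunderland -> Singapore) is flagged
```

In practice VPN exits and mobile carrier gateways also produce large apparent jumps, so alerts like these are usually triaged alongside device and session context rather than acted on alone.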

Is a future attack likely?

David said: “There have been no cyber attacks since this incident and we are as secure as possible.”

Zeki added: “It is always difficult to say you are 100% secure. Attacks will always happen and there has been a massive explosion in this type of crime.

“What’s important is that you have a robust system in place and respond to any breaches as quickly as possible.” 

Organisations wanting support with their cyber-security can contact CrowdStrike via their website.         
