Newcastle University students' data held to ransom by cyber criminals
Hackers are demanding money from the university in order not to leak student and staff data stolen in the attack.
Tuesday 8 September 2020 11:25, UK
Newcastle University is being held to ransom by cyber criminals in an attack which has been disrupting IT systems since the beginning of the month.
The cyber crime group behind the attack - known as DoppelPaymer - previously leaked documents online relating to Elon Musk's companies SpaceX and Tesla.
The criminals have posted stolen files from the university online and are threatening to release more, exposing student and staff data unless they receive a ransom payment, according to a post on Twitter and their darkweb site.
Newcastle University has alerted the UK's data watchdog, the Information Commissioner's Office, as well as the police.
In a statement on its website, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period.
A third party has been brought in to conduct an incident response investigation into the cyber attack, discovering the extent of the hack and the damage caused by the criminals.
Brett Callow, a senior researcher at ransomware specialists Emsisoft, told Sky News that the DoppelPaymer criminals use the malware to monetise their access to a victims' network.
The malware itself is similar to malicious software developed by a group called Evil Corp which has been sanctioned by the US Treasury and accused of working with the Russian intelligence services.
"What, if any, connection exists between the operators of DoppelPaymer and Evil Corp is not clear, but cooperation between the groups has been observed," said Mr Callow.
If a definitive connection existed between the groups then Newcastle University could be in breach of US sanctions if it paid the ransom.
"DoppelPaymer uses a double-pronged attack strategy in which the targets' data is exfiltrated prior to being encrypted.
"The threat of releasing the stolen data is used as additional leverage to pressure the target into meeting the criminals' demands," Mr Callow added.
"It's impossible for us to say what data may have been extracted during the attack. The small number fo documents that have been posted are simply a warning shot: the digital equivalent of a kidnapper sending a pinky finger," Mr Callow added.
A spokesperson for the UK's National Cyber Security Centre told Sky News: "We are aware of an incident affecting Newcastle University and are providing support.
"The NCSC works closely with the academic sector to improve its security practices and help protect them from threats," they added.
Newcastle University did not respond to Sky News' enquiries about whether it would pay the ransom to protect staff and students' personal data from being leaked online.
In a statement, a spokesperson said: "The investigation into the incident is still at an early stage.
"IT colleagues continue to work hard on the systems recovery plan, and to support the police and the National Crime Agency with their enquiries," they added.
"However, we will not be able to share further detail on the incident until this initial investigation has concluded."
They also confirmed: "The ICO and Office for Students was notified within 72 hours of the cyber incident being detected."
A spokesperson for the Department for Education said: "We understand that cyber attacks on universities are disruptive for students and staff.
"That is why we regularly work closely with the NCSC with other government departments, agencies and industry cyber specialists to continuously improve our understanding cyber-attacks in the education sector.
"It is imperative that student and staff data is secure. Every university must ensure their online security is as robust as possible to protect private data from cyber threats.
"We would also urge any institution to follow the world-leading cyber security advice provided by the NCSC on its website," they added.