Newcastle University held to ransom by cyber criminals
Written by on 7 September 2020
Newcastle University is being held to ransom by cyber criminals in an attack which has been disrupting IT systems since the beginning of the month.
The cyber crime group behind the attack – known as DoppelPaymer – previously leaked documents online relating to Elon Musk’s companies SpaceX and Tesla.
The criminals have posted stolen files from the university online and are threatening to release more, exposing student and staff data unless they receive a ransom payment, according to a post on Twitter and their darkweb site.
The university says it has alerted the UK’s data watchdog, the Information Commissioner’s Office, as well as the police.
In a statement on its website, the university said “it will take several weeks” to address the issues, and that many IT services will not be operating.
The university said it had brought in a third party to conduct an incident response investigation into the cyber attack, discovering the extent of the hack and the damage caused by the criminals.
Brett Callow, a senior researcher at ransomware specialists Emsisoft, told Sky News that the DoppelPaymer criminals use the malware to monetise their access to a victim’s network.
The malware itself is similar to malicious software developed by a group called Evil Corp which has been sanctioned by the US Treasury and accused of working with the Russian intelligence services.
“What, if any, connection exists between the operators of DoppelPaymer and Evil Corp is not clear, but cooperation between the groups has been observed,” said Mr Callow.
If a definitive connection existed between the groups then Newcastle University could be in breach of US sanctions if it paid the ransom.
“DoppelPaymer uses a double-pronged attack strategy in which the targets’ data is exfiltrated prior to being encrypted.
“The threat of releasing the stolen data is used as additional leverage to pressure the target into meeting the criminals’ demands,” Mr Callow added.
“It’s impossible for us to say what data may have been extracted during the attack. The small number of documents that have been posted are simply a warning shot: the digital equivalent of a kidnapper sending a pinky finger,” Mr Callow added.
Newcastle University did not respond to Sky News’ enquiries about whether it would pay the ransom to protect staff and students’ personal data from being leaked online.
In a statement, a spokesperson said: “The investigation into the incident is still at an early stage.
“IT colleagues continue to work hard on the systems recovery plan, and to support the police and the National Crime Agency with their enquiries,” they added.
“However, we will not be able to share further detail on the incident until this initial investigation has concluded.”
They also confirmed: “The ICO and Office for Students was notified within 72 hours of the cyber incident being detected.”