All computer systems are vulnerable, this is the first lesson. And cybercrime takes advantage of their mistakes, which in these times likes to kidnap data in order to collect ransom for releasing them. The episode experienced in 2021 by the Autonomous University of Barcelona (UAB) can be described as exemplary: with the valuable help of its suppliers Dell and Fortinet, the UAB managed to restore services without paying the attackers. In the words of Gonçal Badenes, ICT director of the center, “it was a devastating experience, but at least it gave us an opportunity to make an update in a few weeks that we had planned to do more calmly”.
The account of the events cannot be separated from a crucial circumstance: unlike any private company, which is still a closed and controllable environment, a university's mission is to serve a mass of volatile users and it is assumed, less disciplined in security matters. In other words: find a balance between security and flexibility. In addition, they often have equipment installed years ago and, for various reasons, cannot be replaced at will.
Badenes evokes other times when cybersecurity did not exist as a problem: “we connected with colleagues and classmates, at the university itself or in others, on friendly networks; for us it was unimaginable that someone could get hold of the data. Now, instead, we start from the premise that any user of the network is a source of vulnerability and that all systems are fallible in principle”.
In last year's incident, "the illegitimate access vector was a user whose credentials were captured by criminals after falling into a trap (phishing) and revealing their ID and password." That ordinary user, without access privileges, allowed them to track through the network.
“They went into the kitchen –summarizes Badenes–, both to analyze the network, its service levels and the connected devices. The hackers found a hole through which to penetrate a server and camouflage themselves as system administrators. As everything that is done on a computer leaves its mark, today we know that they worked for three weeks, always at dawn. They knew very well what they were doing, they had resources and, without a doubt, they were after us.”
As revealed by the forensic analysis carried out, the objective of the attack was twofold: block the data and disable the backup copies that they could access. "They didn't expect that we would be able to recover a pristine backup with Dell's help."
Badenes underlines the role of this company, provider of storage equipment and part of the servers installed at the UAB. Also from Fortinet, which made it easy to set up a clean parallel system without having to touch the one under investigation. "After the initial shock, you feel pressured to resume service as soon as possible, but experts recommend doing nothing until the forensic phase is complete, from which critical information is extracted to understand what has happened."
The UAB did not come into contact with the attackers, he points out. “We were clear that it was not ethically correct and that, on the other hand, the payment would have another harmful effect: we would enter a list that circulates among criminals and make us attractive for new attacks. Also, the recovery effort would have had to be done anyway, even after paying."