Did ‘exposed’ data on dark web lead to ransomware attack on Scottish university?

Our probe finds cache of over 8,000 leaked credentials and compromised accounts on underground forums


Police and national cyber experts are investigating after a Scottish university – which had thousands of leaked email addresses, passwords and compromised accounts posted on the dark web – fell victim to a ransomware attack.

The University of the Highlands and Islands (UHI) is the latest body to be targeted after hackers infiltrated systems earlier this month.

Spread across 13 campuses in the north of the country, UHI closed its facilities to students and staff on March 8 as it dealt with an incident that impacted ‘key systems and services’.

The hack comes three months after the devastating ransomware attack on the Scottish Environment Protection Agency (SEPA) but is not believed to be as severe.

The university said in a statement that it “did not currently believe personal data had been affected”.

However, our investigation carried out with the help of KELA, a global darknet threat intelligence firm based in Israel, revealed that UHI data has previously been posted on darknet sites, and may have been used by hackers to mount the attack.

According to its analysis, there are over 8,000 ‘leaked credentials’ – including email addresses and passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.

Victoria Kivilevich, threat intelligence analyst at KELA, stressed that the leaked credentials and compromised accounts were not necessarily connected to the ransomware attack.

However she said: “They just show what opportunities the cybercriminals have in targeting these institutions.”

Leaked credentials are raw information belonging to individuals online, for example an email account or password, and can lead to hackers carrying out phishing attacks. A compromised account is evidence of a machine infected with information-stealing trojans such as AZORult, Vidar, Raccoon and others. These machines contain saved credentials and personal information belonging to either employees, clients, or partners; therefore, if purchased by threat actors, they can put the organisation at “serious risk”.

In the case of universities, leaked credentials may belong not just to employees, but also to students depending on the university’s policy of assigning emails.

In a service status update, the university produced a green, amber and red guide to what services were currently available. According to the guide, several key systems including the MyUHI portal – a remote access platform to network drives, files and applications – were marked red, meaning they were unavailable due to the cyber incident. Other services downed by the attack included access to printing.

A UHI statement read: “We are dealing with an ongoing cyber security incident which has impacted on our key systems and services at all campuses.

“Our IT staff are working hard to minimise disruption particularly because most students and staff are currently working online due to Covid-19 restrictions.

“Our regional and local business continuity plans have been enacted and we are currently receiving cyber assistance from the relevant authorities including Police Scotland and the Scottish Government.”

A National Cyber Security Centre spokesman said: “We are supporting the University of Highlands and Islands partnership and working with the organisation and partners to fully understand the impact of this incident. The University says that it does not believe that personal data has been affected.”

“The NCSC works closely with the academic sector to help raise awareness of the cyber threat and improve its resilience.”

Students and staff at UHI have been impacted by the ‘cyber incident’