MTU cyber breach: Probe after ransomware attacks 'like a murder investigation'
Munster Technological University has confirmed a ransom demand was embedded in the cyber attack that closed its four Cork campuses this week. Picture: Larry Cummins
A ransom demand was embedded in the cyber attack that has closed Munster Technological University's four Cork campuses this week.
Its Kerry campus remains unaffected.
The vice president for finance and administration at MTU, Paul Gallagher, confirmed the breach was caused by ransomware that had potentially been working through its IT systems for weeks.
The university has notified the Data Protection Commissioner and has been in “close contact” with gardaí, the National Cyber Security Centre, and other authorities following the “significant” IT breach.
The college is preparing for a phased reopening of the Cork campuses next week, but there are concerns the attack could be worsened by allowing access to thousands of onsite computers.
“The worst thing we can do is rush this; that could make matters worse,” Mr Gallagher said.
When asked about the size of the ransom demand, Mr Gallagher declined to comment, but he did acknowledge that a demand had been found encoded in one of the servers.
“We have not engaged, we are taking advice from the National Cyber Security Centre.
“We’re in a strong position, we can restore the system ourselves.
“We were very lucky in that we intercepted this at an early stage, which puts us in quite a strong position actually. We have very good backup in place, so we did discover a ransom demand encoded in one of the servers, but we haven't engaged directly at this stage at all with the ransom,” he told RTÉ.
However, the ransom demanded by cyber hackers may pale as a problem in comparison to the potential for sensitive data having been stolen, warned Ronan Murphy, executive chairman of Cork-based cybersecurity firm Smarttech247.
Mr Murphy said that remedying a ransomware attack involves forensic investigation, like solving a murder.
“Depending on how widely embedded they were in the network, you can have several, fairly sophisticated data security forensic engineers involved in this process.
"It's quite a time-consuming process because you have to try to figure out how they broke in, where they went, and what they took.
“Did they leave any back doors open that enable them to successfully compromise the situation further?
“What kind of data did they steal? What are the regulatory repercussions for the organisation based on whatever data was potentially taken? Are they secure from this happening again?
“It's a very lengthy process that they now have to engage in as an organisation. It is not trivial. And I would say it’s quite painful.”
Mr Murphy said that the process is not straightforward and can take some time. He pointed to the 2021 ransomware attack on the HSE as an example that continues to have repercussions today.
The Public Accounts Committee heard last Friday how, although the State refused to pay the hackers, the long-term costs of the attack could rise to €500m. More than 32,000 notification letters have been issued to people who had their data stolen in the attack and more than 100,000 notifications are to be issued by April.

Explaining the process of a ransomware attack, Mr Murphy said: “The ransoms all are typically on timers. The bad guys try to pressurise you into paying.
"So they say, ‘if you pay €100,000 right now, we’ll give you the encryption keys and you get your data back. But every six or 12 hours that passes that goes up by 50%’.
“But that’s not so much the problem I would say, because most companies now have effective restore mechanisms, they have good back-ups of the data. So where the real problem in fact exists, depending on how long they’ve been in the network, is that they tend to exfiltrate data off the network, like what happened with the HSE.
“And that’s where the problem lies, depending on what they decide to do with that data.
"Depending on the sensitivity of it, they can try to hack the people whose data they’ve stolen, they can try to extort them, there’s a whole pile of nefarious activities around that data.
"That’s why the whole data piece is such a worry and why it’s such a problem for the HSE, people who’ve had medical records stolen, there’s obviously a fallout from that."
EU organisations are required under law to notify the Data Protection Commissioner when a breach takes place and to notify the people whose data has been compromised within very stringent timelines, Mr Murphy said.
“So they will notify the Data Protection Commissioner, they’ll then conduct a forensic investigation to try to understand what has happened, and they’ll try to notify the people whose data has been affected, and what type of data has been affected.
"And you’d hope in that type of scenario, that the quicker you’re notified, the better," he said.






