Hacker attack: Hamburg university is being blackmailed


Exclusive

As of: 01/13/2023 4:56 p.m

The hacker group “Vice Society” has claimed responsibility for the cyber attack on HAW Hamburg. According to information from the ARD political magazine Kontraste, the group is threatening to publish captured data. US security authorities suspect the attackers are in Russia.

By Sascha Adamek and Daniel Laufer, rbb

The WLAN is switched off, as are most of the computers – for security reasons. Nothing works anymore on the campus of the state-owned University of Applied Sciences (HAW) in the south of Hamburg. Since a cyber attack in December, students and professors have not even been able to get to their e-mails.

Worse still, there are concrete indications that their data could soon end up on the Internet. According to information from the ARD political magazine Kontraste, the attackers left a text document on the HAW server: “All your files were encrypted by the ‘Vice Society’,” it says in incorrect English.

In order to undo this – to be able to decrypt the files again – the university should send the hacker group an e-mail and pay an unspecified amount. “If you don’t contact us within seven days, we will upload the files to the dark web,” the attackers claim. That was just after Christmas.

Malicious code spares Russian computers

Little has happened since then. But there is little doubt that the threat is serious. Kontraste was able to view a number of records obtained by “Vice Society” in previous forays. Accordingly, the group struck at least eight times in Germany.

According to its own account, “Vice Society” has attacked well over a hundred targets in mostly Western countries since 2021, including banks, public administrations and companies from the health sector. According to an FBI statement, the group is “disproportionately focused on the education sector.” The US federal police suspect the group is in Russia.

Apparently a country-specific attack

In the Hamburg attack, too, there may be a trail that leads there: According to HAW, a variant of a program known as “Zeppelin” was used. Security researchers investigated it years ago and found that the software checks the computer’s language and locale.

A possible indication of the origin of the developers: The malicious code is only executed when the program thinks its attack target is outside of Russia, Ukraine, Belarus and Kazakhstan; otherwise the files remain unencrypted. However, “Zeppelin” is older than “Vice Society”, so the group probably didn’t write the program itself. The group is known to use different types of malware for its attacks.

Cyber attack might have started with phishing email

In the meantime, the HAW has filed a complaint. Its spokesman did not want to comment on the group’s claim “for reasons of investigation tactics”. According to information from Kontraste, the university apparently assumes that the attackers initially obtained access data to an ordinary user account. There may be a connection between the attack with the “Zeppelin” malware and an incident that had worried the IT department three weeks earlier.

At the time, in an internal letter available to Kontraste, the IT department had warned of a so-called phishing e-mail. In this scam, attackers try to use fake senders to obtain access data for user accounts. The phishing email asked recipients to enter their HAW password on a website that was not owned by the HAW.

According to its spokesman, the university noticed the attack on December 27th. “Vice Society” apparently made its way through the network. The group gained administrator rights and penetrated to the central storage system, encrypting files and deleting backup copies.

Apparently a few hours were enough

During the Christmas attack, “Vice Society” is said to have made its way through the network. The attack probably only lasted a few hours. When the HAW took countermeasures and shut down their system, the attackers had apparently long since obtained administrator rights, penetrated to the central storage system, encrypted files and deleted backup copies.

A spokesman for HAW told Kontraste that overall a “significant amount of data was lost”. According to a statement on the university’s website, the university assumes that the attackers also stole personal data from students and employees. In addition, it may have been possible “in individual cases to read passwords from accounts remote from the university, such as those from Amazon, Ebay, etc.”. A few members of the university have reported that strangers have already tried to register on their behalf on other websites.

Highly sensitive data published on the dark web

The HAW could soon fare similarly to the administration of Witten, whose systems “Vice Society” penetrated in October 2021. Highly sensitive data was captured there, which the administration had not adequately protected. For example, the detailed report on a sexual assault that is said to have occurred in the North Rhine-Westphalian city is now available. The full name of the person concerned can also be read. “We don’t care about the law,” writes Vice Society on its website. “We always publish everything.”

The hackers broke into the city of Suhl in Thuringia in March 2022. Among other things, the group published an overview of information from the register of residents that the regulatory office had obtained – in connection with a gun permit.

District authority also affected

The Rhine-Palatinate district administration fell victim to “Vice Society” in October 2022. 3691 citizens were “affected to a greater extent by the data theft,” the authority told Kontraste. It is now possible to download the identity papers of people who have apparently fled Ukraine since the beginning of the war. Officials had saved scans of the documents.

A password was also lost, with which the district administration could log into the “Katwarn” information system. This access was blocked before the data was published: suspicious activities had already been identified. “Katwarn” can be used to send disaster reports to the population.
