
Cyber Incident Victim: Fachhochschule Münster

Date:

Jun 2022

Location:

Germany

Summary

A cyberattack targeted FH Münster, compromising its internal user administration system after repeated unauthorized network scans. Attackers gained access to a domain administrator account, stealing all names, email addresses, and password hashes. The institution disconnected its systems from external networks to contain the breach, collaborating with external security experts. Operational disruptions occurred during critical academic periods, requiring a mandatory password reset for 18,000 users via mailed one-time codes and subsequent implementation of multi-factor authentication. Recovery efforts involved over 130 staff members managing helplines and identity verification, with costs reaching six figures. The attackers were identified as professionals, though their motives remain undisclosed for investigative reasons.


Description

The FH Münster cyber incident began with recurring unauthorized network scans detected from May 2022, when attackers used compromised university credentials to probe the intranet. IT security systems repeatedly flagged and blocked these activities, but new compromised accounts resumed scanning days later. On June 20, administrators identified critical anomalies involving the "lsass.exe" Windows process on a server, indicating unauthorized access to the Local Security Authority Subsystem Service. Forensic analysis confirmed attackers had obtained domain administrator privileges, granting full control over FH Münster’s network infrastructure, including access to all 18,000 active user accounts and associated email addresses. Password hashes—one-way cryptographic digests of user credentials—were also exfiltrated, creating the potential for offline cracking attempts. By June 21, the university’s crisis management team disconnected all external network access to contain the breach, maintaining internal operations like email and learning platforms while blocking all internet connectivity from campus.
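The lsass.exe anomaly described above is the kind of host-level signal that a detection rule can surface before domain-wide compromise is complete. The following is an added example, not part of this incident record and not FH Münster's tooling: a Python check over constructed Sysmon-style process-access events (Event ID 10; the field names SourceImage, TargetImage and GrantedAccess follow Sysmon's, while the key=value line format, the hostnames and the allowlist of benign source processes are assumptions) that flags non-allowlisted processes opening LSASS with memory-read or all-access rights.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows process access rights (subset) that make up the GrantedAccess mask.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist: processes that routinely open LSASS on a typical
# Windows server. Tune this to the environment; it is not a vendor list.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

@dataclass
class Finding:
    host: str
    source_image: str
    granted_access: int
    reason: str

# key=value pairs; values may be double-quoted because paths contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one constructed key=value log line into a dict of fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def assess_lsass_access(line: str) -> Optional[Finding]:
    """Return a Finding if the event is a suspicious handle to lsass.exe."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":          # only ProcessAccess events matter here
        return None
    target = ev.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    access = int(ev.get("GrantedAccess", "0"), 16)
    # Query-only handles (no VM_READ/VM_WRITE bits) are routine noise.
    reads_memory = bool(access & (PROCESS_VM_READ | PROCESS_VM_WRITE))
    if not reads_memory and access != PROCESS_ALL_ACCESS:
        return None
    if source in ALLOWED_SOURCES:
        return None
    if access == PROCESS_ALL_ACCESS:
        reason = "PROCESS_ALL_ACCESS handle to lsass.exe from a non-allowlisted process"
    else:
        reason = "memory read/write access to lsass.exe from a non-allowlisted process"
    return Finding(ev.get("Host", "?"), source, access, reason)

def scan_log(lines: List[str]) -> List[Finding]:
    """Run the check over a batch of log lines and collect findings."""
    return [f for f in (assess_lsass_access(l) for l in lines) if f is not None]

# Constructed sample events for demonstration only.
SAMPLE_LOG = [
    'EventID=10 Host=srv-ad01 SourceImage="C:\\Windows\\System32\\svchost.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1400',
    'EventID=10 Host=srv-ad01 SourceImage="C:\\Windows\\System32\\csrss.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1fffff',
    'EventID=10 Host=srv-ad01 SourceImage="C:\\Users\\admin\\AppData\\Local\\Temp\\update.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1010',
    'EventID=10 Host=srv-ad01 SourceImage="C:\\Windows\\Temp\\tool.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1fffff',
    'EventID=1 Host=srv-ad01 Image="C:\\Windows\\System32\\notepad.exe"',
    'EventID=10 Host=srv-ad01 SourceImage="C:\\Windows\\System32\\taskmgr.exe" '
    'TargetImage="C:\\Windows\\System32\\explorer.exe" GrantedAccess=0x1010',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding.host}] {finding.source_image} "
              f"(0x{finding.granted_access:x}): {finding.reason}")
```

Two of the six constructed events are flagged: the unknown binaries reading LSASS memory or holding an all-access handle. The allowlisted system processes and the query-only handle are deliberately ignored, which is the trade-off this kind of rule makes: it stays quiet on routine activity so that the rare hit is worth an analyst's time, and it should be paired with an alert on repeated scanning from rotating accounts, the earlier signal in this incident.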


External cybersecurity consultants verified the severity of the compromise within 24 hours, confirming data theft but no evidence of active attacker control over systems. Restoration efforts required a full password reset for all users, complicated by security constraints preventing online resets. One-time passwords were mailed to private email addresses or physical addresses, while 130 staff members operated a temporary hotline and in-person support stations to assist with credential recovery. The university implemented mandatory multi-factor authentication (MFA) for critical services during this period, requiring both new passwords and app-generated codes for external access. Systems resumed full external connectivity on July 2 after 12 days of isolation, with MFA remaining permanently enforced. The attack disrupted examination scheduling, student enrollment processes, and internal communications, requiring emergency web portals and manual coordination for academic operations. Financial costs reached six figures, primarily for external consulting services, though no ransom demands or attacker communications were reported. Post-incident analysis highlighted operational gaps in emergency communication channels, prompting plans for redundant notification systems and expanded cybersecurity training for students and staff.
