Cyber Incident Victim: Keuda
Date:
Nov 2022
Location:
Finland
Summary
A cyberattack targeted an educational organization, prompting immediate network and service shutdowns to limit damage. The incident caused intermittent outages during recovery efforts, disrupting dependent operations and requiring reorganization of computer-reliant teaching activities. Authorities, including data protection and cybercrime agencies, were notified, with an external cybersecurity firm assisting the investigation. While the attack's origin was swiftly identified, full impact assessment continued over subsequent days. Communication remained possible via email, Teams, and functional websites, though channels were initially restricted. Graduating students were prioritized to ensure certification despite disruptions. No evidence indicated compromised personal data or internal actor involvement. Service restoration progressed gradually, with ongoing updates provided through organizational channels.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 5 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 28, 2022, Keuda, a Finnish educational institution, experienced a cyberattack that forced the immediate shutdown of its network and service connections to limit further damage. The attack was detected that morning, prompting an investigation with a contracted cybersecurity firm and coordination with Finland’s Central Criminal Police, Data Protection Ombudsman, and Cybersecurity Center. Initial assessments indicated no compromise of personal data and ruled out accidental or malicious internal actions by staff or students as the cause. By November 29, Keuda confirmed the attack’s origin had been identified but emphasized ongoing efforts to determine its full scope and impact. Teaching continued through alternative learning environments, though network-dependent instruction required reorganization, with staff informing students of adjustments. Limited communication channels remained operational, including email (from keuda.fi addresses deemed safe if recipient security was intact), Microsoft Teams meetings, functional public websites, and standard enrollment/rekrrytoint processes via Kuntarekry.
Recovery efforts began immediately but faced prolonged disruptions. As of November 30, intermittent outages affected cloud services during restoration work, with full recovery expected to take time. By December 1, Keuda assured partners that graduation certificates for students nearing completion would be secured despite ongoing limitations. Network restrictions persisted through December 5, prohibiting devices from connecting to Keuda’s network, while sporadic cloud-service interruptions continued. Updates on December 7 and 12 noted gradual progress in restoration, prioritized graduation assurance, and temporary availability of student/personal devices for Office 365 access. Throughout the incident, Keuda maintained regular public updates via its website, emphasizing operational continuity in admissions, recruitment, and non-network-dependent activities. No ransom demands, attacker identities, or data exfiltration were disclosed in the available reports.