Cyber Incident Victim: Consejo Superior de Investigaciones Científicas (CSIC)
Date: Jul 2022
Location: Spain
Summary
The Spanish National Research Council suffered a ransomware attack attributed to Russian actors, disrupting internet connectivity across its network for an extended period. The intrusion triggered defensive protocols that severed external access to prevent further spread, leaving over 75% of research centers offline for weeks and forcing staff to rely on mobile data for basic operations. Authorities confirmed no sensitive data was exfiltrated or encrypted during the incident, which mirrored attacks on other global research entities. This occurred amid heightened cybersecurity tensions in Europe following geopolitical conflicts, with Spain having previously elevated its national threat level due to anticipated sophisticated cyber operations from state-aligned groups.
Description
The CSIC (Consejo Superior de Investigaciones Científicas), Spain's largest public research body, suffered a ransomware attack originating from Russia on July 16, 2022. The intrusion was detected two days later on July 18, prompting immediate activation of security protocols that severed internet connectivity across multiple affiliated centers to contain the threat. According to Spain's Ministry of Science and Innovation, the attackers failed to exfiltrate sensitive or confidential data despite successfully deploying ransomware, which typically encrypts systems to demand payment for decryption. By early August, only approximately 25% of CSIC centers had restored internet access as security teams continued containment measures, with full restoration expected in subsequent days. The incident mirrored attacks on other research institutions like Germany's Max Planck Institute and NASA in the United States, occurring amid heightened cybersecurity tensions following Russia's invasion of Ukraine earlier that year.

Operational disruptions persisted for weeks, with researchers at institutes like the Instituto de Química Física Rocasolano reporting reliance on mobile data for basic work functions due to disabled network infrastructure. Employees publicly criticized the extended disconnection as excessive for what authorities described as a "minor and localized" attack, noting telephone systems also remained inoperable. This incident followed multiple high-profile cyberattacks on Spanish entities, including March 2021 ransomware targeting the SEPE employment agency that forced a return to paper-based processes, and a March 2022 breach compromising 1.3 million Iberdrola customer records. Spain had elevated its national cybersecurity alert to level 3 (on a 5-tier scale) in March 2022 due to anticipated Russian cyber threats, establishing a dedicated cybersecurity committee under the National Cryptologic Center (CCN) to coordinate defenses. The CCN had previously warned about sophisticated persistent threats from Russian actors months before the Ukraine conflict escalated, highlighting systemic vulnerabilities across public and private sectors.
