Cyber Incident Victim: Universität Graz
Date: Feb 2023
Location: Austria
Summary
The Universität Graz experienced a cyberattack in which unauthorized actors gained access to its IT systems via a compromised student account. The intrusion was detected during a routine security check, prompting immediate containment measures including network segmentation, system shutdowns, and activation of multi-factor authentication (MFA) for critical services. External cybersecurity experts assisted in forensic analysis and mitigation, confirming the attack vector while preventing further malicious activities like potential data encryption. Core academic operations remained functional with VPN and MFA requirements for off-campus access, though temporary disruptions affected student file services and telephony systems. No ransomware demands or leaked data were reported, but investigations into potential data exfiltration continued. The university emphasized enhanced security protocols, including MFA adoption by over 24,500 users, to restore and stabilize its network.
Description
The Universität Graz detected unauthorized access to its IT systems during a routine security check on February 3, 2023. External IT forensic experts were immediately engaged to analyze the breach, and authorities were notified for criminal investigation. Initial disruptions included the unavailability of the student file service and anticipated telephone system impairments starting February 6. The intrusion originated from a foreign IP address via a compromised student account, though the exact initial entry point remained under investigation. Attackers deployed malware intended to infect the entire network, but the university’s intrusion detection system identified the threat within hours. Critical containment measures included isolating backup systems to preserve data integrity, erecting virtual network boundaries to restrict attacker movement, and gradually shutting down hundreds of IT services over the ensuing weekend.

By February 7, core IT functions had been restored with minor restrictions, though forensic analysis of individual systems continued. The university implemented mandatory multi-factor authentication (MFA) for all off-campus access to UNIGRAZonline, email, and other platforms via VPN, extending the course registration deadline to February 22 to accommodate security adjustments. As of February 10, investigators confirmed the attack vector and reactivated major systems with enhanced MFA protections resembling online banking security. No ransomware demands or data leaks on dark web markets were observed, though data exfiltration could not be ruled out; any stolen data was believed to be encrypted. Collaborative efforts with cybersecurity firm Grant Thornton Austria and K-Businesscom neutralized subsequent attacker countermeasures after initial containment. By February 23, 21,069 students and 3,452 staff had adopted MFA, and course registration concluded without disruption. The university reported blocking 7.3 million phishing emails and 385,000 intrusion attempts in January 2023 alone, underscoring persistent threats despite robust defenses including advanced malware detection and network monitoring.
