Cyber Incident Victim: Universidad de Zaragoza
Date: May 2023
Location: Spain
Summary
The Universidad de Zaragoza suffered a cyberattack in which at least two VPN user accounts were compromised; the intrusion was detected after an alert from the Spanish Ministry of the Interior. The attack was assessed as a likely LockBit ransomware operation aimed at stealing sensitive data for extortion. No significant service disruption was detected. In response, the institution disabled the compromised accounts, isolated the affected machine, shut down VPN access, reinforced its backup systems, and notified the national cybersecurity authority (CCN) for technical support.
Description
On Wednesday, May 10, 2023, the Spanish Ministry of the Interior alerted the Universidad de Zaragoza to a detected attempt to access the institution's servers. The attack vector was the compromise of at least two user accounts with access to the university's VPN, its remote access portal. The Ministry warned that the perpetrators were likely cybercriminals seeking valuable and potentially compromising data, with the expected objective of demanding a ransom in exchange for not publishing it. On that basis the incident was characterized as an attempted LockBit ransomware attack, an extortion-based operation in which data theft precedes the ransom demand.

Upon receiving the alert, the Universidad de Zaragoza immediately began analyzing and containing the threat. Its first action was to analyze the network traffic that had already occurred, in order to trace the origin of the unauthorized VPN accesses and determine which internal destinations they had reached. This forensic step established the scope of the intrusion. The compromised user accounts were then revoked, cutting off the attackers' initial point of entry, and the specific machine involved in the incident was disconnected from the network so that its contents could be analyzed in isolation and any lateral movement or further damage prevented.
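The triage described above, tracing where compromised VPN accounts came from and what they reached, is the kind of work that starts from the VPN appliance's authentication and session logs. The following is an added example (not the university's tooling, and the log format and all sample records are constructed for illustration): it builds a per-account baseline of source addresses from the days before the alert, flags accounts that authenticated from a source they had never used, highlights a single source address shared by several such accounts (consistent with one operator holding several stolen credentials), and lists the internal hosts each flagged account connected to through the tunnel. Accounts with no baseline history cannot be judged by this heuristic and are returned separately for manual review rather than silently flagged.

```python
"""Triage of VPN authentication and session logs to find compromised accounts.

Added example, not the university's own code. The log format is constructed
for illustration, one event per line:
  <ISO timestamp> <event> user=<name> src=<ip> [dst=<ip:port>]
where event is LOGIN (VPN authentication) or FLOW (a connection made through
the tunnel). Real VPN appliances log differently; adapt parse_line().
"""
from collections import defaultdict
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|FLOW) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: dst=(?P<dst>\S+))?$"
)

# Constructed sample log (not real data): a baseline week, then the alert day.
SAMPLE_LOG = """\
2023-05-03T08:02:11 LOGIN user=alice src=83.45.12.7
2023-05-03T08:05:40 FLOW user=alice src=83.45.12.7 dst=10.20.1.15:443
2023-05-04T09:12:03 LOGIN user=bob src=90.166.3.21
2023-05-04T09:12:50 FLOW user=bob src=90.166.3.21 dst=10.20.1.15:443
2023-05-08T07:55:19 LOGIN user=alice src=83.45.12.7
2023-05-10T02:14:05 LOGIN user=alice src=185.220.101.4
2023-05-10T02:15:30 FLOW user=alice src=185.220.101.4 dst=10.20.5.10:445
2023-05-10T02:16:02 FLOW user=alice src=185.220.101.4 dst=10.20.5.11:3389
2023-05-10T02:20:44 LOGIN user=bob src=185.220.101.4
2023-05-10T02:21:10 FLOW user=bob src=185.220.101.4 dst=10.20.5.10:445
2023-05-10T08:01:00 LOGIN user=carol src=77.210.8.9
2023-05-10T08:03:12 FLOW user=carol src=77.210.8.9 dst=10.20.1.15:443
"""
INCIDENT_START = datetime(2023, 5, 10)  # assumed start of the window under review


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r]


def build_baseline(events, before):
    """Source IPs each user authenticated from strictly before `before`."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN" and e["ts"] < before:
            seen[e["user"]].add(e["src"])
    return seen


def find_suspicious_logins(events, baseline, since):
    """Logins at or after `since` from a source the user never used in the baseline.

    Returns ({user: [new source IPs]}, [users with no baseline at all]).
    Users without history are listed, not flagged: the heuristic cannot judge them.
    """
    new_src, no_history = defaultdict(set), set()
    for e in events:
        if e["event"] != "LOGIN" or e["ts"] < since:
            continue
        known = baseline.get(e["user"])
        if not known:
            no_history.add(e["user"])
        elif e["src"] not in known:
            new_src[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in new_src.items()}, sorted(no_history)


def shared_sources(suspicious):
    """New source IPs used by more than one flagged account."""
    users_by_src = defaultdict(set)
    for user, srcs in suspicious.items():
        for s in srcs:
            users_by_src[s].add(user)
    return {s: sorted(u) for s, u in users_by_src.items() if len(u) > 1}


def destinations_reached(events, users, since):
    """Internal hosts each flagged account connected to through the tunnel."""
    dst = defaultdict(set)
    for e in events:
        if e["event"] == "FLOW" and e["user"] in users and e["ts"] >= since and e["dst"]:
            dst[e["user"]].add(e["dst"])
    return {u: sorted(d) for u, d in dst.items()}


def triage(log_text, incident_start):
    events = parse_log(log_text.splitlines())
    baseline = build_baseline(events, incident_start)
    suspicious, no_history = find_suspicious_logins(events, baseline, incident_start)
    return {
        "suspicious": suspicious,
        "no_history": no_history,
        "shared_sources": shared_sources(suspicious),
        "destinations": destinations_reached(events, set(suspicious), incident_start),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, INCIDENT_START).items():
        print(key, value)
```

On the constructed sample, alice and bob are both flagged for authenticating from 185.220.101.4, which neither had used before and which is shared between them, and their subsequent flows point at SMB (445) and RDP (3389) on internal hosts rather than the web service they normally reached; carol has no baseline and is reported for manual review. A "new source IP" heuristic will also fire on legitimate travel or a changed home connection, so the output is a worklist for the analyst, not an automatic block list; the account revocation and host isolation described in the text follow from confirming the destinations.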
In parallel with these initial containment steps, the university formally activated its incident response procedure for logical (IT) security incidents. This procedure had been drawn up in advance by the university's own IT and communications service and provided a predefined framework for handling such events. As part of this standardized response, the incident was officially notified to the Centro Criptológico Nacional (CCN), Spain's National Cryptologic Center, which is the reference authority for cybersecurity incidents in the public sector. Along with this mandatory notification, the university requested technical support from the CCN to assist in its response.
Throughout the initial response period, the university's investigation did not detect any considerable impact on its prominent services. Despite the serious nature of the attack, critical services including the main website, the virtual teaching platform, email, and electronic administration systems remained operational and unaffected. The university attributed this resilience to the fact that these key services run on Linux servers. That attribution deserves a caveat: LockBit has maintained Linux and VMware ESXi encryptors since at least 2022, so the platform alone does not protect a service; what the university reported is that no impact was detected, not that Linux hosts were out of reach. As a precautionary measure while the investigation continued, the university advised staff to leave their work PCs powered off and disconnected from the network throughout the following weekend.
Following recommendations from the Centro Criptológico Nacional, the Universidad de Zaragoza implemented additional medium-term security measures. The most significant was to close the remote access VPN completely to all users, a decision announced publicly via the university's Twitter account on May 12, 2023. From then on, anyone requiring remote access would have to pass a revised and more stringent review before being granted connectivity, a measure aimed at preventing the misuse of remote access accounts, which had been the initial attack vector. Concurrently, the university reviewed and reinforced its entire data backup system so that recovery capability would be robust and protected, limiting the potential impact of any future encryption or data destruction attempt. The incident response continued with these enhanced security postures in place while monitoring and analysis persisted.
