Cyber Incident Victim: Thomas More Hogeschool
Date: Sep 2023
Location: Belgium
Summary
Thomas More Hogeschool was the victim of a DDoS cyber attack that overloaded its computer systems. The attack did not result in any data being stolen and caused minimal disruption to students. The school's security systems functioned correctly, preventing any hacking and allowing for a swift return to normal operations. Thomas More Hogeschool is filing a complaint with the police to investigate the perpetrators.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around September 1, 2023, Thomas More Hogeschool, an educational institution with campuses in Antwerp, Mechelen, and the Kempen region, fell victim to a significant cyber incident. The attack was identified as a Distributed Denial-of-Service (DDoS) attack, a specific type of cyber assault designed to overwhelm and disrupt the normal functioning of an organization's digital infrastructure. According to Frederik Van den Bril, a spokesperson for the school, the incident did not involve traditional hacking or a ransomware demand, which distinguishes it from other types of cyberattacks that focus on data theft or extortion. The primary mechanism of this attack was the deliberate overloading of the school's computer systems with an immense and unsustainable volume of traffic. Van den Bril provided an illustrative analogy, comparing the school's network to a highway with two lanes suddenly being forced to accommodate the traffic flow of twenty lanes simultaneously. This massive influx of data was intended to create a bottleneck, rendering the systems incapable of processing legitimate requests and causing them to become unresponsive.

The immediate effect of this orchestrated overloading was that Thomas More Hogeschool's computer systems were forced offline for a period of time. The core objective behind such a DDoS attack is typically to weaken the existing security measures of the targeted system. By consuming all available bandwidth and server resources, the attackers aim to create a vulnerability or an opening that could potentially be exploited for a secondary intrusion. In this case, the goal was to compromise the integrity of the network's defenses to gain unauthorized access to internal systems and data. However, the school's IT department reported that their security systems performed effectively under this duress. The defensive measures in place were successful in preventing the attackers from achieving their ultimate goal of breaching the system's security perimeter. No data was exfiltrated, stolen, or compromised during the incident, and no unauthorized access to sensitive information was obtained.

Despite the systems being temporarily incapacitated, the impact on the academic operations of Thomas More Hogeschool was remarkably minimal. The spokesperson emphasized that the students experienced very little disruption as a direct result of the cyberattack. Crucially, all scheduled classes were able to proceed as planned without significant interruption or cancellation. This suggests that the IT infrastructure supporting core educational functions, such as in-person teaching and learning activities, was either resilient to the attack or restored to operational status quickly enough to avoid a major impact on the school day. The rapid recovery and lack of operational hindrance indicate a level of preparedness and effective incident response on the part of the institution's IT service team. Their efforts ensured that the educational process was largely insulated from the technical disruption occurring within the network.

In the aftermath of the incident, the leadership of Thomas More Hogeschool made the decision to pursue legal action. The school formally filed a complaint with the police authorities. This step was taken to initiate an official investigation into the origins of the attack with the purpose of identifying the perpetrators responsible for orchestrating the DDoS campaign. Filing a police report is a standard procedure following a cybercrime, as it allows law enforcement to document the event, collect evidence, and potentially attribute the attack to specific individuals or groups. The school's decision to involve the police underscores the seriousness with which they treated the incident, despite the limited success of the attack and the absence of data loss. It reflects a commitment to holding malicious actors accountable and contributing to broader efforts to combat cybercrime.

The incident at Thomas More Hogeschool serves as a clear example of a DDoS attack, a prevalent form of cyber threat faced by organizations worldwide. This type of attack focuses on disruption and availability rather than on the confidentiality or integrity of data. The fact that the school's security systems thwarted a deeper intrusion highlights the importance of robust and multi-layered cybersecurity defenses that can withstand initial assault vectors. The minimal disruption to students suggests that the institution's business continuity or disaster recovery plans were effective, allowing normal operations to continue with little to no downtime. The event concluded without any financial ransom being paid and without the theft of personal or institutional data, marking it as an unsuccessful attack from the perspective of the threat actors but a valuable incident for the school's cybersecurity posture and response protocols.
