
Cyber Incident Victim: Technische Universität Berlin

Date: Apr 2021

Location: Germany

Summary

Technische Universität Berlin experienced a disruptive cyberattack targeting its Windows environment, resulting in system-wide outages and encrypted files indicative of ransomware. Critical services including email, tubCloud, and SAP applications were intentionally shut down to contain the incident, remaining unavailable for an extended period while response efforts focused on damage mitigation, source identification, and protective measures. Users faced widespread service disruptions, though no additional actions were required from them. The institution had previously repelled multiple attacks exploiting Remote Desktop Protocol vulnerabilities, contrasting with this successful compromise that significantly impacted operations.


Description

On April 30, 2021, Technische Universität Berlin (TU Berlin) experienced a significant cyberattack targeting its Windows environment, leading to widespread system disruptions. The attack, characterized by the presence of encrypted files, prompted the university to proactively shut down multiple critical IT systems to contain further damage. Affected services included the Exchange email server, tubCloud (a cloud storage platform), and SAP applications, rendering them inaccessible to users. While the full scope of the attack remained unclear at the initial stage, TU Berlin confirmed the incident was under active investigation to determine its origin and impact. The university’s IT teams worked intensively to isolate compromised systems, analyze the attack vector, and implement additional protective measures. Users across TU Berlin’s campuses in Berlin, Egypt, and other international offices experienced restricted access to numerous services, with the institution advising the community to expect prolonged outages through the weekend. Regular updates were promised via the university’s communication channels, though no immediate remedial actions were required from students or staff. As of May 1, 2021, systems remained offline as recovery efforts continued.


This incident followed a series of prior cyberattacks against TU Berlin in 2020, which the university had successfully repelled. Those earlier attacks exploited vulnerabilities in Microsoft’s Remote Desktop Protocol (RDP), a service enabling external access to computers, though VPN connections were noted as unaffected by the same security flaw. Concurrently, the broader Berlin-Brandenburg educational infrastructure faced unrelated disruptions, including repeated attacks on the Brandenburg school cloud that overwhelmed servers with excessive traffic. While the April 2021 attack on TU Berlin shared similarities with ransomware due to file encryption, the university did not explicitly confirm ransomware as the cause or disclose whether data exfiltration occurred. The disruption hindered administrative and academic operations reliant on email, cloud storage, and SAP systems, underscoring the persistent targeting of educational institutions in the region. TU Berlin’s response prioritized containment, forensic analysis, and gradual restoration of services while maintaining transparency through periodic status reports.
