
Cyber Incident Victim: Auckland University of Technology

Date: Aug 2023

Location: New Zealand

Summary

A ransomware gang called Monti claimed responsibility for a cyberattack against Auckland University of Technology, stating they stole 60GB of data. The university confirmed the security incident and took immediate action to isolate affected servers. Operations and teaching continued with minimal disruption. External cybersecurity experts were engaged to assist with the investigation, which was reported to New Zealand's National Cyber Security Centre and the Office of the Privacy Commissioner.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around August 31, 2023, the Auckland University of Technology (AUT), New Zealand's third-largest university serving over 29,000 students, experienced a significant cybersecurity incident involving unauthorized access to its IT environment by an unknown third party. The university confirmed the incident publicly on the afternoon of September 1, stating that immediate action was taken to contain and isolate potentially affected servers. Additional security measures were implemented in the hours following the initial detection of the breach. Despite the attack, normal university operations and teaching continued both on campus and online, with the institution reporting that disruption to its services had been minimal. Leading external cybersecurity and forensic IT experts were engaged to assist with incident management and to conduct a thorough investigation, which the university acknowledged might take some time to complete.


The ransomware gang known as Monti claimed responsibility for the attack. The group publicly stated it had successfully stolen 60 gigabytes of data from the university's systems. Monti threatened to dump this stolen data online, setting a deadline of October 9 for the university to pay an undisclosed ransom. The emergence of this threat actor added a layer of urgency to the incident, leaving the prospect of data exposure hanging over students, staff, and other individuals associated with the university. In accordance with standard breach response protocols, AUT formally notified the Office of the Privacy Commissioner of the incident on August 31, the day before its public confirmation. A spokesperson for the Privacy Commissioner noted that the office's initial focus was to provide advice on how to minimize the harm caused by such a breach, while also stating that a full investigation would be needed to ascertain the complete size and scope of the incident.

The Monti ransomware gang is a group that first emerged in June 2022, approximately one year prior to the attack on AUT. Security researchers, including Emsisoft threat analyst Brett Callow and Recorded Future ransomware expert Allan Liska, have noted that the group's name appears to be a nod to the notorious Conti ransomware gang, which is associated with Russian criminals and was known for its damaging attacks. Furthermore, technical analysis revealed that Monti's ransomware code was initially very similar to, and based upon, the leaked source code from the Conti group. This connection is significant because the Conti group's source code became publicly available after the group disbanded, which occurred following its public expression of support for Russia's invasion of Ukraine. This availability of code has allowed other threat actors to create what researchers term "Franken-ransomware," built from stolen components of other malware.

Following its initial activities, the Monti gang underwent a period of development and refinement. After a two-month hiatus, the group restarted its operations and had added at least 13 apparent victims from the legal, financial services, and healthcare sectors to its data leak site prior to the attack on AUT. The group had also rewritten its ransomware code and developed a Linux variant, indicating an evolution in its capabilities beyond simply reusing the leaked Conti code. Despite these advancements, ransomware experts categorized Monti as a "3rd or 4th tier" group within the cybercriminal ecosystem. However, as those experts noted, even groups of this lower tier can inflict serious damage on targeted organizations, as the breach at the university demonstrates.

The historical context of the threat group responsible for this attack is particularly relevant to New Zealand. The Conti ransomware gang, which Monti imitates, was responsible for a devastating attack on the Waikato District Health Board IT systems in 2021. That attack crippled the computer and phone systems at hospitals in Waikato, Thames, Tokoroa, Te Kuiti, and Taumarunui, and was described by the hospital's chief executive at the time as "probably the biggest cyberattack in New Zealand's history." This precedent underscores the potential severity of ransomware attacks launched by groups operating with Conti's tactics and code, even if they are considered less sophisticated successors or imitators.

The incident at AUT was not an isolated event in the New Zealand cybersecurity landscape. In December of the previous year, a separate ransomware attack targeted Mercury IT, a widely used managed service provider (MSP) in the country. That attack caused widespread disruption, affecting dozens of organizations across New Zealand, including several government departments and public authorities. The attack on a major educational institution like AUT further highlights the persistent targeting of critical sectors within New Zealand, including healthcare, government, and now education, by cybercriminal entities.

The university's response followed established best practices for such incidents. By immediately working to contain the breach and isolate affected systems, AUT aimed to prevent the lateral movement of the threat actors within its network and limit the overall impact of the intrusion. The engagement of external cybersecurity and forensic experts is a standard procedure to ensure an independent and technically proficient investigation can determine the root cause, the extent of the data exfiltration, and the specific vulnerabilities exploited. Furthermore, reporting the incident to New Zealand’s National Cyber Security Centre demonstrates coordination with national authorities responsible for defending critical infrastructure and responding to significant cyber events.

The core of the incident revolves around the data theft claim made by the Monti gang. The threatened release of 60 gigabytes of data poses a significant risk of privacy harm to the individuals whose information was contained within the stolen files. The university, in partnership with forensic investigators and the Office of the Privacy Commissioner, would be tasked with the complex process of identifying precisely what data was taken and which individuals were affected. This process is often lengthy and meticulous, as it requires forensic analysis of system logs, file access timestamps, and the contents of the data itself to build a complete picture of the compromise.

As the investigation remained ongoing at the time of reporting, the full impact of the data breach had not yet been publicly quantified. The university's statements emphasized the continuity of operations and minimal service disruption, suggesting that the primary immediate impact was to data confidentiality rather than system availability. This stands in contrast to a more destructive ransomware attack in which systems are encrypted and rendered unusable, crippling organizational functions. The Monti group's approach in this instance appeared to focus on data theft and extortion, leveraging the threat of public data release to pressure the institution into paying a ransom. The deadline of October 9 provided a timeline for the potential escalation of the incident, depending on the outcome of the university's investigation and its subsequent decisions regarding the ransom demand.
