Cyber Incident Victim: Heinrich-Heine-Universität Düsseldorf
Date: May 2023
Location: Germany
Summary
Heinrich-Heine-Universität Düsseldorf (HHU) suffered a cyber incident in which attackers compromised specific email accounts and exfiltrated their entire contents. The stolen email data, which included personal information, was subsequently used in widespread phishing campaigns targeting the accounts' internal and external contacts. The university's other IT systems remained operational throughout the event. The security gap was closed upon discovery, and the incident was reported to law enforcement and the data protection authority.
Description
On or around April 25, 2023, Heinrich Heine University Düsseldorf (HHU) suffered a security incident. The attack targeted specific email accounts within the university's system: the official mailboxes for four email addresses, including their aliases. The attackers successfully infiltrated these accounts and exfiltrated their contents. A subsequent forensic investigation of the email system determined that the threat actors had likely downloaded the entirety of the emails contained within these mailboxes. This data theft encompassed every email that had been sent to or from these addresses on or before May 25, 2023.

The full scope of the incident became clearer in the following weeks. The primary impact was the theft of sensitive communications. The stolen emails contained a variety of information, including, in part, personally identifiable data from correspondence with individuals both inside and outside the university. The integrity of the broader HHU IT infrastructure was not compromised at any point during or after the attack; the university's core systems and services remained operational and unaffected. The breach was isolated to the specified email accounts, and there was no wider disruption to the university's academic or administrative functions.
The university's response began immediately upon discovery of the breach. The vulnerability the attackers had exploited to gain access to the email accounts was identified and closed without delay, securing the systems against further unauthorized access via the same method. This containment measure, however, could not undo the exfiltration: the data was already in the possession of the attackers. Following internal protocols, HHU filed an official criminal complaint with law enforcement to report the cybercrime. In addition to the criminal complaint, the university complied with data protection regulations by reporting the entire incident to the relevant supervisory authority for data protection.
The threat actors began actively weaponizing the stolen data in late June 2023. The exfiltrated email contents were used in widespread phishing campaigns targeting the contacts of the compromised mailboxes. These phishing attempts were directed at individuals both within the HHU community and at external partners who had previously corresponded with the affected email addresses. The phishing emails reused authentic content from the stolen communications to appear more credible, increasing the likelihood that recipients would be deceived.
The university publicly disclosed the incident on its website on May 1, 2023, to inform potential victims and mitigate the risk posed by the subsequent phishing campaigns. The announcement served as a direct warning to all individuals and organizations that had engaged in email correspondence with the compromised accounts on or before the cutoff date of May 25, 2023. The university's communication stated that it must be assumed that all emails and data from communications with those mailboxes were in the possession of unknown third parties. It also alerted the public to the increased circulation of phishing emails that used content from the stolen messages.
HHU was transparent about the limits of its knowledge regarding the attack. The public statement confirmed that the university had no further information on the identity of the attackers responsible for the breach, and that all information available to the personnel responsible for IT security at HHU was contained in the initial disclosure. The university established a dedicated point of contact, directing individuals with questions to the HHU Information Security Officer via a specified email address. It committed to publishing updated notifications on the official HHU website, the intranet, and official bulletins should any new findings emerge from the ongoing investigation. The incident highlights the ongoing cybersecurity challenges faced by academic institutions and the specific threat posed by targeted attacks on communication systems that harvest data for secondary offensive operations.
