
Cyber Incident Victim: Universität Zürich

Date: Feb 2023

Location: Switzerland

Summary

The Universität Zürich experienced a severe cyberattack by professional threat actors employing compromised accounts, distributed-denial-of-service (DDoS) attempts, and other intrusion methods, consistent with a broader pattern of assaults on educational and health institutions in German-speaking regions. The university isolated breached accounts, enhanced access controls, engaged external cybersecurity support, and notified relevant authorities including data protection experts and law enforcement. While attackers temporarily accessed some accounts, no data encryption, exfiltration, or system penetration was confirmed. IT services remained operational with heightened monitoring, though ongoing attacks necessitated password resets and VPN reconfigurations for all users, alongside warnings of potential future service disruptions.


Description

In early February 2023, the Universität Zürich (UZH) experienced a sustained and sophisticated cyberattack attributed to professional threat actors targeting educational and health institutions across German-speaking regions. The attack formed part of a broader pattern: several universities in the area had recently suffered compromises that forced prolonged suspensions of IT services. UZH detected unauthorized attempts to infiltrate its systems through the compromise of multiple individual user accounts and network entry points. The university's IT security teams immediately escalated defensive measures, isolating affected accounts and systems and restricting general access privileges to limit lateral movement. External cybersecurity experts were engaged to assist internal staff in containing the breach. Relevant authorities, including data protection regulators, cantonal police, and partner academic institutions, were notified and collaborated on the response. Preliminary analysis found no evidence that the threat actors had penetrated protected network zones or core systems, and no data exfiltration or encryption was confirmed at this stage. While these containment efforts were under way, UZH kept IT services operational for students and staff, but warned of possible future disruptions given the persistent threat.


The attackers employed multiple intrusion techniques, including distributed denial-of-service (DDoS) attacks aimed at overwhelming infrastructure and credential-based compromises targeting individual accounts. While some unauthorized account accesses occurred, UZH's monitoring systems detected and neutralized these breaches before they could escalate. Kurt Bodenmüller, UZH's media spokesperson, characterized the situation as severe but confirmed all systems remained operational as of February 9, contrasting with other affected universities that had temporarily shut down services. The institution mandated immediate password resets for all users and reconfigured VPN access protocols to eliminate newly identified vulnerabilities. Ongoing attacks intensified over several days, with threat actors continuously probing network defenses through evolving methods. Although ransomware motives were considered plausible given sector trends, no ransom demands or communication from attackers had materialized by the reporting period. UZH prioritized safeguarding sensitive research data and personally identifiable information, maintaining heightened security protocols while acknowledging the likelihood of prolonged attack attempts requiring sustained defensive operations. Service restrictions remained possible as the university's security teams conducted continuous threat assessments to balance functionality against risk mitigation.
