
Cyber Incident Victim: Munster Technological University

Date: Feb 2023

Location: Ireland

Summary

The ALPHV/BlackCat ransomware group compromised Munster Technological University, exfiltrating over 6GB of sensitive employee and payroll data and forcing the temporary closure of its Cork campuses and the cancellation of classes. The attack disrupted IT services and telephone systems, though core functions like email and finance remained operational through contingency plans. The university found a ransom demand encoded on one server but declined to engage with the attackers, opting instead to restore systems from backups while collaborating with national cybersecurity authorities and law enforcement. The incident caused significant operational delays, required phased recovery efforts, and prompted alerts for affected individuals to monitor for fraudulent activity.


Description

The ALPHV (BlackCat) ransomware gang claimed responsibility for a cyberattack on Munster Technological University (MTU) in Ireland, first detected over the weekend of February 4-5, 2023. MTU announced campus closures on February 6, shuttering its four Cork campuses (Bishopstown, NMCI, Crawford College of Art & Design, Cork School of Music) on February 7-8 to assess the breach. The attack caused significant IT disruptions and telephone outages, with students reporting inaccessibility of learning platforms like Canvas. ALPHV later posted approximately 6GB of stolen data on its dark web site, including highly sensitive employee records and payroll details that posed fraud risks. MTU's IT security systems detected the breach early, though the ransomware had potentially been active within systems for weeks prior. The university confirmed discovering a ransom demand encoded in one server but stated it did not engage with the attackers, relying instead on backups to restore systems. Core administrative functions—including email, HR, finance, and payroll—remained operational throughout the incident due to contingency plans.


MTU collaborated with An Garda Síochána, Ireland’s National Cyber Security Centre (NCSC), the Higher Education Authority, and the Department of Further and Higher Education during its response. A phased reopening of Cork campuses began on February 9, with outdoor facilities initially resuming low-risk activities like sports training. The university warned affected individuals to monitor for suspicious communications and banking activity, directing them to NCSC fraud prevention guidance. Student counseling services were expanded to support welfare concerns. While MTU emphasized its ability to restore systems without paying ransom, recovery efforts prioritized caution to avoid exacerbating damage; officials noted rushing reactivation of thousands of onsite computers could worsen the situation. The incident mirrored broader ransomware trends targeting educational institutions, with cybersecurity experts linking the attack methodology to Russian-affiliated groups. No financial details of the ransom demand were disclosed, and MTU’s investigation into the data leak continued post-recovery.
