Cyber Incident Victim: Hochschule Hannover
Date: Oct 2023
Location: Germany
Summary
A ransomware attack disrupted Hochschule Hannover's IT infrastructure, prompting precautionary shutdowns of central systems to limit damage. Email services and phone access were severely limited, while centrally stored files and Single Sign-On-dependent platforms like Moodle became inaccessible; Microsoft Teams and Zoom accounts remained functional. Student enrollment and examination data remained unaffected but temporarily unreachable. External cybersecurity experts are investigating whether data exfiltration occurred alongside partial encryption. The institution established a crisis team, notified state criminal and data protection authorities, and prioritized restoring core user access. An interim email system is being prepared, with critical updates and FAQs published on the website for students, staff, and applicants during recovery.
Description
On October 30, 2023, the central IT department of Hochschule Hannover (HsH) detected unusual activity within its IT systems, prompting an immediate investigation. Signs of a ransomware attack (identified as a "Verschlüsselungstrojaner") were confirmed, leading to the precautionary shutdown of large portions of the university's IT infrastructure to contain further damage. This action resulted in a total loss of email functionality and severely restricted telephone availability across the institution. Centralized file storage systems became inaccessible, preventing staff and students from retrieving stored data. While Microsoft Teams and Zoom user accounts remained operational, all systems relying on HsH’s Single Sign-On (SSO) portal, including critical platforms like Moodle (the learning management system) and the Academic Cloud, were rendered unavailable. Student enrollment and examination records, stored separately, were confirmed to be unaffected by the encryption attack, though access to these records remained temporarily blocked due to the broader system outages.

The university initiated a coordinated response, establishing a crisis management team under the direction of its executive board (Präsidium). External cybersecurity experts were engaged to analyze the attack’s origin, scope, and methodology, though investigators could not immediately determine whether data exfiltration had occurred alongside the ransomware’s file-encryption activities. Authorities including the Lower Saxony State Criminal Police Office (Landeskriminalamt Niedersachsen) and the State Commissioner for Data Protection were formally notified of the breach. HsH directed all students, faculty, and staff to monitor its primary website for real-time updates, as traditional communication channels like email remained offline. The institution prioritized restoring central user account access, promising imminent instructions for credential recovery, and committed to deploying an alternative email system as an interim solution. Frequent updates and FAQs addressing operational disruptions for students, employees, and applicants were published directly to the HsH website to mitigate confusion during the recovery phase.
