Cyber Incident Victim: Hogeschool VIVES
Date: Mar 2022
Location: Belgium
Summary
Hogeschool VIVES experienced a cyberattack in which hackers attempted to infiltrate its systems using a student's password, then escalated to an attempt to install software capable of compromising password management systems. The institution preemptively shut down affected systems, including email and SharePoint, to prevent data theft, successfully safeguarding student and faculty information. While core academic platforms like Toledo remained operational, the disruptions prompted collaboration with KU Leuven and external experts to investigate and to mandate password resets via the itsme authentication system. The attack, attributed to professional hackers likely seeking extortion, caused temporary service outages but no confirmed data compromise.
Description
The Hogeschool VIVES cyber incident began on March 17, 2022, when attackers first attempted to infiltrate the institution's systems using a compromised student password. IT personnel detected these unauthorized access attempts and initially prevented successful breaches. The situation escalated dramatically on April 8 at approximately 1:00 AM, when the threat actors attempted to deploy specialized software designed to compromise the password management system controlling institutional data. General Director Joris Hindryckx authorized immediate system-wide lockdown measures within minutes of this detection, preventing data exfiltration. Forensic analysis revealed the attackers had penetrated the "control tower" of VIVES' data systems, indicating significant network access prior to containment. The hackers exhibited sophisticated tradecraft consistent with professional cybercriminal operations rather than amateur activity.

System disruptions commenced immediately following the April 8 containment actions, with email services and SharePoint platforms becoming inaccessible. These outages affected faculty access to teaching materials stored on SharePoint, though the Toledo learning management system (shared with KU Leuven) remained operational for student course materials. The timing during academic vacation minimized educational disruption, though students lost access to institutional email accounts. Response teams from VIVES IT, external cybersecurity specialists, and KU Leuven collaborators initiated password resets for all users, contacting students through personal email addresses on file. The institution mandated use of Belgium's "itsme" identity verification system during credential resets as an additional security measure. While no data compromise occurred, systems remained offline pending comprehensive security validation due to concerns about persistent attacker attempts. Institutional leadership publicly characterized the incident as likely ransomware-related, though no explicit ransom demands were disclosed in available reporting.
