Cyber Incident Victim: Instituto Politécnico de Leiria

Date:

May 2023

Location:

Portugal

Summary

The Instituto Politécnico de Leiria was a victim of a ransomware attack attributed to the Akira variant. The incident, which prompted an investigation by national cybersecurity authorities, encrypted files and led to claims by the group that they had stolen sensitive institutional data. The institution stated no ransom demand had been formally received and no evidence of stolen student or operational data had yet been detected, though concerns were raised within the student community.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around May 2, 2023, the Instituto Politécnico de Leiria (IPL) was the victim of a cyberattack. The attack was identified as a ransomware incident involving the Akira variant. Ransomware of this kind encrypts the files on compromised systems and then demands a ransom payment in exchange for restoring access. The attack was investigated by the Centro Nacional de Cibersegurança (CNCS) and the Polícia Judiciária (PJ). The CNCS officially confirmed that the IPL was the victim of a ransomware attack involving the Akira variant and noted that recovery work was underway and expected to be completed soon. The investigation was conducted in coordination with the PJ.

A group associated with the Akira ransomware strain claimed responsibility for the attack on a page within the dark web. This group identified the Instituto Politécnico de Leiria as one of its victims. Their claim was initially shared by Falcon Feeds, a platform that monitors content on the dark web. The group's dark web post alleged that they had obtained sensitive data from the educational institution following the attack. In their update regarding the IPL data, the criminals noted they would share the data once they were certain "that the organization no longer cares about it." The publication from the Falcon Feeds team on Twitter about the IPL data appearing on Akira's dark web page caused concern among the institution's students, who complained about a lack of communication and feared their personal data had been compromised.

The Instituto Politécnico de Leiria issued a statement to its students and the media. In this communication, the institution stated that no evidence had yet been detected indicating that any sensitive information had been stolen, either relating to the student community or concerning the functioning of the institution's services. The IPL also stated that, as of the time of the statement, no formal ransom request had been made to them. The Akira ransomware is a recent addition to the ransomware landscape and has been involved in indiscriminate attacks targeting consulting firms, financial institutions, schools, and daycare centers, with most victims located in the United States and Canada. The group behind this variant describes its actions on its dark web page as "unannounced audits" that alert companies to vulnerabilities in their services, stating, "There is a fair price for everything to disappear."

The technical operation of this recent Akira variant involves obtaining Windows domain administrator credentials from its targets. These credentials are often acquired through phishing, a social engineering tactic in which attackers use fraudulent emails to trick users into handing over their login details. Once administrative credentials are in hand, the attackers encrypt the data on the victim's systems and demand a ransom for its decryption. Cybersecurity experts from Technisanct, the company behind the Falcon Feeds platform, noted that the strategy of the group claiming these attacks is to publicly name its victims in order to create public pressure on them to pay. Regarding the authenticity of such claims, they explained that criminals often bluff, and that a significant percentage of these public assertions are never backed up by the publication of sample data or other proof. At the time of reporting, no data from the attack on the IPL was circulating on the supposed attackers' page, and it was expected to take several days to see whether any samples would be published. The impact of the incident led to recovery operations by the institution, with investigative support from national cybersecurity and law enforcement authorities.

Sources: 1 source (available to members)