Last October, a cyberattack hit the Berlin Natural History Museum and brought research to a standstill. Scientists were left without access to the data and programs required for their work, putting projects on hold and leaving students in limbo. Months later, systems have only just begun to crawl back online.
The museum is not alone. In the past year, cyberattacks have struck several research institutions in Germany and beyond. Most involve ransomware, in which data or systems are locked until a payment is made. The attacks are part of a growing trend at academic institutions worldwide, where they can have devastating effects — delaying research projects, disrupting student enrolment and affecting researchers’ mental health.
So … you’ve been hacked
“In the 13 years I’ve been here, this is by far the most painful thing I have experienced,” says Johannes Vogel, director-general of the Berlin Natural History Museum, which conducts research in a wide range of fields including palaeontology, geology and genetics. “The attack is an ongoing challenge.”
In the past few years, cyberattacks have hit institutions including the British Library in London, the University of Manchester, UK, Carnegie Mellon University in Pittsburgh, Pennsylvania, and Stanford University in California.
Cleaning up after such an attack can be arduous. To contain the damage from the ransomware attack, which, according to a criminal investigation by German authorities, came from a group of Russian hackers, the Berlin museum took its entire system offline. As a result, the museum’s roughly 450 employees lost access to e-mail and other digital services. For researchers, this meant being unable to access data and specialized programs required for their work. In addition, data — including some personal information from visitors — were stolen by the attackers. Although the museum was able to stay open by outsourcing parts of visitor services and administration, most of its research was put on hold. In the months since the attack, the museum has been working with cybersecurity experts to clean up and rebuild the digital infrastructure. Information-technology services might not be completely restored until the end of the year, says Vogel.
Severed connection
It was a February morning at the Berlin University of Applied Sciences and Technology, (BHT) when staff received red alerts informing them that digital services were shutting down. The university had been hit with a ransomware attack from Akira — a well-known hacker group that, as of this January, claimed roughly US$42 million from attacks on more than 250 organizations. In response, the university shut down all its servers and severed its connection to the Internet.
The shutdown meant that professors and students were completely locked out of digital services — and those who could continue their work remotely did so off-site, according to Peter Tröger, head of the computer and information-systems laboratory at BHT. The loss of e-mail was especially difficult, because making appointments, scheduling PhD defences and accessing journals all require a university e-mail address, Tröger says.
The attack also affected student enrolment. Because it occurred in between terms, an estimated 100 or so students couldn’t enroll, and ended up at other universities instead.
Internet connectivity is being re-established in steps, prioritizing services such as payroll and student enrolment. E-mail was restored after a few weeks, but many labs — mostly those heavily reliant on IT — remain partly offline as a team goes into each lab’s digital infrastructure to investigate how it was affected by the attack, and whether its security measures are up to date. “There’s a long waiting line,” Tröger says. Without digital services, “people need to find different ways to spend their time in a reasonable and useful manner”.
The Helmholtz Centre for Materials and Energy in Berlin, a materials-research institute, experienced a cyberattack last June. This delayed many projects by anything from weeks to months, says Ina Helms, the head of communication at the centre. “Inability to access research software was one of the factors that caused many projects to experience delays,” she says.
For students, losing the ability to work is especially disruptive. The cyberattack has affected projects at the Berlin Natural History Museum to varying degrees — some researchers were able to focus on literature reviews or work on external computers. Others were unable to work at all. Because master’s and doctoral students have a limited time frame in which to conduct work, the disruption meant that many needed to request for extensions from universities, funding bodies and collaborators, according to a group representing early-career researchers at the museum. “Many of the early career scientists were very stressed about the situation,” the representatives said in an e-mail. “It also affected their mental health.”
‘Easy targets’
For hackers, academic institutions are desirable targets for two reasons: some have deep pockets from which to pay a ransom, and they contain valuable data that can be sold such as employee records and intellectual property linked to cutting-edge research, says Harjinder Singh Lallie, a cybersecurity expert at the University of Warwick, UK. “This is why ransomware is such a good attack, because you’ve got two lines of potential monetization.”
Educational institutions are also more likely to have outdated security systems, says Lallie, and their digital infrastructure is more diverse than that of, say, financial institutions, which often use a single operating system and have highly secured computers. At universities, for instance, in addition to the computers in labs and offices, students and staff have personal devices — each of which hackers can use to infiltrate the institution. And the diversity of collaborators and suppliers from outside the university add layers of vulnerability. “The number of possibly entry points we have is quite remarkable,” Lallie says. “All an attacker needs is for one student to have a lousy phone.”
Lallie notes that there are several things institutions can do to protect themselves from an attack. This includes introducing multi-factor authentication for log-ins, securely backing up data and teaching its students and staff about cyberawareness.
For academic institutions, the question now might not be whether they will be attacked — but when. “You’ve got to assume now that your systems are going to be hit with a ransomware attack,” Lallie says. “If you make that assumption, you can prepare to a certain degree to ensure minimal disruption.”