Munster Technological University is being blackmailed and held to ransom by a group of hackers believed to be based either in Russia or in part of the former Soviet Union, the High Court has heard.
The cyberattack on MTU’s IT system, which was detected in recent days, is believed to have been carried out by individuals in a ransomware group known as ALPHV aka Blackcat or NOBERUS, the court heard.
MTU, which was formed in 2021 by the merger of CIT and IT Tralee, claims that those suspected of carrying out the attack are understood to be former members of the ‘REvil’ ransomware group, which in 2022 attacked a supplier of Apple and was proven to be based in Russia.
Mr Justice Garrett Simons heard that the college received a ransom note demanding a significant amount of money, failing which confidential information about the university’s staff and students, which the attackers claim to have obtained from MTU’s IT systems, will be published.
MTU will not be paying any ransom, the court heard.
While the college does not know at this stage the full extent to which the group may have obtained its data, it is very concerned about the attackers’ threat to publish any material that may have been taken from the college’s computer system.
If the money is not paid, the attackers have threatened to sell and/or publish confidential information and data about the college’s staff and students allegedly obtained from MTU’s IT system.
The exact figure demanded by the attackers was not disclosed in open court.
As a result, MTU, represented by Imogen McGrath SC, with Stephen Walsh BL, instructed by Arthur Cox solicitors, obtained an emergency temporary injunction preventing the currently unknown persons behind the attack, and anyone else who has knowledge of the order, from publishing, making available to the public, or sharing any of the university’s confidential material.
The order also requires the defendants or any other person in possession of the confidential data to hand over any such material they may have to MTU.
Seeking the orders, Ms McGrath said that the college’s operations and services to its 18,000 students have been significantly disrupted as a result of the attack.
The injunction has been sought in order to protect MTU students and staff’s personal data and prevent Blackcat and anyone else from taking advantage of the breach of its IT system, and from breaching any property and privacy rights of those whose data may be affected.
Investigations by experts into suspicious activities that were first detected in MTU’s IT system on Sunday February 5 last are continuing, counsel said.
However, MTU is concerned that data, including personal data, financial information, and confidential and commercially sensitive data of its students, employees and third parties, may have been accessed and extracted by those behind the attack.
Counsel said that an encrypted ransom note was uncovered by MTU’s IT team. The note contained a link which was followed by the National Cyber Security Centre.
Counsel said that a page on the ‘Darkweb’ – a collection of websites that can only be accessed by a specific browser – was located where the ransom demands were outlined.
The demand was placed by Blackcat, and it sought payment of a specific sum by 11.45pm on Friday. If the money was not paid, Blackcat threatened to publish the data it claims to have obtained from MTU.
It was clear that the intention of those behind the attack was to “blackmail and extort MTU,” counsel said.
The attackers’ actions to date have caused substantial reputational and financial loss to the college, counsel said.
While nothing has been published to date, MTU was concerned that unless it obtained the order from the High Court there was a serious risk that the material will be published online.
Granting the orders, Mr Justice Simons said that he was satisfied this was a case where an injunction should be granted on an ex-parte basis, where only one side was present in court.
The judge added that he was further satisfied to make orders allowing MTU’s lawyers to serve notice of the court’s order on the parties believed to be behind the cyberattack via the Darknet page where the ransom note was posted.
The matter will return before the court later this month.