Tackling the aftermath of the cyberattack for researchers
![Sandor Schmikli. Photo: Bart van Overbeeke](https://assets.w3.tue.nl/w/fileadmin/_processed_/d/2/csm_BvOF_2025_0331_0869%20license%20TUe%20Sandor%20Schmikli_d3f90c6704.jpg)
Shutting down all server connections to and from our university was a necessary step to prevent further damage during the cyber attack. This decision also had a significant impact on our researchers. Sandor Schmikli of LIS, together with Edwin van den Heuvel, Dean of Mathematics and Computer Science, was responsible for identifying and resolving all issues caused by the attack. Around fifty 'special' cases landed on their plate.
“Everyone experienced the cyber attack differently and faced their own challenges,” says Sandor Schmikli, who is responsible for research at LIS. His role encompasses Research IT Consultancy, the data stewards, the Supercomputing Center, and the Research Data Infrastructure Lab. “At first, no researcher could access their files or data stored on servers through the internal network, and there was no way to connect remotely to laboratory equipment, for example.”
“It soon became clear that some researchers were under immense time pressure. They had deadlines for funding applications with NWO or the EU in Brussels, or needed to submit a publication. If you can’t access your work in such moments, it's extremely stressful.”
Supercomputers sitting idle
Another problem that needed solving was the inability to perform heavy computations on supercomputers outside the university, such as those at SURF or in a research cloud. This remained impossible for several weeks. “To run those calculations using external software, you need a license. But that license server is located here at TU/e—and it was unreachable from outside the network.”
Black box
That was the context in which Dean Edwin van den Heuvel of Mathematics and Computer Science, along with Schmikli, had to operate in the aftermath of the cyberattack. “Fortunately, about 95 percent of the researchers were able to resume their work fairly quickly once we reconnected to the servers,” Van den Heuvel says.
“When we came back online, it was a real black box for us—we had no idea where the questions would come from,” says Schmikli. “Over the years, departments have purchased and installed systems that LIS wasn’t fully aware of. That means we couldn’t warn people that their work might be disrupted on those systems. And we also had no way of knowing whether they needed help to resolve the issue.”
“This attack has once again highlighted how important it is to know what equipment is actually on campus. That's why we’re conducting a thorough inventory of what is located where and what its function is — so that we can better assess the impact of a potential new attack.”
Tighter rules
As servers and systems came back online, the university’s IT policy was tightened. One concrete example was the accelerated rollout of a new VPN connection with two-factor authentication.
“There’s still an incredible amount of old equipment in the labs,” Schmikli explains. “Take microscopes from 2005. They still work just fine, but they only communicate with a Windows XP machine using outdated protocols—and that’s not secure. That’s why our security department has decided we will no longer support those protocols on our network, and they are being disconnected.”
“And suddenly you’re dealing with a huge amount of valuable equipment that won't work anymore,” says Schmikli. “It was a major task to find solutions for that. We brought together people from LIS and the departments who could contribute solutions to this problem, and within the first few weeks, most of the issues were resolved.”
'Special cases'
Around fifty 'special cases' surfaced: systems that could no longer meet the tightened rules and requirements. These became the focus for Schmikli and Van den Heuvel. “They needed extra attention and support.”
Key players in identifying the issues and helping to resolve them were the research IT consultants from LIS who work within the departments. “They know exactly what’s going on within the research groups. They mapped out the difficult cases and had conversations with researchers. They were our most important link to the research community.”
“The research IT consultants at the departments were our most important link to the research community.”
Sandor Schmikli, Area Lead Research at LIS
Since mid-March, almost all issues have been resolved, and any new problems that arise are now being addressed through the regular processes at LIS. After bringing the servers back online, LIS worked tirelessly for about four weeks to resolve most problems.
Quick response
“An attack like this reveals your internal vulnerabilities. It demands a lot from our organization—our people worked day and night in shifts to resolve everything. We need to think critically about how to make our organization more robust and flexible in the face of future attacks.”
Looking back, Schmikli believes we narrowly escaped disaster during the cyberattack. “We were fortunate that people stayed alert and acted quickly; otherwise, things could have been much worse.”