Together through the storm: How our university withstood the cyberattack

Bert van Iersel (left) and René Wassink from LIS. Photo: Bart van Overbeeke
The cyberattack that struck our university on January 11, 2025, was repelled through quick and vigilant action. The decision to disconnect all internal and external network connections that night significantly impacted our entire community. While our university has returned to normal operations over the past few months, the aftermath resonates within parts of our community. This is the story of the cyberattack through the eyes of seventeen involved members of TU/e: from IT specialists to educational support staff, from students to professors, from planners to communication professionals, and from researchers to administrators.

This production was written by corporate storyteller Brigit Span.

How it started

Saturday evening, January 11, 10.15 p.m.

René Wassink, responsible for infrastructure, platforms, and security at Library and Information Services (LIS), is watching a TV series about a cyberattack on the London Underground when he receives a WhatsApp message: ‘Our monitoring system has detected unusual activity in our online systems - we’re looking into it now.’

This message marked the start of the actions taken in response to what would later evolve into a major cyberattack on our university. René Wassink and Bert van Iersel, deputy director of LIS, reflect on the intense first days when their swift actions prevented a cyber disaster at our university. And during which they, along with their colleagues from LIS, worked tirelessly in shifts to get our community digitally back on track as quickly as possible.

Saturday evening, January 11, 10.25 p.m.

"I quickly received a message from our infrastructure team that something serious was going on," says Wassink. He immediately contacted his LIS colleagues, director Frank Hendrickx, and Bert van Iersel, deputy director and Product Area Lead of Data & Insights, to inform them.

"I was about to go to bed when René messaged me, saying something might be wrong," recalls Bert van Iersel. "I told my wife not to wait up for me. I needed to see how things would unfold, so I sat down at the kitchen table and turned on my laptop."

Thousands of attack attempts per day

Attack attempts on our network are the order of the day for Wassink’s security team. "Our automated systems detect thousands of suspicious activities every day. The system can intervene by not letting people into our system or escalating to us. That happened that evening. Usually, this is a false alarm. I’ve been working at TU/e for two years, and this was the first time we had a major problem," says Wassink.

Wassink: "Our security team was engaged in a battle with the intruders who were trying to break in for a while." Van Iersel adds, "In these hacks, attackers often use leaked login credentials to get in. From there, they attempt to bypass additional layers of security, slowly making their way deeper into the network."

Expanding the team

Later that evening, the team dealing with the cyberattack was expanded within LIS. Along with Wassink and Van Iersel, this included the chief information security officer, the head of the security team, and the person in charge of infrastructure. "Of course, the real work was being done by our security operations team, who were fighting hard to stop the intruders," Wassink adds.

Saturday evening, January 11, 11.45 p.m.

All off

During a status call around 11:45 p.m., the team determined that only one option was left to stop the attack: all network connections had to be shut down to prevent intruders from infiltrating deeper into our online systems.

Wassink and Van Iersel decided that Van Iersel would head to campus, as access to our systems would only be possible from the campus after the shutdown. All remote connections were then completely sealed off to block the hackers. "I live closest, so I was on campus around 12:30 a.m. Shortly after, we shut down all network connections," says Van Iersel.

About two hours after discovering the attack, the university completely isolated its network from the outside world. "Looking back, that first night was intense and even kind of fascinating, though that might sound strange," says Van Iersel.

Low stress

"We were relatively calm," Wassink recalls. "Our team knew exactly what to do because we’d practiced handling these crises. As a result, we also knew exactly who to connect with within TU/e to assemble the crisis teams."

Convene the Central Crisis Team

Van Iersel informed the Executive Board that all network connections were shut down and that the Central Crisis Team (CCT) should meet on Sunday morning. "In the middle of the night, I asked Gijs Spiele (head of Safety and Security) to gather the phone numbers of the CCT members and notify them that we needed to meet at 9 a.m. the next day."

(The story continues below the box.)

‘Everyone rose to the occasion - it truly felt like one team, one TU/e’

Of course, the cause was anything but pleasant, but looking back on the cyber crisis, what remains most of all is a sense of pride, says Patrick Groothuis, Vice President of the Executive Board. During the crisis, he led the Central Crisis Team.


Patrick Groothuis’s initial reaction upon hearing in the middle of the night that hackers had attacked our university is best left off the record. "There are more cyberattacks on TU/e; we monitor that continuously. But now, someone had successfully entered, and we were screwed. That was very frustrating," says Groothuis. "But I immediately understood that our cybersecurity people had made the right and brave decision to pull the plug quickly."

Groothuis knew: "This is more than an IT crisis; this affects our entire community: students, teachers, researchers, and support staff." The Central Crisis Team (CCT) was already put into position that Sunday morning. As chairman of the CCT, Groothuis’s task was to expand the crisis team with the right people in the right roles that were appropriate to the situation. And to bring calm to the entire organization.

"In that first CCT meeting, Sunday at 9 a.m., we tried to get a clear picture of what was happening. The input of our people from LIS was leading. In addition, we assessed who and what we needed to defuse this crisis."

Patrick Groothuis, Vice President TU/e and president of the Central Crisis Team

Gain insight

"The specialists on René’s (Wassink, ed.) security team kept me updated that night on how far the hacker had penetrated our systems," says Van Iersel.

Wassink: "Our main goal was to determine if the intruders had left anything harmful behind. We conducted forensic investigations, and the police did the same. Our primary concern was assessing the potential damage to our systems and data while minimizing the risks to our organization. The police focused on identifying the perpetrators, but they have not been found yet."

Damage control

In the hours and days that followed, a team of about 25 IT experts from LIS worked tirelessly to minimize the damage. Van Iersel explains, "First, we needed to understand what had happened. We couldn’t immediately bring our system back online because we knew nothing about the attacker. There was a risk it could happen again."

"As soon as we understood the situation, we could begin rebuilding and plan to restore our system safely." Van Iersel, as chair of the Crisis Management Team (CMT) at LIS, led discussions that were brief, focused, and structured. Wassink was also a member of the CMT and served as chair of the Crisis Response Team (CRT), the group working on IT solutions.

"In the background, Ivo Jongsma, spokesperson for the Executive Board, worked tirelessly to keep our community informed about the crisis. I worked with Frank Hendrickx to ensure the reports were technically accurate. It required a lot of coordination."

(The story continues below the box.)

‘It was a bit of a moment having to shout that we had a problem’

During the cybercrisis, Ivo Jongsma was partly responsible for our university’s crisis communication. While the media called him incessantly for more information about the cyberattack, his focus in the first week was mainly on informing our community. Soon, he’ll be back at it, as the investigation reports on the cyberattack are expected to be ready by mid-May.

On Sunday morning, January 12th, when Ivo Jongsma’s alarm went off, he saw a series of missed calls and messages on his phone. The university had come under digital attack that night. All networks had been shut down to prevent further damage. A crisis was unfolding, and Jongsma, spokesperson for the Executive Board, was expected at 9 a.m. that morning for the first meeting of the Central Crisis Team (CCT).

The CCT was responsible for managing the crisis and informing the university community about the cyberattack and its consequences. One of the key points to communicate was that classes would not be able to take place the following day.

This was a challenge when the usual communication tools were unavailable: no network, no email, no Teams, no Osiris, Canvas, or Studielink. "The only option was to do it through the media. It was nerve-wracking to loudly announce to the outside world that we had a problem. I remember when I was about to send out I thought: I’m going to the bathroom first because I probably won’t have time to do that again for the next hours."

Solidarity

"On the first day, we worked tirelessly alongside our LIS teams, and in the following days, we stayed late into the night on the 11th floor of Atlas. Breakfast, lunch, and dinner were thoughtfully provided by the Facility Services team, which we truly appreciated," says Van Iersel.

"During those informal moments around the table, we took the time to check in with one another, discussing both the progress we were making and how everyone was coping."

"There was a strong sense of solidarity," confirms Wassink. "We were all working together. My team felt valued knowing their advice was heard and considered in the decision-making process."

Van Iersel adds, "Our LIS helpdesk staff worked closely with ESA and the CEC to address student inquiries through the WhatsApp number that was quickly set up and put into action."

(The story continues below the box.)

Stories from ESA

The top priority after fending off the cyberattack was to get the education system back on track as quickly as possible. In the stories below, these four employees from Education and Student Affairs (ESA) share their experiences of the cyber crisis.


Cloud services

On Wednesday evening, the decision was made to restore access to the cloud services. Wassink explains, "The authentication for those cloud services runs through our data centers, and the connections to them had been disabled. By reactivating them, our community could regain access to online systems like Office 365, Teams, Osiris, and Canvas again. We were confident it would work, and it did."

"You could feel the atmosphere lighten after that," Van Iersel recalls. "By Thursday morning, we had the cloud and SaaS systems (including Office 365, ed.) up and running, and we were all having breakfast together. That’s when René’s team started joking around again. That was a real moment of relief for me."

Restart of education

Next, it was time to bring the local systems and connections back online, including Time Tell, Planon, Version, OnCourse, Oracle, and Lab Servant. To ensure that teaching could resume the following Monday, this had to be done over the weekend.

"We started preparing for it, but also made it clear that we couldn’t guarantee everything would be up and running by the weekend. It was reassuring that our advice was respected. We were given the space to safely reopen the system for our community," says Van Iersel.

By Saturday, a week after the attack, everything was back online. Wassink adds, "That was a tense moment. We had to test and validate the systems. Is everything working? Did anything break during the downtime? We did this with sixty LIS team members in a lecture hall."

Aftercare

Even with all systems back online, the work wasn’t finished. "You need to ensure proper aftercare," says Van Iersel. "A key part of this was addressing the research infrastructure. During the crisis, the focus was on supporting the educational organization. However, the cyberattack also significantly impacted our researchers, as they couldn’t connect with their research setups on our network. We only began addressing that issue afterward."

(The story continues below the box.)

How researchers were affected by the cybercrisis

Sandor Schmikli, Product Area Lead Research at LIS, together with Edwin van den Heuvel, Dean of Mathematics and Computer Science, was responsible for identifying and resolving all the issues the attack caused for researchers. One of those affected was Professor Federico Toschi.



Lessons

Naturally, there are many lessons to be learned from a cybercrisis. Improvements have already been made, such as implementing a new VPN connection with multifactor authentication. The capacity of security services has also been increased to better monitor all activity.

Wassink reflects, "I’ve learned that an organization can be incredibly creative under pressure. In those moments, you realize how quickly you can pivot and work together in crisis mode. Looking back, it was a valuable experience."

Van Iersel adds with satisfaction, "Practicing for situations like this has proven invaluable. If we hadn’t prepared, we might not have had the courage to shut down all network connections that night. The consequences for our university could have been far worse."

Reports

By mid-May, the external reports on the cyberattack will be finalized. FOX-IT, a cybersecurity agency that supported our university during the crisis, conducted a forensic investigation. Additionally, COT, the Institute for Security and Crisis Management, is evaluating the performance of our crisis organization. "We’ll also be sharing these findings with the public," says Van Iersel. "This way, not only we, but others too can learn from our experiences."


Ongoing race

The two are under no illusion that more attacks won’t come in the future. Van Iersel says, "It’s an ongoing race between security experts and hackers, a rat race to see who can act fastest. They may have beaten us once, but that has given us invaluable insights to make improvements. An attack won’t succeed the same way again."

"Information security is also about people. If you don’t handle your login credentials properly and reuse your passwords, you risk having your data exposed and misused," warns Wassink.

Loopholes

"I hope that now more than ever, people understand that they are responsible for both their own and our university’s online security. If you create backdoors or share passwords within a team, you’re essentially opening the doors to our university for those who shouldn’t be here and have malicious intentions."

"We’re more vigilant than ever and have implemented additional security measures. We’re monitoring everything more closely and accelerating our improvement processes. I’m confident that our university is on track for a safe and secure future," Wassink concludes.