SRH Hochschule Heidelberg

Cyberattack on SRH

SRH Board Member Patrick Mombaur headed the crisis team. He explains how the cyberattack came about, what measures the crisis team took, and what security precautions are necessary to protect against such an attack in the future.

Almost two months after the cyberattack on SRH, most IT systems are running again. Restoring the working environment has taken a lot of effort – not only for the IT staff, but for all employees, who have shown a lot of flexibility in recent weeks. The students have also shown a lot of patience and understanding. SRH Board Member Patrick Mombaur, who headed the crisis team, explains how the cyberattack came about, what measures the crisis team took, and what security precautions are necessary to protect against such an attack in the future.

Mr. Mombaur, on September 19, 2021, SRH became the victim of a cyberattack. What exactly happened?

According to the latest findings, the infrastructure was first penetrated as early as mid-August. Until mid-September, they proceeded in a targeted manner and with criminal energy to broaden their access. They used very professional tools, among other things, to trace user/password combinations and to disguise their activities. On September 19, they had finally gathered enough rights to strike and encrypt our systems in the Karlsruhe data center. Our on-call IT staff were already able to see the full extent of the situation by noon on Sunday, September 19.

How did SRH react to this?

We formed a crisis team on the very same day, consisting of representatives of the Board of Management, Communications, and IT Solutions, as well as external consultants and the managing directors of the affected companies. The crisis team first gained an overview of the situation and took immediate measures to avert greater damage on the one hand, and maintain the ability of the individual companies to work on the other.

What were these measures, specifically?

The attack was primarily directed against our universities and educational institutions; these were the most severely affected. However, we also temporarily took our hospitals and health care companies offline to prevent the hackers from penetrating additional systems and thus causing even more damage. Communication was of course an important issue: We set up emergency addresses and telephone numbers in the first hours after the attack to ensure that our employees as well as our customers could stay in touch. Microsoft Teams – which is cloud-based – as well as our intranet were also important tools that we were able to use for internal communication in the first days and weeks.

You were head of SRH IT Solutions GmbH from 2015 to 2019, you worked in IT for many years before that, and you had already experienced a few cyberattacks. On a scale of 0 to 10, how badly did SRH suffer?

That’s difficult to assess. Other universities and companies have been harmed even more severely. Until this attack, however, I had never experienced an attack so targeted, so professional and so well-prepared over several weeks. The attackers penetrated our systems through multiple computers and prepared their destruction in a very organized manner.

According to a study by Bitkom e.V. (the German Association for Information Technology, Telecommunications and New Media), about three-quarters of the companies surveyed have been victims of a cyberattack in the past two years. Has the danger increased in recent years?

The scope and quality of attacks on companies have increased significantly. Statistics are always a matter of opinion – but in this case, I don’t know of any that indicate the opposite. Hackers have become more professional; they are very well equipped from a technical point of view. They are often cybergangs with financial resources that should not be underestimated.

Could SRH have protected itself better against such an attack?

External experts have confirmed that SRH’s security level was by no means low compared to other universities and healthcare groups – indeed it was above average. But we can certainly protect ourselves even better. This is very comparable to protecting a house against burglars. Unfortunately, there is no 100% protection there either, and it is always a race against the progress of criminals, but all this should not inhibit your efforts to increase your protection to a maximum. In 2022, the focus will also be on a new setup of the SRHK student domain, because this is where the attack took place.

The Mannheim Public Prosecutor’s Office and the State Criminal Police Office are investigating on suspicion of extortion and computer sabotage. Do you have hope that the perpetrators will be caught?

As this is an ongoing case, we cannot say anything about the state of the investigation. However, experience from comparable cyberattacks shows that the chances of finding the hackers are relatively low.

What damage was caused to SRH?

Direct damage was mainly caused by system failures and the associated lack of access to certain systems. This was not easy for our companies and our employees, students and participants.

In addition, a few files were copied and posted on the Darknet. In very few individual cases, personal data was also published. The people concerned were immediately informed and advised.

But the clean-up cost us several weeks of productive work, and that is very painful.

What priority did you follow to restore the IT systems?

Here, it was quite clear: “Safety before speed”! Since we have excellent backups for all our crucial systems, which the hackers were unable to crack despite their attempts, (almost) everything is recoverable. Now, we could have done this in a very quick but uncontrolled kind of manner. But the fact is, after hackers have penetrated, EVERYTHING in the infrastructure and systems must be examined for damage. Unfortunately, it is a common principle of hackers to leave so-called “backdoors” and “sleepers” behind, which, if simply restored quickly without intensive cleaning, they can later unpack themselves and cause the same damage again.

Even if the longer recovery time meant that we had to delay the users of our IT systems longer than was technically possible, I think it was worth it; we want to do everything we can to avoid another case of damage. The process demanded a lot of patience from the staff at the university, and we are very grateful that they showed so much flexibility in this exceptional situation. We also thank the students very much for their understanding.

When will the recovery measures be fully completed?

If you measure the recovery purely mathematically, with the number of clients and servers that are productive again, then we are already well over 90%. We will not be able to restore 100% because systems that are inherently insecure cannot be reactivated. Therefore, this question cannot be answered perfectly. In the next week, we will work on restoring Citrix and various interfaces. We are also making further progress with the mail accounts: here, it is a question of ensuring that all employees have access to their secured OST files again and that the functional mailboxes are fully reactivated. We will emerge stronger from this cyberattack.

Looking back, what were the lessons learned from the cyberattack?

IT security will continue to be a high priority for us, because it is our task as a group to protect the data of our customers and employees from organized crime. In recent months, we have taken many technical and structural measures, but also organizational ones to protect ourselves from attacks in the future and to be able to react quickly. But in the end, we can only set the framework, and it also depends on the attentiveness of users: From issuing secure passwords to the secure use of external data media, we can all help to ensure that such a cyberattack does not happen again. Also, everyone in our universities will have to be more vigilant in ensuring that computers not managed by IT Solutions do not enter SRH networks.

How did you personally experience SRH in crisis mode?

I would like to express my sincere thanks to all employees and our customers who have supported us on the road to recovery over the last few months. It has not been easy for any of us to find solutions in a working environment that was anything but optimal at times to be able to continue serving our customers. Especially in this exceptional situation, our organization has shown itself to be extremely agile and resilient, and I am very proud of how everyone at SRH has reacted to this crisis.

Mr. Mombaur, thank you for this interview.

Patrick Mombaur is a member of the SRH Board of Management.