Heidelberg University

02/02/2026 | News release | Distributed by Public on 02/02/2026 06:10

“We Mustn’t Turn our University into a Fortress”

How were the hackers able to access the university network?

Heuveline: I can't say anything definite about this attack since investigations are still ongoing. But cyberattacks are always multilayered. They are not started by one particular email that someone clicks on carelessly. It is much more subtle. Hackers start discreetly. They gain a foothold in the network in a corner somewhere. From there they look around and seize upon any vulnerability. You have to imagine it like guerilla warfare. Such attacks sometimes take months to prepare.

How come Heidelberg University got off so lightly?

Heuveline: We were certainly lucky but I also have a very good team. We assessed the first signs correctly and recognized the danger.

What was the hackers' goal?

Heuveline: Such attacks mostly aim to encode data, and to paralyze and blackmail the institution.

Was data stolen?

Heuveline: Yes. Email addresses, names and coded password details, so-called hashes. We assume that no research data or other data was stolen.

Do those affected have to react?

Heuveline: No, because we directly called on all university members to change their passwords since the hackers would certainly have been able to decode the stolen password details after a while. So that was absolutely necessary. However, the effort was immense. We're talking about 60,000 accounts. At URZ we had to actively support around 20 percent of the persons affected in changing their passwords. Another step was that university services and websites were only reachable via VPN or the university network - and in some cases still are. In order to use VPN, you need a Uni-ID and two-factor authentication. That does not give absolute protection but is still a distinct obstacle for hackers.

Why is it taking so long for all websites to be reachable again without restrictions?

Heuveline: Two conditions have to be met for a service or a webpage to go back online: first, competences must be clear. We have to know what institution a server belongs to and who is responsible. The second condition is security. In future we are not going to accept any servers that the vulnerability check assesses as highly critical. Meanwhile we have released over 170 services again. We still have 30 to 40 cases to finalize. It is a very complex process but it is also a contribution to our security in the future. We will now conduct such a review on a regular basis.

When can university members access their emails again without VPN?

Heuveline: I'm aware that the present email access is annoying and a burden for many, particularly on mobile devices. That's naturally not going to last, but it was a necessary step. So please bear with us. It's of course my wish - as a user, too - that we can return to normality. If that should not be possible in the near future, we will at least implement solutions that are more user friendly.

Science and research institutions are regarded as especially popular targets for attacks by cyber criminals. Why is that?

Heuveline: First, we have a valuable asset - our data. A university thrives on innovation and is interesting through that alone. The other factor is our structure. Universities are open institutions - and we want to stay that way. We mustn't make the mistake of turning our university into a fortress. That would place massive burdens on research and cooperation. So we take risks that others don't have - and that makes us more vulnerable to hacker attacks.

Heidelberg University published this content on February 02, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on February 02, 2026 at 12:10 UTC.