Information Events about the IT Attack

TU Berlin updated University members on current developments following the IT attack in two online information events held on 21 and 25 May 2021. The president, vice president for education, digitalization, and sustainability, and acting vice president of administration were joined by representatives from Campus Management, the Office of Student Affairs, the Data Protection Team, and InnoCampus to share information and answer questions. The events were staged as WebEx meetings and attended by approximately 1200 members of staff and 650 students respectively. Prior to the events, TU members submitted more than 700 questions and comments, which were grouped into topics and addressed during the events by panelists. Answers to the submitted Tweedback questions are provided below for those who were unable to attend the events.

Please note that the information provided refers to our understanding of the situation at the time of the information events on 21 and 25 May 2021. For the latest information regarding the IT attack, please always refer to our overview website.

Staff Tweedback Q&A

Which data have been breached?

According to our current understanding, the University’s Active Directory was copied. You can find out about the data stored in the Active Directory in the information letter of 19 May 2021. A small number of files have now been published on the darknet. We have commissioned additional forensic investigations to establish whether any further data have been breached and will inform you in due course.

Which services will be available again and when?

We are concentrating on the most important services first. However, we also have to take account of the links between different systems, which may influence the sequence in which services return to operation.

Our aim is to make these services available in the following sequence (updated: 25.5.2021; changes may occur):

  • Email: available as a temporary emergency service since 14.5.2021
  • tubCloud: available since 28.5.2021
  • Mid-June: a password change will be required before WiFi (eduroam) and VPN can be used
  • End of June: SAP core systems, initially without portal or self-service
  • Mid-July: Exchange, including access to emails prior to 30.4.2021

Further services and applications will follow. However, it may be several months before all affected systems are available again.

Is data loss likely (e.g. emails, tubCloud) and if so, to what extent?

Tape (streamer) backups exist for all services centrally operated by Campus Management (ZECM). According to our consultants, these are in good condition and have not been affected by the attack. However, it is possible that there was a short gap between the last backup and switching off the affected systems on the morning of 30 April 2021.

Is it possible to provide interim backups or read-only access for tubCloud etc.?

The infrastructure to access the systems is not currently available and it is consequently not possible to provide backups, even with reduced access rights. However, tubCloud can be accessed again.

Are home networks, computers used for working from home, and other computers using the tubCloud client also possibly compromised?

According to our current understanding (25.5.2021), there are no indications that private computers and networks have been affected by the IT security incident at TU Berlin. Please make use of standard security measures, such as regular updates and an up-to-date virus scanner.

When can those computers which currently may not be used be operated again?

Campus Management (ZECM) will provide a process in due course for restarting computers used by the Central University Administration. However, it is not yet possible to say when this will be. Please check the TU Berlin website and the ZECM homepage for updates. Instructions are currently being developed for independently restarting decentrally managed devices. Information to follow.

Are there plans to reconstruct the IT systems using free or open-source software rather than proprietary software?

The goal is to re-establish our IT services as soon as possible. As such, it is not helpful to consider a change of software in addition to the other measures which need to be taken. Any change of software requires extensive planning. A mix of free and proprietary software has generally worked so far. We would also like to point out that free software is not necessarily more secure.

Were the IT systems at TU Berlin fully updated at the time of the attack?

Structured and documented processes exist for the systems centrally managed by Campus Management (ZECM). These were all fully updated. A wide range of IT systems are used at TU Berlin and it is therefore possible that some decentralized systems were not fully updated.

Was the TU password cryptographically secured?

The password was encrypted using standard preferences recommended by Microsoft. These include NT hashes. To find out more, please refer to the official Microsoft documentation, "Passwords stored in Active Directory."

How does the attack impact future staffing policies in IT?

A new pay scale system has been in operation for IT positions at TU Berlin since the start of the year. The market for IT staff is very competitive in Berlin and head hunters are also used for some positions.

Student Tweedback Q&A

Were the IT systems at TU Berlin fully updated at the time of the attack?

The IT system at TU Berlin is large and complex. Structured and documented processes exist for the systems centrally managed by Campus Management (ZECM). These were all fully updated. However, it is possible that some decentralized systems were not fully updated.

Is it possible to operate a Microsoft-based infrastructure securely in the long term?

The IT infrastructure at TU Berlin is not completely based on Microsoft. Indeed, we operate more Linux servers than Microsoft servers. As such, TU Berlin is not as dependent on Microsoft as it may sometimes appear. A mix of free and proprietary software has generally worked so far. We would also like to point out that free software is not necessarily more secure.

Which services and software were specifically compromised and why?

This question is difficult to answer as the incident is now subject to an ongoing criminal inquiry. TU Berlin has filed criminal charges and is unable to comment on certain aspects, as this could hinder inquiries. You can find out about the data stored in the Active Directory in the information letter of 19 May 2021. A small number of files have now been published on the darknet. We have commissioned additional forensic investigations to establish whether any further data have been breached and will inform you in due course.

Which personal and private data have been breached? Telephone numbers for TAN text messages, gender, addresses, bank details?

According to our current understanding, the University’s Active Directory was copied. You can find out about the data stored in the Active Directory in the information letter of 19 May 2021. A small number of files have now been published on the darknet. We have commissioned additional forensic investigations to establish whether any further data have been breached and will inform you in due course.

We were informed on Friday that data has been published on the Internet. Screenshots show that copies of IDs and other documents have been breached. Are all my email attachments/tubCloud data now publicly available?

The files published on the darknet were identified with the help of IT crisis consultants HiSolutions AG, and further forensic analyses have now been commissioned. As yet, there are no indications that tubCloud has been affected.

How well was the TU password cryptographically secured? Was a salted secure hash algorithm used?

The password was encrypted using standard preferences recommended by Microsoft. These include NT hashes. To find out more, please refer to the official Microsoft documentation, "Passwords stored in Active Directory."

Has data (e.g. student data, exam data, etc.) been altered?

According to our current understanding, this is not the case. The Conti hacker group are known for copying and exfiltrating data, but not for altering it. Our forensic analyses currently indicate no data manipulation.

Have all records of achievements (exam grades, certifications for internships) been lost? If so, can they be retrieved? Can you guarantee that exam grades etc. have not been lost?

Tape (streamer) backups exist for all services centrally operated by Campus Management (ZECM). According to our consultants, these are in good condition and have not been affected by the attack. These backups also include information regarding exam grades, etc.

It seems it will be some time before the SAP portal is functioning again. Will you provide an interim solution in the near future for important documents (overviews of grades, certificates of enrollment, etc.) for expiring visas and job applications?

It is currently not possible to issue documents. The Office of Student Affairs is hopeful that it will be possible to access the system and provide documents again within the next two weeks. Unfortunately, this will not be possible for students studying in pilot programs (Physics and Historical Urbanization) as the exam management for these programs has already been transferred to SAP.

How can I register for and deregister from exams? How can I register and deregister a final thesis? Is it possible to extend deadlines for final theses?

In the absence of the QISPOS systems, it has been agreed that examiners will decide how students are to register for module examinations. Please refer to the information provided by your examiner during classes or via other means of communication and ensure that you follow their instructions.

There are essentially three options. Your examiner may also provide other options, depending on the technology available for a course.

Students can use the exam registration form available on the website of the Examination Office. Please ensure that you indicate whether you are taking a course as a compulsory elective module or an elective module, etc. Some academic chairs enable students to register via attendance or require students to sign up on lists provided on the relevant portals.

Turning to the second part of the question: The Examination Office is currently unable to register students for final theses as this requires access to unavailable databases to check requirements. It is also not possible at the moment to process application forms in digital format and store files securely. We hope it will be possible to perform these tasks again within two weeks.

Final theses can be submitted by mail, post, or in person to the information desk in the Main Building. We kindly ask students to refer to the information provided by the Examination Office and ensure that they submit their registration form along with their thesis.

Writing periods for final theses have been suspended until 31 May 2021. If you chose not to take advantage of this, you may apply for an extension as a result of the IT attack. Please do not submit applications by email just yet. Information will be published on the website informing you about how to apply for an extension as a result of the IT attack.

Is there a prioritization for the provision of IT services, especially for systems that are relevant for students - QISPOS, tuPort, tubCloud, VPN, eduroam?

The IT crisis committee established in response to the attack is responsible for prioritization. We are concentrating on the most important services first. However, we also have to take account of the links between different systems, which may influence the sequence in which services return to operation.

Our aim is to make these services available in the following sequence (updated: 25.5.2021; changes may occur):

  • Email: available as a temporary emergency service since 14.5.2021
  • tubCloud: available since 28.5.2021
  • Mid-June: a password change will be required before WiFi (eduroam) and VPN can be used
  • End of June: SAP core systems, initially without portal or self-service
  • Mid-July: Exchange, including access to emails prior to 30.4.2021

Further services and applications will follow. However, it may be several months before all affected systems are available again.

Will this attack on the proprietary infrastructure lead to an increased use of open source software in the future?

The goal is to re-establish our IT services as soon as possible. As such, it is not helpful to consider a change of software in addition to the other measures which need to be taken. Any change of software requires extensive planning. A mix of free and proprietary software has generally worked so far. We would also like to point out that free software is not necessarily more secure.