
Expert: this is how TU/e hackers stayed under the radar for days

In the Cracked by Jordens series, we examine cybersecurity in the Netherlands. Today, we look back at the TU/e attack.

Published on May 22, 2025


Our DATA+ expert, Elcke Vels, explores AI, cyber security, and Dutch innovation. Her "What if..." column imagines bold scenarios beyond the norm.

Now that Eindhoven University of Technology has shared a report on how the January cyberattack unfolded, we know that hackers gained access via leaked accounts. And that they had access to the system for days without being detected. How did they stay under the radar for so long? And are there ways to detect hackers earlier? We asked cybersecurity expert Patrick Jordens. He is the director of Trusted Third Party (TT3P), a Dutch company specializing in cybersecurity.

Patrick Jordens

Patrick Jordens (1969) is an entrepreneur with a passion for digital security. He is director of the Trusted Third Party (TT3P) and founder of DMCC Group, which helps organizations comply with all external laws and regulations and internal policies in the field of privacy and consumer law. He is also a guest lecturer in marketing, data privacy, and ethics at Rotterdam University of Applied Sciences.

How is it possible that hackers were able to remain undetected in the system for days?

"Once a hacker is in, they often do one thing very well: nothing conspicuous. They behave like a normal user, quietly looking around, getting their bearings. What is interesting? Where is the value? Only later do they take action. It's like someone has entered your home unnoticed, quietly sat in a closet, and searched your rooms at night.

"You can detect a hacker in your system, but you must know what to look for. And above all, you have to actively hunt instead of just defending. There are special detection and response solutions for this. These give IT administrators insight into events on a computer, such as scripts that have been executed. You gain insight into behavior patterns: who logs in when, from which location? But technology alone is not enough. Employees must also be trained to work with it."
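The login-pattern check described in the answer above (who logs in when, from which location), sketched as an added example that is not part of the interview or the TU/e report. The account names, events and the one-hour tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (hypothetical accounts): (user, ISO timestamp, country).
HISTORY = [
    ("j.devries", "2024-03-04T08:45:00", "NL"),
    ("j.devries", "2024-03-05T09:10:00", "NL"),
    ("m.bakker", "2024-03-04T13:20:00", "NL"),
    ("m.bakker", "2024-03-05T14:05:00", "NL"),
]
NEW_LOGINS = [
    ("j.devries", "2024-03-06T09:30:00", "NL"),   # matches the baseline
    ("j.devries", "2024-03-07T02:14:00", "NL"),   # known account, odd hour
    ("m.bakker", "2024-03-07T14:40:00", "DE"),    # known account, new country
    ("svc-backup", "2024-03-07T03:00:00", "NL"),  # account never seen before
]

def build_baseline(events):
    """Learn each user's usual login countries and hours from known-good history."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country in events:
        baseline[user]["countries"].add(country)
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline

def hour_is_usual(hour, usual_hours, tolerance=1):
    """Compare on a 24-hour circle so that 23:00 and 00:00 count as neighbours."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual_hours)

def flag_logins(baseline, events):
    """Return (user, timestamp, reasons) for every login that deviates from baseline."""
    alerts = []
    for user, ts, country in events:
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, ts, ["no baseline for account"]))
            continue
        reasons = []
        if country not in profile["countries"]:
            reasons.append(f"new location {country}")
        hour = datetime.fromisoformat(ts).hour
        if not hour_is_usual(hour, profile["hours"]):
            reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts

if __name__ == "__main__":
    for user, ts, reasons in flag_logins(build_baseline(HISTORY), NEW_LOGINS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

A flagged login is a lead for an analyst to follow up, not proof of compromise: travel and night work produce the same signals.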

Should companies and institutions hunt hackers more actively?

“They definitely should. New regulations, known as NIS2, also require companies to implement detection and response solutions. NIS2 only applies to socially critical organizations, such as energy and water companies, government agencies, and the food sector. These regulations do not apply to everyone, but it is very important that every organization, large or small, is well protected.”

The TU/e report also stated that hackers were able to retrieve crucial data from a domain controller. What does that mean?

"The domain controller is a central server within a computer network. This server is responsible for authenticating users and devices: it checks whether a username and password are correct and can grant people access to specific folders, printers, or shared drives. You can think of the domain controller as the ‘king of the castle’; a crucial place where you don't want a hacker to be. Anyone who manages to take over this server has access to everything. They can change passwords, give themselves access to systems, and make themselves invisible on the network."

To give other organizations the opportunity to learn from this cyberattack, TU/e is making the investigation reports available. A good move?

"Absolutely. When you look at this situation, you see that it ultimately comes down to human error. By sharing this report, the university is making itself quite vulnerable. Others can learn from this. What's more, other organizations can also learn a lot from what TU/e did very well. The network was taken offline extremely quickly, which prevented the ransomware from spreading and data from being stolen. The incident response was excellent."
