Munster Technological University is being blackmailed and held to ransom by a group of hackers believed to be based either in Russia or part of the former Soviet Union, the High Court has heard.

The cyber attack on MTU's IT system, which was detected in recent days, is believed to have been carried out by individuals in a ransomware group known as ALPHV aka BlackCat or Noberus, the court heard.

MTU claims that those suspected of carrying out the attack are understood to be made up of former members of the 'REvil' ransomware group, which in 2022 attacked a supplier of Apple and was proven to be based in Russia.

A late sitting of the High Court last night heard that the college received a ransom note demanding what Mr Justice Garrett Simons was told was a significant amount of money, failing which the attackers would publish confidential information they claim to have obtained from MTU's IT system about the university's staff and students.

MTU will not be paying any ransom, the court heard.

While the college does not know at this stage the full extent to which BlackCat has obtained its data, it is very concerned about the attackers' threat to publish any material that may have been taken from the college's computer system.

If the money was not paid, the attackers threatened to sell and/or publish confidential information and data about the college's staff and students allegedly obtained from MTU's IT system.

The exact figure demanded by the attackers was not disclosed in open court.

As a result, MTU, represented by Imogen McGrath SC, with Stephen Walsh BL, instructed by Arthur Cox solicitors, obtained an emergency temporary injunction preventing the currently unknown persons behind the attack, and anyone else who has knowledge of the order, from publishing, making available to the public, or sharing any of the university's confidential material.

The order also requires the defendants or any other person in possession of the confidential data to hand over any such material they may have to MTU.

Seeking the orders, Ms McGrath said that the college's operations and services to its 18,000 students have been significantly disrupted as a result of the attack.

The injunction has been sought in order to protect the personal data of MTU students and staff and to prevent BlackCat and anyone else from taking advantage of the breach of its IT system, and from breaching any property and privacy rights of those whose data may be affected.

Investigations by experts into suspicious activities that were first detected in MTU's IT system on Sunday 5 February are continuing, counsel said.

However, MTU is concerned that data, including personal data, financial information, and confidential and commercially sensitive data of its students, employees and third parties, may have been accessed and extracted by those behind the attack.

Counsel said that an encrypted ransom note was uncovered by MTU's IT team. The note contained a link that was followed by the National Cyber Security Centre.

Counsel said that a page on the 'dark web', a collection of websites that can only be accessed by a specific browser, was located where the ransom demands were outlined.

The demand was placed by BlackCat, and it sought payment of a specific sum by 11.45pm on Friday 10 February.

If the money was not paid, BlackCat threatened to publish the data it claims to have obtained from MTU.

It was clear that the intention of those behind the attack was to "blackmail and extort MTU", counsel said.

The attackers' actions to date have caused substantial reputational and financial loss to the college, counsel said.

While nothing has been published to date, MTU was concerned that unless it obtained the order from the High Court there was a serious risk that the material would be published online.

Granting the orders, Mr Justice Simons said that he was satisfied this was a case where an injunction should be granted on an ex-parte basis, where only one side was present in court.

The judge added that he was further satisfied to make orders allowing MTU's lawyers to serve notice of the court's order on the parties believed to be behind the cyber attack via the dark net page where the ransom note was posted.

The matter will return before the court later this month.

In a statement this morning MTU said: "MTU has engaged specialist services to closely monitor the internet for any possible leak of data.

"While the forensic investigation is ongoing to ascertain to what extent any personal data has been removed from MTU systems, the obtaining of this court order is one of a number of measures being taken by MTU in response to this incident and to mitigate its effects.

"All possible affected users should be extra vigilant in respect of potential attacks by email or SMS or other unsolicited communications."

'Some businesses and organisations may feel they have no choice' - cybercrime expert

Commenting on the injunction, cybersecurity expert Brian Honan, CEO of BH Consulting, said it was aimed primarily at anyone who might publish or buy any information obtained in the breach, not at the criminals behind the attack.

"They've already broken the law," Mr Honan said, "so another injunction isn't going to deter them any further.

"But it's really in case other people either buy that information from the criminals, or come across the information in some other ways that they would be prevented from publishing the information on their own websites, on their blog posts, or whatever.

"And also, they will be compelled to hand that data back over to the authorities as well. So it's kind of trying to limit the spread of the information and onto the internet."

Commenting on the group named during the High Court injunction proceedings, Mr Honan said: "They are a known Russian cybercrime gang, who are based out of Russia or former Soviet states, they have been targeting and been active for the past year, targeting institutions all over the world.

"There is no evidence there's direct connections to the Russian government. But in many cases, the Russian government do turn a blind eye to the activities of these criminal gangs."

MTU have said they will not pay any ransom, but even if they did, Mr Honan said there was no guarantee that being given a "key" would help them get their systems back up and running quickly.

"The most preferred way is not to pay criminals money, because in the end, you're giving criminals money, which enables them and encourages them to carry out further attacks," Mr Honan said.

"Some businesses and organisations may feel they have no choice but to pay the ransom to get the key back to get their data back.

"But the important thing to remember is, even though if you pay the ransom, and you get the key, the software to get your information back, you still have a lot of work to do to recover your systems.

"And we can see that with the HSE. In the HSE attack, they got the key back for free from the ransomware gang, but yet it still took six, nine months, and even longer for some of those systems to be recovered.

"So paying for the key is no guarantee you're going to get your system back quickly."