Major social media platforms such as Twitter and Facebook owners Meta have been assisting Munster Technological University in its efforts to prevent confidential information about its staff and students from being widely published on the internet, the High Court has heard.
Mr Justice Brian O'Moore was informed of the co-operation of the social media companies when he agreed to extend an injunction obtained by MTU shortly after last month’s cyberattack on the college, that prevents the hackers, or anybody else who has knowledge of the order from selling, making available to other parties, or publishing the college's data.
In an update to the court the judge was told that 6GB of data taken from MTU's IT system had been made available for publication by the hackers, believed to be based in Russia, after the college refused to pay the ransom.
The judge said he was satisfied to grant the extension sought by MTU, and that he had the jurisdiction to do so.
'Great assistance'
While it might seem to be a pointless exercise to make orders against unknown persons believed to be in Russia, he was satisfied the orders had been effective in preventing MTU's information from being widely published on mainstream social media platforms and the internet.
In particular the judge said he was taking account of evidence given by MTU's President Margaret Cusack who said that following the court's order social media providers such as Reddit, Pinterest, and Meta have been co-operating with the university in making sure that the data was not published on their platforms.
The judge said that in her sworn statement to the court Ms Cusack had stated that court's order had been of "great assistance" in MTU's efforts to prevent its confidential data from being published on the net.
She had added that Twitter had liaised with MTU and its advisors over several tweets showing screenshots published by the "dark actors on the Dark web," showing a folder of some of the information that has been released.
The court noted that MTU's advisors KPMG has been providing a daily monitoring service and informs the college of any reference of the attack and the confidential data that appears on the net.
Darknet
MTU also remains in contact with the Data Protection Commission, the Gardaí, and the National Cyber Security Centre about the attack, the court also heard.
The cyberattack on MTU's IT system, which was detected early last month, is believed to have been carried out by a group of individuals most likely based in Russia or another former state of the former Soviet Union and calling themselves Alpha or BlackCat.
Investigations carried out by experts retained by MTU claim the group is suspected of being made up of former members and affiliates of the ransomware group 'Conti', which conducted the cyberattack on the HSE in May 2021.
Following the attack, the college received a ransom note from the hackers demanding to be paid a significant amount of money in exchange for not publishing confidential information the attackers claim to have obtained from MTU.
MTU's lawyers returned to the court on Thursday seeking to extend orders preventing the currently unknown persons behind the attack, and anyone else who has knowledge of the injunction, from publishing, making available to the public, or sharing any of MTU's confidential material.
The order also requires the defendants or any other person in possession of the confidential data to hand over any such material they possess back to MTU.
No ransom paid
Imogen McGrath SC, with Stephen Walsh Bl instructed by Arthur Cox solicitors, told the court that the college did not pay the ransom, resulting in the hackers releasing 6GB of information about MTU onto the 'Dark web' on the night of February 12th last.
The exact figure demanded by the attackers was not disclosed in open court. In their encrypted ransom note to MTU BlackCat said "Greetings from Alpha aka BlackCat"
The note went on to warn MTU that if refused to make a payment it would make targeted voice calls to MTU's clients and competitors, launch "powerful" DDoS attacks on all of MTU's external services they discovered during the attack, and make all the stolen files available to the public.
"We would like to warn you that in case of you being silent ignoring our messages, wasting time or not complying to our rules and terms, devastating DDoS attacks on your serves will start."
"Also, if we don't come to an agreement with you regarding the payment, we will start looking for the customers for your personal data. In case that we will not find customers for your data, we will post it for everyone in our blog. This blog is being daily monitored by hundreds of media portals."
"All of your data will be published in our collections, which each file is indexed and available for free search."
The group, which also included links to its blog and about its activities on the ransom note, also said that once payment came through it would "give its word" that it would "not perform attacks on you in the future" and provide proof that it had securely deleted the data taken.
Data recovery team
It also said it would suggest an approved outsourced data recovery team which had "successfully worked with us on multiple occasions".
Counsel said that the hackers were served with the court orders shortly after MTU's lawyers obtained the injunction and had also put BlackCat on notice of its application to have the orders extended.
Counsel said that after being served the hackers via a link they had provided on the Darknet. In reply to MTU's legal action, the hackers replied, "What are you on about" and said they only had a short time before their deadline of releasing the information expired and added "Nothing will help you other than complying to our rules and terms."
Counsel said that while there had been no further contact from BlackCat it was clear from the responses that the defendants had "no intention of complying with the courts orders."
The injunction was sought in order to protect MTU students and staff's personal data and prevent BlackCat and anyone else from taking advantage of the breach, and from breaching any property and privacy rights of those whose data may be affected.
Investigations by experts revealed that the attackers claim to have accessed many files including those concerning MTU’s employee records, payments and benefits, gender pay gap reporting, student assistance funds, scholarships, pension details, HR staff files, and staff contract reviews.
The publication or sale of this information, MTU claims was unlawful and constituted breaches of its and the rights of others and caused harm to the college’s staff and students.
After granting the order sought by MTU Mr Justice O'Moore said that he would issue a full written judgement on the application at a later date.
