Social media platforms such as Twitter and Meta have been assisting Munster Technological University (MTU) in its efforts to prevent confidential information about its staff and students from being widely published on the internet, the High Court has heard.
Mr Justice Brian O’Moore was informed of the co-operation on Thursday when he agreed to extend an injunction that was first obtained last month by MTU shortly after a cyberattack on the college.
The injunction prevents the hackers and anybody else who has knowledge of the order from selling, making available to other parties, or publishing the college’s data.
On Thursday the judge was told 6GB of data taken from MTU’s computer system had been made available for publication by the hackers, believed to be based in Russia, after the college refused to pay the ransom.
While it might seem to be a pointless exercise to make orders against unknown people believed to be in Russia, the judge was satisfied the orders had been effective in preventing MTU’s information from being widely published on mainstream social media platforms and the internet.
In particular, the judge said he was taking account of evidence given by MTU’s president, Margaret Cusack, who said that following the court’s order social media providers such as Reddit, Pinterest, and Meta, Facebook’s parent company, have been co-operating with the University in making sure the data is not published on their platforms.
The judge said that in her sworn statement to the court, Ms Cusack stated that the court’s order was of “great assistance” in MTU’s efforts to prevent its confidential data from being published on the net.
She added that Twitter had liaised with MTU and its advisers over several tweets showing screenshots published by the “dark actors on the Darkweb” that include a folder of some of the information that has been released.
The court noted that MTU’s adviser, KPMG, has been providing a daily monitoring service and informs the college of any reference of the attack and the confidential data that appears on the net.
MTU also remains in contact with the Data Protection Commission, gardaí, and the National Cyber Security Centre, the court heard.
The cyberattack on MTU’s IT system detected early last month is believed to have been carried out by a group of individuals most likely based in Russia or another former State of the Soviet Union calling themselves Alpha or BlackCat.
Investigations carried out by experts retained by MTU claim the group is suspected of being made up of former members and affiliates of the ransomware group Conti, which conducted the cyberattack on the HSE in May 2021.
Following the attack, the college received a ransom note from the hackers demanding to be paid a significant amount of money in exchange for not publishing confidential information the attackers claim to have obtained from MTU.
MTU’s lawyers returned to the court on Thursday seeking to extend orders preventing the currently unknown people behind the attack, and anyone else who has knowledge of the injunction, from publishing, making available to the public, or sharing any of MTU’s confidential material.
The order also requires the defendants or any other person in possession of the confidential data to hand over any such material they possess back to MTU.
Imogen McGrath SC, with Stephen Walsh BL, instructed by Arthur Cox solicitors, told the court that the college did not pay the ransom, resulting in the hackers releasing 6GB of information about MTU on to the Darkweb on the night of February 12th.
The exact figure demanded by the attackers was not disclosed in open court. In their encrypted ransom note to MTU BlackCat said: “Greetings from Alpha aka BlackCat”.
The note went on to warn MTU that if refused to make a payment it would make targeted voice calls to MTU’s clients and competitors, launch “powerful” DDoS attacks on all of MTU’s external services discovered during the attack, and make all the stolen files available to the public.
“We would like to warn you that in case of you being silent ignoring our messages, wasting time or not complying to our rules and terms, devastating DDoS attacks on your serves will start.”
“Also, if we don’t come to an agreement with you regarding the payment, we will start looking for the customers for your personal data. In case that we will not find customers for your data, we will post it for everyone in our blog. This blog is being daily monitored by hundreds of media portals.”
“All of your data will be published in our collections, which each file is indexed and available for free search.”
The group, which also included links to its blog and about its activities on the ransom note, also said that once payment came through it would “give its word” that it would “not perform attacks on you in the future” and provide proof that it had securely deleted the data taken.
If also said it would suggest an approved outsourced data recovery team that had “successfully worked with us on multiple occasions”.
Counsel said that the hackers were served with the court orders shortly after MTU’s lawyers obtained the injunction and had also put BlackCat on notice of its application to have the orders extended.
In reply to MTU’s legal action the hackers replied: “What are you on about” said they only had a short time before their deadline, adding: “Nothing will help you other than complying to our rules and terms.”
Counsel said that while there had been no further contact from BlackCat it was clear from the responses that the defendants had “no intention of complying with the courts orders”.
After granting the order sought by MTU, Mr Justice O’Moore said that he would issue a full written judgment on the application at a later date.