Cyber-attack on
IT systems Cyber-attack on IT systems

At the end of December, the information and communications infrastructure at HAW Hamburg was targeted by hackers. This was determined on 29 December 2022. Based on what we know to date, the hackers used decentralised IT systems to manually work their way  into HAW Hamburg's central IT and security systems via the network. Using this path, they also obtained the administrative rights for the central storage systems and compromised the central data storage. They then used the administrative rights to begin encrypting various virtualised platforms and deleting stored backups.

HAW Hamburg has filed a complaint with the cyber-crime division of the Landeskriminalamt. The Hamburg commissioner for data protection and freedom of information has been notified in compliance with article 33 of the General Data Protection Regulation, as has CERTnord, and the information about those impacted was published on 6 January 2023.

Upon the publication of personal information on the so-called darknet on 5 March 2023, those impacted were again informed pursuant to article 34 of the GDPR. Individuals will be personally notified by post if an analysis of the data indicates a high risk to their personal rights and freedoms.

Students can now use their new HAW account (w...123@haw-hamburg.de) to sign into myHAW via myhaw.haw.tuhh.de.

In addition to the access code for the energy-costs subsidy, you can also find your enrolment and BAföG (student financial aid) certificates on myHAW. It is also possible to change your address and submit leave and deregistration requests.

It is not currently possible to view your grades or to register for courses via myHAW.

If you have only recently applied and do not yet have a HAW account, please continue to use the button at the top right side of the web page – for example, to download your letter of acceptance. Please note that you need to be enrolled as a student in order to download certificates and applications following login to your HAW account.

Together with the ITSC, the staff of the KOMWEID project have built a new virtual learning environment (Übergangsmoodle), which has been online since 6 March: moodle.haw-hamburg.de.

Instructors can upload their course materials to the new platform. 

Students will receive the enrolment codes for their courses from their instructors at the beginning of the semester.

Additional information about Übergangsmoodle

The new installation of Microsoft 365 has also changed the verification process for Adobe products. HAW Hamburg employees can now use the same login information for Adobe as for Microsoft 365 (w...123@haw-hamburg.de, the new password and two-step verification). 

Students who use Adobe products through the HAW Hamburg network also need to use their new user ID to log in.

Students and employees can now sign in with their new user ID and password and set up two-step verification at www.office.com. The new HAW account (w...123@haw-hamburg.de) also works for various other online services: Übergangsmoodle, myHAW (for students) and the Adobe licence.

Information about the new HAW account and two-step verification

All of the multifunctional printers have been checked by the manufacturer for malware. It is now possible to copy and to print documents by putting them on a USB stick and connecting this to the printer. The printers will remain disconnected from the network.

The WLAN network is now available again and is functioning properly across the entire university.

Because the identity management system has not yet been rebuilt, a QR code that can be used to log in is posted at the university.

Please note: Even with access to the WLAN network, it is still not possible to access the HAW Hamburg server. The university is simply providing Internet access.

The landlines at HAW Hamburg are now working again. You can receive and make calls both within the university and externally. However, because the configuration servers that control the telephones are currently not available, it is not possible to change the settings at the moment.

Based on the information available at this time, the risk to your personal computer is currently no greater than usual. This is also the case for devices that are or were connected to the university WLAN and/or which are/were used to access applications used at the university, such as MS Teams. In addition to the information about using your device, please also observe the security tips regarding phishing mails and fraud attempts. The HAW Hamburg ITSC offers the following security-related pointers for your personal computer/laptop:

1. Check your device and your removable storage devices with antivirus software

Check whether your device has been infected with malware. In addition to your device, you should also check the data on USB sticks and other removable storage devices you have used. Numerous antivirus programmes are available which can help identify whether your device or storage device has been compromised.

HAW Hamburg has a campus licence for the Sophos antivirus software. The campus licence allows all HAW Hamburg staff and students to use the Sophos software free of charge, both at the university and at home:

Information about installing the Sophos antivirus software.

A list of other virus scanners for different operating systems is provided here:

List of Windows antivirus programmes (Chip.de) 

List of macOS antivirus programmes (Chip.de)

It is possible that you will receive a malware notification on your device when you check it. However, such notifications are not necessarily all linked to the cyber-attack on HAW Hamburg. Only specific notifications may be related to the malware used for the cyber-attack.

If the antivirus software cannot delete or neutralise the malware identified, please contact: ticket (at) haw-hamburg (dot) de

2. Change your passwords
Change your passwords for all programmes used internally at the university and use only secure passwords. Please make especially sure to change your password for MS Teams and avoid using passwords that you have already used. For guidance on choosing secure passwords, please see the information from the Federal Office for Information Security: Creating secure passwords

3. Use an up-to-date operating system and carry out the security updates
Carry out regular security updates for your computer's operating system. The big companies (Microsoft, Apple, Linus) provide monthly updates at set intervals which remedy security gaps in the systems without requiring that the device be reset. If you update your smartphone and computer regularly, they are protected against threats from the Internet and won't become infected with malware in the first place.

Once you have carried out these steps, you can work safely using your device.

As a general measure, HAW Hamburg's ITSC recommends implementing a further level of protection for using your computer or laptop:

1. Create a backup of the data from your device using a USB stick or other removable storage device.
2. Check the data on the external device using an antivirus scanner. You can follow the steps outlined above to do this.
3. If your device has been infected with a virus and the antivirus programme cannot neutralised the malware it has detected, it is recommended that you reset the device. You can use the following guidelines to do so, regardless of which operating system you have:

Guidelines for Windows devices

Guidelines for macOS devices

Guidelines for Linux Ubuntu devices

You can find more information about using your computer safely on the Federal Office for Information Security website.

The ITSC has provided the following guidelines for the secure use of computers that are administered centrally by the ITSC:

1. Turn on your device and sign in locally.

2. Turn off the proxy setting on your device. (instructions in pictures)

• a.    To do this, select the search function, which is located on the Start menu.
• b.    Enter 'proxy' in the search field. The field 'Proxyeinstellungen ändern (Change proxy settings)' will appear.
• c.    Select this field.
• d.    Deactivate the options 'Einstellungen automatisch erkennen (Automatically recognise settings' and 'Proxyserver verwenden (Use proxy server)'.

3. Check your device using the Sophos virus scanner
A virus scanner from Sophos is installed on your device. Use this to scan your computer for malware. The Sophos virus scanner works with so-called virus signatures, which means that it contains a database with the fingerprints of all known viruses. It can therefore automatically recognise the virus signature of the malware used in the cyber-attack on HAW Hamburg.

Update from 27 January 2023: At the moment, Sophos cannot be updated or is not available on some computers. For this reason, USB sticks with the current version of Sophos will be distributed in the various departments and units at the university on 30 January 2023. On those computers labelled 'ITSC...-...-', the virus scan needs to be carried out by an ITSC staff member. Appointments are currently being organised. On all other computers, the user can carry out the scan using the USB stick.

4. If your device is infected with malware, please contact the ITSC
If the Sophos virus scanner notifies you that it has detected malware, please contact the ITSC at the following address: ticket (at) haw-hamburg (dot) de

After taking these steps, you can work safely with your device. You can use it securely with both the HAW Hamburg WLAN and your private WLAN.

When they hacked the HAW Hamburg IT infrastructure, the hackers had access to the university's central IT systems. Based on the information currently available, it must be assumed that data were stolen during the attack on these systems. (Please see the information provided on 9 March 2023 pursuant to article 34 of the GDPR.) Among other things, criminals use such stolen data for fraudulent activities such as phishing mails and Internet purchases with false identities.

This means that increased caution with suspicious emails or account activity in online shops is called for. We especially ask that you observe the following guidelines:  

• Do not open attachments or links in suspicious mails. These attachments and links can contain malware, which can damage your device or be used to steal personal information – for example, account information – which can then be used for criminal activities.
• Do not answer these mails. This applies especially to mails that ask you to carry out unusual activities such as making money transfers to alternative accounts or giving out PINS or passwords. 

Login attempts on Amazon and eBay
The ITSC has received several reports from students about login attempts by unauthorised third parties on Internet sites such as Amazon and eBay. After reviewing all the reports to date and taking into account the tactics previously used by the hacker group, it is possible to conclude that these login attempts are not linked to the security incident at HAW Hamburg or the hacker group.

Fraud attempts via SMS 
The ITSC has also received numerous reports of attempted fraud via SMS. These messages ask the recipient to open a fraudulent webpage (phishing page) under the pretext of an Apple Pay connection or a suspicious payment. On this page, they are asked to enter online banking information, bank card information and other personal information. Such SMS messages are a well-known scam and are not linked to the security incident at HAW Hamburg or the same criminal group. Nevertheless, the ITSC strongly warns against entering information on such phishing pages.

WhatsApp (grand)child trick
Fraudulent activities via the WhatsApp messenger service have also been reported. In this case, the individuals claim that they are the recipients' (grand)children and say that they have a new phone number because the old smartphone has been broken or lost. This scam is also a well-known tactic of fraudsters. It is not connected with the security incident at HAW Hamburg or the same group of criminals. 

Thousands of passwords, user names and accounts are hacked each year. Social networks and entertainment sites are among the most common targets of phishing attempts. There are various online portals you can use to check whether your email address has been compromised. They compile information about known leaks and make it possible to search for email addresses. One of the most comprehensive services is Have I been Pwned?, which you can find at haveibeenpwned.com.

If you receive the notification 'Oh no – pwned', this means that the email address has been published in one or more leaks. Information about which leak this was is indicated on the website. In this case, what applies for everyone is even more important for you:

1. Select a strong password.
2. Use two-factor authentication whenever possible.
3. Select the 'Subscribe to notification' option from haveibeenpwned.com.

The website outlines these points under '3 steps to better security'.

The Rechenzentrum Bergedorf can be contacted via this email address: rz (at) ls-haw-hamburg (dot) de

In the other faculties, please contact the person/unit that issued you the computer/device. If you are not able to identify a contact person via this route, you can send a mail to ticket (at) haw-hamburg (dot) de. Please be sure to indicate whether you are an employee as well as the department or administrative unit you work for.

Students and employees who are having problems with their private computer can also contact ticket (at) haw-hamburg (dot) de