Cyber-attack on
IT systems Cyber-attack on IT systems

At the end of December, the information and communications infrastructure at HAW Hamburg was targeted by hackers. This was determined on 29 December 2022. Based on what we know to date, the hackers used decentralised IT systems to manually work their way  into HAW Hamburg's central IT and security systems via the network. Using this path, they also obtained the administrative rights for the central storage systems and compromised the central data storage. They then used the administrative rights to begin encrypting various virtualised platforms and deleting stored backups.

HAW Hamburg has filed a complaint with the cyber-crime division of the Landeskriminalamt. The Hamburg commissioner for data protection and freedom of information has been notified in compliance with article 33 of the General Data Protection Regulation, as has CERTnord, and the information about those impacted was published on 6 January 2023.

Upon the publication of personal information on the so-called darknet on 5 March 2023, those impacted were again informed pursuant to article 34 of the GDPR. Individuals will be personally notified by post if an analysis of the data indicates a high risk to their personal rights and freedoms.

Students can now use their new HAW account (w...123@haw-hamburg.de) to sign into myHAW via myhaw.haw.tuhh.de.

In addition to the access code for the energy-costs subsidy, you can also find your enrolment and BAföG (student financial aid) certificates on myHAW. It is also possible to change your address and submit leave and deregistration requests.

It is not currently possible to view your grades or to register for courses via myHAW.

If you have only recently applied and do not yet have a HAW account, please continue to use the button at the top right side of the web page – for example, to download your letter of acceptance. Please note that you need to be enrolled as a student in order to download certificates and applications following login to your HAW account.

Together with the ITSC, the staff of the KOMWEID project have built a new virtual learning environment (Übergangsmoodle), which has been online since 6 March: moodle.haw-hamburg.de.

Instructors can upload their course materials to the new platform. 

Students will receive the enrolment codes for their courses from their instructors at the beginning of the semester.

Additional information about Übergangsmoodle

The new installation of Microsoft 365 has also changed the verification process for Adobe products. HAW Hamburg employees can now use the same login information for Adobe as for Microsoft 365 (w...123@haw-hamburg.de, the new password and two-step verification). 

Students who use Adobe products through the HAW Hamburg network also need to use their new user ID to log in.

Students and employees can now sign in with their new user ID and password and set up two-step verification at www.office.com. The new HAW account (w...123@haw-hamburg.de) also works for various other online services: Übergangsmoodle, myHAW (for students) and the Adobe licence.

Information about the new HAW account and two-step verification

All of the multifunctional printers have been checked by the manufacturer for malware. It is now possible to copy and to print documents by putting them on a USB stick and connecting this to the printer. The printers will remain disconnected from the network.

The WLAN network is now available again and is functioning properly across the entire university.

Because the identity management system has not yet been rebuilt, a QR code that can be used to log in is posted at the university.

Please note: Even with access to the WLAN network, it is still not possible to access the HAW Hamburg server. The university is simply providing Internet access.

The landlines at HAW Hamburg are now working again. You can receive and make calls both within the university and externally. However, because the configuration servers that control the telephones are currently not available, it is not possible to change the settings at the moment.

During the cyber-attack on HAW Hamburg's IT infrastructure, the attackers accessed the university's central IT systems. Since 5 March 2023, we have been aware that data stolen during the attack have been published on the so-called darknet (please see the information provided pursuant to article 34 of the GDPR on 9 March 2023). In some cases criminals use stolen data for fraudulent activities such as phishing mails or to purchase items on the Internet using a fake identity.

We therefore want to ask you once again to be particularly vigilant. In the following, we provide information about common scams and how you should respond:

A.    Phone calls (from an individual or an automated voice) 

Criminals are increasingly pretending to be officers from Europol, Interpol or the Federal Criminal Police Office (BKA). This type of fake call could be connected to the cyber-attack at HAW Hamburg but doesn't necessarily have to be. Please remember: The police and other investigative agencies will never call you or require you to provide personal information via telephone. Nor do other government agencies and banks make such calls. If you follow the instructions, you may unknowingly be redirected to a number charging very high fees. Additionally, the perpetrators may also attempt to obtain additional information from you during the call in order to use it for other criminal activities.

How should you respond? 

1.    Do not follow the instructions, do not become caught up in a conversation and do not provide any information. Note the caller's number and hang up.
2.    Block the number and block any other numbers that have contacted you against your wishes.
3.    You can also submit a complaint about the number to the  Bundesnetzagentur.

B.    Commercial fraud on the Internet

In many cases, stolen personal and address information is also used to commit commercial fraud on the Internet – that is, to purchase items on the Internet in another person's name. The perpetrators order products and have them delivered to a package pick-up station or an alternative address. The invoices or, in some cases, collection letters then go to the unwitting victim of the theft.

How should you respond? 

1. Make a report to the police immediately if your identity has been used fraudulently. In your report to the police, please note the police file number for the cyber-attack (LKA541/1K/0870845/2022) if it is possible that the fraud could be linked to the cyber-attack at HAW Hamburg and the publication of your information on the darknet.
2. If you have received invoices, warnings or packages that you have not ordered, contact the company that sent them (be careful with supposed invoices that have been sent to you via email, as mails with the subject line 'Invoice' frequently contain files that can install malware on your device).
3. Keep in mind that any legal collection notices you may have received must be objected to before the applicable deadline.
4. Report identity fraud to the large credit agencies. You can find the forms for doing so at schufa.de and crifbuergel.de. If you would like to be certain that your identity has not been used to carry out criminal activities such as Internet fraud you can, after waiting a while, request a free credit report from the main credit agencies such as Schufa or CRIF in order to determine if unknown criminals have been using your name for their activities.
5. If you discover that fraud has been carried out in your name, it can also be worthwhile to request a so-called 'Einmeldung' (logging of the information) at the bigger credit agencies to make it more difficult for unknown criminals to misuse your identity.
6. Please bear in mind, though, that in this case companies with which you wish to conduct business and set up contracts will also be informed by the credit agencies that you have been the victim of identity fraud. This can result in your own contracts being subjected to more rigorous controls. This may mean that additional documents or proof of identity are requested and the processing time is longer.

C.    Phishing attempts 

Phishing is when a third party uses fake websites, emails or text messages to impersonate trustworthy individuals, companies or organisations. The goal of the attacker in such cases is to obtain additional personal information or to infect your device with malware.

How should you respond? 

1. Always check the sender of the emails you receive by clicking on the sender's address. But please also note that even familiar sender addresses can be faked or used without permission by unauthorised people.
2. Pay attention to spelling mistakes or other conspicuous details (e.g. no greeting, different language, supposed urgency), which usually indicate that it is a phishing mail.
3. Do not open any attachments or links in suspicious emails. These can contain malware, which can damage your device or extract personal information such as bank account details from your device, which are then used for criminal activities.
4. If you are unsure, use another mode of contact (e.g. phone) to ask if the email really is from the supposed sender.

Based on the information available at this time, the risk to your personal computer is currently no greater than usual. This is also the case for devices that are or were connected to the university WLAN and/or which are/were used to access applications used at the university, such as MS Teams. In addition to the information about using your device, please also observe the security tips regarding phishing mails and fraud attempts. The HAW Hamburg ITSC offers the following security-related pointers for your personal computer/laptop:

1. Check your device and your removable storage devices with antivirus software

Check whether your device has been infected with malware. In addition to your device, you should also check the data on USB sticks and other removable storage devices you have used. Numerous antivirus programmes are available which can help identify whether your device or storage device has been compromised.

HAW Hamburg has a campus licence for the Sophos antivirus software. The campus licence allows all HAW Hamburg staff and students to use the Sophos software free of charge, both at the university and at home:

Information about installing the Sophos antivirus software.

A list of other virus scanners for different operating systems is provided here:

List of Windows antivirus programmes (Chip.de) 

List of macOS antivirus programmes (Chip.de)

It is possible that you will receive a malware notification on your device when you check it. However, such notifications are not necessarily all linked to the cyber-attack on HAW Hamburg. Only specific notifications may be related to the malware used for the cyber-attack.

If the antivirus software cannot delete or neutralise the malware identified, please contact: ticket (at) haw-hamburg (dot) de

2. Change your passwords
Change your passwords for all programmes used internally at the university and use only secure passwords. Please make especially sure to change your password for MS Teams and avoid using passwords that you have already used. For guidance on choosing secure passwords, please see the information from the Federal Office for Information Security: Creating secure passwords

3. Use an up-to-date operating system and carry out the security updates
Carry out regular security updates for your computer's operating system. The big companies (Microsoft, Apple, Linus) provide monthly updates at set intervals which remedy security gaps in the systems without requiring that the device be reset. If you update your smartphone and computer regularly, they are protected against threats from the Internet and won't become infected with malware in the first place.

Once you have carried out these steps, you can work safely using your device.

As a general measure, HAW Hamburg's ITSC recommends implementing a further level of protection for using your computer or laptop:

1. Create a backup of the data from your device using a USB stick or other removable storage device.
2. Check the data on the external device using an antivirus scanner. You can follow the steps outlined above to do this.
3. If your device has been infected with a virus and the antivirus programme cannot neutralised the malware it has detected, it is recommended that you reset the device. You can use the following guidelines to do so, regardless of which operating system you have:

Guidelines for Windows devices

Guidelines for macOS devices

Guidelines for Linux Ubuntu devices

You can find more information about using your computer safely on the Federal Office for Information Security website.

The ITSC has provided the following guidelines for the secure use of computers that are administered centrally by the ITSC:

1. Turn on your device and sign in locally.

2. Turn off the proxy setting on your device. (instructions in pictures)

• a.    To do this, select the search function, which is located on the Start menu.
• b.    Enter 'proxy' in the search field. The field 'Proxyeinstellungen ändern (Change proxy settings)' will appear.
• c.    Select this field.
• d.    Deactivate the options 'Einstellungen automatisch erkennen (Automatically recognise settings' and 'Proxyserver verwenden (Use proxy server)'.

3. Check your device using the Sophos virus scanner
A virus scanner from Sophos is installed on your device. Use this to scan your computer for malware. The Sophos virus scanner works with so-called virus signatures, which means that it contains a database with the fingerprints of all known viruses. It can therefore automatically recognise the virus signature of the malware used in the cyber-attack on HAW Hamburg.

Update from 27 January 2023: At the moment, Sophos cannot be updated or is not available on some computers. For this reason, USB sticks with the current version of Sophos will be distributed in the various departments and units at the university on 30 January 2023. On those computers labelled 'ITSC...-...-', the virus scan needs to be carried out by an ITSC staff member. Appointments are currently being organised. On all other computers, the user can carry out the scan using the USB stick.

4. If your device is infected with malware, please contact the ITSC
If the Sophos virus scanner notifies you that it has detected malware, please contact the ITSC at the following address: ticket (at) haw-hamburg (dot) de

After taking these steps, you can work safely with your device. You can use it securely with both the HAW Hamburg WLAN and your private WLAN.

Thousands of passwords, user names and accounts are hacked each year. Social networks and entertainment sites are among the most common targets of phishing attempts. There are various online portals you can use to check whether your email address has been compromised. They compile information about known leaks and make it possible to search for email addresses. One of the most comprehensive services is Have I been Pwned?, which you can find at haveibeenpwned.com.

If you receive the notification 'Oh no – pwned', this means that the email address has been published in one or more leaks. Information about which leak this was is indicated on the website. In this case, what applies for everyone is even more important for you:

1. Select a strong password.
2. Use two-factor authentication whenever possible.
3. Select the 'Subscribe to notification' option from haveibeenpwned.com.

The website outlines these points under '3 steps to better security'.

The Rechenzentrum Bergedorf can be contacted via this email address: rz (at) ls-haw-hamburg (dot) de

In the other faculties, please contact the person/unit that issued you the computer/device. If you are not able to identify a contact person via this route, you can send a mail to ticket (at) haw-hamburg (dot) de. Please be sure to indicate whether you are an employee as well as the department or administrative unit you work for.

Students and employees who are having problems with their private computer can also contact ticket (at) haw-hamburg (dot) de