New Zealand university operating despite cyberattack

New Zealand’s third-largest university has been able to continue operating despite a cyberattack that forced officials to isolate affected servers.

The Auckland University of Technology serves more than 29,000 students across three campuses in the country’s largest metropolitan area.

Jeremy Scott, senior corporate communications manager at the university, told Recorded Future News that the school recently experienced a cyber incident “involving unauthorized access to its IT environment by an unknown third-party.”

“Normal university operations and teaching continue both on campus and online, and disruption to AUT services has been minimal. AUT took immediate action to contain and isolate potentially affected servers and implemented additional security measures in the hours after initial detection,” Scott said.

“Leading external cyber security and forensic IT experts have been engaged to assist with the incident management and conduct a thorough investigation. AUT has been advised that this investigation may take some time to complete.”

The university has reported the incident to New Zealand’s National Cyber Security Centre and the Office of the Privacy Commissioner.

The Monti ransomware gang took credit for the attack on Thursday, claiming to have stolen 60 gigabytes of data from the university, giving them a deadline of October 9 to pay an undisclosed ransom.

The group emerged in June 2022 and recently restarted operations after a two-month break – adding at least 13 apparent victims from the legal, financial services, and healthcare sectors to their leak site.

Monti was first discovered shortly after the infamous Conti ransomware group went out of business. Several researchers, including Emsisoft threat analyst Brett Callow and Recorded Future ransomware expert Allan Liska, said the group’s code was very similar to the one used by the Conti group. (The Record is an editorially independent unit of Recorded Future.)

Due to the fact that Conti’s source code was leaked after it publicly expressed support for Russia’s invasion of Ukraine, researchers are split on whether Monti is simply an imitator or an actual successor.

Trend Micro noted that the Monti hackers seemed to be imitating their predecessors, choosing a similar name and copying Conti's attack tactics.

“The name comes from the fact that they were one of the new breed of Franken-ransomware groups relying on stolen code. Their first ransomware attacks used leaked Conti code,” Liska explained.

“Since their start they have rewritten the code and added a Linux variant. They went quiet for a few months earlier this year but started hitting organizations again a couple of months ago. They are a 3rd or 4th tier group, but as we’ve seen a lot this year, even 3rd and 4th tier groups can do damage.”

Conti actors previously caused immense damage to New Zealand’s healthcare system during a 2021 ransomware attack on the Waikato District Health Board IT systems. The attack brought down all of the computers and phones at hospitals in Waikato, Thames, Tokoroa, Te Kuiti and Taumaranui.

At the time, the hospital’s chief executive called it the “probably the biggest cyberattack in New Zealand's history.”

A ransomware attack on Mercury IT, a widely used managed service provider (MSP) in New Zealand, disrupted dozens of organizations in the country, including several government departments and public authorities in December.