University of Cambridge's Medical School Systems down due to 'Malicious Activity'

The University of Cambridge is consistently ranked among the world’s top universities, with its medical school and vast research facilities among the very best. But for the past month, staff at the prestigious medical school have had their work hampered following “malicious activity” on its computer network.

An emailed “staff notice” seen by WIRED, believed to have been sent at the end of February, alerted staff to the disruption and said the university was working to get systems back online as soon as possible. However, weeks later, the incident is still ongoing, and little information has been made public about the nature of the incident.

“IT services provided by the Clinical School Computing Service (CSCS) have been disrupted by malicious activity,” the email reviewed by WIRED says. “We appreciate that some staff and students are experiencing significant disruption to their work and studies, and we are grateful for their patience and understanding.”

The University has confirmed to WIRED that its systems have been impacted, that some services have been voluntarily taken offline, and that while it has “contained” the incident, the disruption is ongoing and its investigations will likely take some time to complete. No data has been taken, it says. The UK’s national cybersecurity body and the country’s data regulator are also looking into the events.

The email message sent to staff last month said a “Critical Incident Management Team” has been set up to handle the response. At the time the message was sent, the email said, there was no access to the local IT network and Wi-Fi, and wired internet access had been turned off in impacted buildings, with the Wi-Fi set to be turned on again that same day.

The CSCS provides IT support to staff and researchers in the university’s School of Clinical Medicine. An archived version of its website says there are more than 5,800 devices on its network, and the team provides computers and servers to staff. The email seen by WIRED says that the CSCS also serves the Department of Zoology; the Sainsbury Laboratory, which researches plant life; the Stem Cell Institute; and the Milner Institute of the School of Biological Sciences, which researches emerging therapies. All have been impacted.

A University of Cambridge spokesperson confirmed the incident to WIRED, saying that “malicious activity” was found on the Clinical School Computing Service last month. “We took immediate action to contain the incident including voluntarily taking some systems offline,” the spokesperson said in a statement. “As a result, there is ongoing interruption to some services.”

It is not clear what the “malicious activity” entails or whether the activity is an attack by criminal hackers or an incident of a different nature. Multiple staff members at university departments did not respond to questions sent by WIRED about whether their work or research had been disrupted, or they directed questions to the press office as they are not authorized to speak about the incident.

The university spokesperson did not describe the nature of the problem; however, they said a business continuity plan has been implemented to minimize disruption, and all of the other university and college IT systems are working as normal and are not impacted. “This will likely take some time to complete,” the spokesperson said of its ongoing investigation. “Investigations have found no evidence that data has been taken or transferred without authorization. We have also received third-party assurance that the incident is contained.” They say the situation has moved on since the email seen by WIRED was sent, and it is not possible to characterize the level of disruption across all departments.

While little is known about the current “malicious activity,” the University of Cambridge was among a number of academic institutions, including the University of Manchester, hit by a distributed denial-of-service attack on February 19. Hacktivist group Anonymous Sudan claimed responsibility for the DDoS incident—it is unclear whether the ongoing outage is linked in any way. The day after the DDoS, the Clinical School Computing Service posted on X that the disruption to the network appeared to be “largely over,” and a university spokesperson said that normal service “should now be restored” for centrally managed IT services.

The UK’s data regulator, the Information Commissioner’s Office, tells WIRED that the University of Cambridge had made it aware of an incident and that the regulator is “making enquiries.” Meanwhile, a spokesperson for the UK’s National Cybersecurity Center says it is “working with the University of Cambridge to fully understand the impact of an incident.”

The university’s status page for IT issues lists the vast majority of services as being online, with replacements taking place for some routers on its wireless networks. However, at the time of writing, the website for the medical school displays only basic contact information, and the CSCS website appears to be offline and inaccessible. A newsletter from the Stem Cell Institute, sent on February 27, acknowledged there had been “some IT issues on campus” and that it was postponing a seminar as a result. More recent newsletters from the Institute do not reference the issues.

The email sent to staff and seen by WIRED recommended people follow best security practices, including using multifactor authentication for accounts and using strong passwords, and advised that people change their passwords immediately if they receive a notice saying someone else has logged in to their account from another device.