Print this page

A nightmare...

Cyberattack on NWO network cripples activities

It seemed to be a very normal weekend, with the Saturday paper and a walk, until the work telephone of the Director of Operations at NWO-I, Jan van der Boon, kept ringing. ‘I was one of the first people from NWO-I to be informed that NWO has been hacked, but it was not clear what and by whom. It was one of my worst nightmares, and I tried to imagine the impact on NWO-I. I spent the rest of the weekend in Zoom meetings.’

Looking back: what happened?

On 8 February 2021, a group of cybercriminals named DoppelPaymer gained access to the NWO network with ransomware. The criminals demanded a ransom, but NWO decided (as part of the Dutch central government) not to respond to the demands as a matter of principle. NWO did not disclose the amount of ransom demanded. The NWO domain organisation was forced to stop all of its grant activities. As a provider of services to the nine NWO Institutes, the NWO-I office tried to continue working as much as possible despite the crisis. The experts who were contracted immediately from renowned security companies monitored whether and, if so, where occasionally stolen data would be published. That happened on 24 February 2021 on the dark web. This concerned several internal NWO documents. An analysis revealed that the cybercriminals had stolen data, but which data is still not clear.  

Until further notice

Due to the hack of the network servers, including the mail servers, it was impossible for the domain organisation of NWO, the Taskforce for Applied Research SIA and the Netherlands Initiative for Education Research to carry out the primary processes, such as funding science. All NWO employees in the domain organisation therefore had to stop their work until further notice. The NWO-I office could no longer provide shared services to the nine NWO Institutes in the area of finances, P&O and salary administration. Links with various external applications were closed down. Work laptops remained closed, and employees did not receive the mails sent to them.

NWO-I continued its services

The operational processes of the NWO Institutes were not affected by the hack of the NWO systems. They have their own network, with its own infrastructure, mail systems and data storage, and so they continued work as usual. The NWO-I office worked hard to quickly restore the most essential services for the institutes. With a lot of hard work, colleagues from the NWO-I office managed to realise this. The Finance & Control department immediately picked up the thread and got the project New Financial System up and running again. P&O also took immediate action because the end of the month was drawing near, and salaries had to be paid. ‘The salary processor’s data from January served as a starting point, and this was combined with mutations from the P&O departments of the institutes regarding starting or leaving employment and extensions of contracts’, says Ria Wemelsfelder, head of Salary Administration at NWO-I. ‘In this way, “advances” were paid out in February. On 8 March, we managed, despite everything, to realise the final salary production for February.’ To ensure that more than 1800 employees could be informed in a better and professional manner, the NWO-I office made use of the services of a renowned company in the area of cybersecurity and security risk management. The Communication Department rapidly launched a secure website with a Q&A for employees and former employees. From that moment onwards, they could reach experts 24/7 by phone and also by email.

Impact on the institutes

The financial and personnel system of all NWO Institutes are linked to the NWO-I office and were affected by the cyberattack. That gave a lot of disquiet at the institutes. The main concern was about the possible abuse of files linked to people, which NWO-I has stored at the central personnel administration of NWO. David Groep works at Nikhef on physics data processing: large-scale data processing for research. By virtue of this position, he is also a specialist in the area of cybersecurity. Together with ICT colleagues and the other institutes, he tried to gain an overview of the possible consequences. Groep: ‘We joined forces at the institutes to reconstruct what had been sent to the NWO-I office in the past. Due to the segmentation of all independent institutes with their own systems, the consequences were relatively limited.’ At CWI, the institute next door to Nikhef on the Amsterdam Science Park, institute manager Dick Broekhuis was looking forward to a somewhat quieter time after the coronavirus. Broekhuis: ‘All of a sudden, there was this new crisis that we had to tackle in the middle of a lockdown situation. At our institute, a lot of work was also needed from the IT department to ensure the integrity of our own systems.’ Recommendations and measures that emerged from the results of all these internal investigations reached the employees of NWO-I quickly each time via the online Q&A since it was regularly updated, sometimes every hour.

And what will happen now?

NWO worked hard to bring an entirely new network online. The laptops of NWO employees have been completely reinstalled. On Wednesday, 10 March, the employees of NWO-D and the NWO-I office could once again use the network. On 22 March, the domain organisation restarted the grant process for all funding rounds and for the Taskforce for Applied Research SIA and the Netherlands Initiative for Education Research (NRO). All deadlines for grant proposals have been postponed by a month. In the coming weeks, all processes will resume just like before the hack.

What can we do to prevent another attack from cybercriminals? David Groep from Nikhef is quite clear about that: ‘The safest computer is a computer encased in concrete and thrown into the North Sea. There is always a risk. In science, we continuously consider at a strategic level how we can do research safely. In my work, such as data collection for the Large Hadron Collider at CERN, I see that we can stay one step ahead of cybercriminals by sharing information and working together. You need to be able to recognise patterns so that we can look for possible weak points in systems ourselves. In addition, it is also important that security is not too abstract. Working safely depends on everybody being alert within the organisation. Ensure that you always are informed about the latest updates, be aware of phishing, and do not use any macros. Everything stands or falls with the commitment of people and the sharing of information. The sense of urgency cannot be high enough. At Nikhef, we send a mail within an hour if we see that somebody has logged in from an unknown location. Human contact and several good processes are more important for us than policy documents.’

Text: Anita van Stel/Arian Visser


8 February – cybercriminals penetrate the NWO systems
13 February – NWO stops all activities, NWO-I office continues to work
15 February – NWO closes down all activities; NWO-I office starts restoring essential services
22 February – 700 laptops handed in at NWO offices in Utrecht and the Hague
24 February – publication of several internal NWO documents on the dark web
25 February – NWO-I office contacts a fraud specialist
4 March – online Q&A launched for current and former employees of NWO-I
8 March – 700 NWO laptops picked up from the offices in Utrecht and The Hague
10 March - the new network goes online
17 March – NWO-I People back online
22 March – restart grant process NWO-D for all rounds

About ransomware

Ransomware is a technology that encrypts data and in this way makes it inaccessible with the aim of exacting payment (or enforcing a certain action). The publication of data is increasingly used as a means of exerting pressure. Cybercriminals mostly use ransomware to penetrate companies. The costs of doing this are relatively low and the earnings high. Cybercriminals use a so-called zero-day-exploit, an attack that takes place on the same day on which a vulnerability in software is discovered. Experience teaches that companies are too late if they only take action after the zero-day-attack has taken place. The criminal organisation is a supplier in the value chain: the people who write the malware are not the same as the people who send the spam and blackmail companies.

Newsletter Inside NWO-I, April 2021

Confidental Infomation