OZON2021 cyber crisis exercise: knowledge sharing went well, national crisis coordination needs attention
The evaluation of OZON 2021 shows that in comparison with previous editions, the participants shared information more quickly and more through existing channels. In addition, the institutions, together with the education umbrella organisations, also initiated joint coordination of the crisis. Nationwide coordination of the crisis did not occur.
Extra special edition because of corona
On 18 March 2021, the third sector-wide cyber crisis exercise for education and research took place. Because of corona, this was an extra special edition: many participants took part in the exercise from home. The participants rated the exercise with an 8.
Exercises lead to better crisis management
Institutions that have previously participated in OZON have seen improvements in their internal crisis management compared to previous exercises. More institutions have also drawn up official crisis procedures for a cyber crisis. However, relevant staff members were not always familiar with these procedures.
Crisis analysis most challenging: impact differs from institution to institution
Analysing the crisis proved to be the biggest challenge because of the enormous amount of information and because the impact of the crisis varied from one institution to another. As a result, participants found it difficult to ascertain what exactly was going on within their own institution and to compare it with the impact at sector level.
A number of recommendations from the report:
In order to properly coordinate a major crisis at the national level, it is necessary to make the responsibilities of the umbrella organisations, the Ministry of Education, Culture and Science and SURF more explicit.
Good image forming, judgment and decision-making (the PDO procedure) is a major challenge in any crisis. This applies to an even greater extent in a cyber crisis, because for a long time it may be invisible and elusive what exactly is going on. So sufficient knowledge within the central crisis management team and at operational level is required to interpret the situation. SURF will organise joint sessions and training courses on these subjects.
Many institutions have now incorporated cybercrises into their central crisis management procedures. However, there is still a great need for sharing material to improve these procedures and tools.
Large-scale exercises, such as OZON, help to raise awareness and to live through the entire crisis process. But it is also important to keep doing smaller exercises in between.
The next edition of OZON will take place in spring 2023.
Report of the day: who will stop the hackers from Guilder?
From one moment to the next, students can no longer log in anywhere. Networks of educational and research institutions are down. And confidential student data is being offered for sale on the Internet. What is going on here? Cybercrisis exercise OZON 2021 has started! Read the report of this exercise day.
1,000 participants practice a cyber crisis
Thursday morning, 18 March, 9 a.m. sharp. The countdown is on and then the starting e-mail goes out to all participants of OZON2021. This marks the start of the largest cyber crisis exercise in Dutch education and research. 1,000 participants from a total of 65 institutions are getting ready for an instructive day full of tension and stress, in which they will have to deal with a major, as yet unknown cyber crisis. The main objective is for institutions to find out how they respond to such a crisis, whether they are properly prepared and how cooperation within the sector works. And then learn from them.
The starting signal causes little commotion in the war room at SURF, in contrast to the previous editions, in 2016 and 2018. Because of corona, only SURF employees are present at the SURF office; the participants (1,000 people in total) are at home or at their institutions. Charlie van Genuchten, OZON project leader: "For us as an organisation, it's completely different from other years: we're here now with 20 people, normally about 70 representatives of institutions are also present here and it's really a frenzy. Now it's a bit quiet.
9.30 am - The online commotion is no less. A central part of the exercise is the media simulator. Fake tweets and news items related to the exercise start appearing. Students and staff members from various institutions tweet that their email is not working, or that they cannot log in to the electronic learning environment. What is going on?
Charlie van Genuchten: "We have put together a nice scenario for the participants. A fictitious state actor, Guilder, is going to attack Dutch education and research today". What exactly is going on?
Guilder takes revenge on Dutch education and research
Guilder is a small country on the edge of Europe. It is tightly controlled by a dictatorial regime, but is angling for EU membership. The country is home to two major IT players: Topaz366, a large cloud service provider and Elderberry, one of the world's largest network hardware manufacturers. Dutch educational and research institutions use these services and products from Guilder en masse.
For a number of years, relations between the Netherlands and Guilder have been strained for political reasons. The high point was the research report by the University of Harderwijk about alleged human rights violations in Guilder. Guilder's regime is not happy with this and seeks revenge: on 18 March, three days after the report was published, it wants to paralyse Dutch education and research, starting with Harderwijk University. But of course, the participants do not know that yet this morning.
This morning, however, a confidential memo from the AIVD was sent to administrators of institutions because of the tense situation with Guilder. The memo contains the advice to view all hardware and cloud services originating from Guilder as threats, and to take them out of service as quickly as possible. At the administrative level, the alarm bells have therefore gone off at the institutions.
University of Harderwijk hacked
10.00 - Students continue to report login problems via social media, helpdesks respond that they are investigating the problems. On the mailing list of SCIRT, the community of security specialists at educational institutions, people are asking each other and SURF for help: do others have the same issues? Does SURF already know more about the cause of the problems?
Not only has the University of Harderwijk been hacked, but other institutions have also been affected. Malware is spread via the cloud applications and infected firmware is installed on routers from Guilder. Via both routes, hackers can gain access to the institutions' networks, with the aim of destroying systems. These hackers, a collective that calls itself Hidden Dragon, are directly linked to Guilder's regime. But that information is not there for the taking, the participants have to find out for themselves.
10.30 am - Simon Kort, member of the OZON technical team is satisfied: "It's going well. Participants want to share information with each other, but don't know exactly which channels to use. And they are diligently searching for the truth. There is correct information going around, but also incorrect information. What is true? Is it true, for example, that Guilder's regime is behind all these attacks, as suggested in the press? They are busy." Technically, things are also going well: "We now see that institutions want to block the IP range of the country Guilder, because that is where the hack seems to come from. But the hackers aren't there, so that won't work!"
Journalists make things difficult for spokespersons
11.00 - The 'journalists', in reality employees of SURF, have now set to work. They have been 'hired' to call spokespeople at institutions to ask for clarification of the situation. Do you also have software from Guilder? How big is the impact? Can students still take exams? And these journalists bite, they don't just let go at the first rebuff. William van Santen plays one of the journalists: "Of course, we get different responses. One spokesperson answers my questions directly, another is more defensive. The trick is to keep asking until you have the information you want. For us it is not only fun but also educational. His colleague Alexander Wisse adds: "As an NOS journalist, I was given a professional answer just now but did not get any answers; the spokesperson I had on the line would call back. I wonder if she will actually do that.
2.00 pm - There is still great distress among students and employees of educational and research institutions. They can no longer log in to online work environments, but it also appears that user names and passwords are being offered on the internet, and people are being paid salaries by institutions where they do not work at all.
3.00 pm - The confidential memo from the AIVD to the administrators is leaked to the press, and questions are put to the Minister of Education, Culture and Science: among other things, people ask why institutions still use products from Guilder, while this dependence has been seen as worrying for years. So the participants at the strategic level are also put to work. Charlie van Genuchten: "One of the things we want to test with these questions in Parliament is whether the Ministry of Education, Culture and Science and the educational umbrella organisations and institutions know how to find each other. And that appears to be the case: a joint statement appeared on the media simulator at 1.30 p.m.".
3.15 pm - Paul Melis, also one of the 'journalists', notices that the press officers are getting better at their roles. "This morning, most of them were surprised when we called, and reacted uncomfortably. But this afternoon, they are calmer, and respond a lot more confidently to my calls. It's nice to see such a development."
3.30 pm - Jeffeny Hoogervorst, a member of the OZON technical team, explains that the participants are getting the crisis under control technically. "Almost all of them have discovered the malware that has been spread and are investigating it. They are also examining their routers, as these are also from Guilder. And they are working with the indicators of compromise (IoCs) shared by SURFcert, SURF's computer emergency response team (CERT). So the participants are well under way! Indicators of compromise? Those are IP addresses, files or other characteristics that may indicate that a system is infected."
Interesting and informative
5.00 pm - The exercise has come to a close. All players have worked very hard and it is time for a well-deserved snack and a drink. Charlie van Genuchten already has some initial observations. "We have received positive reactions from the participating institutions. A lot happened on the media simulator, it was technically sound, and all the participants and SURF colleagues worked enthusiastically. Of course, we'll be evaluating the day in detail to determine the lessons learned, but I can already say that it was another interesting and instructive exercise. On to OZON 2023!"