The University of Cambridge is consistently ranked among the world’s top universities, with its medical school and vast research facilities among the very best. But for the past month, staff at the prestigious medical school have had their work hampered following “malicious activity” on its computer network.
An emailed “staff notice” seen by WIRED, believed to have been sent at the end of February, alerted staff to the disruption and said the university was working to get systems back online as soon as possible. However, weeks later, the incident is still ongoing, and little information has been made public about its nature.
“IT services provided by the Clinical School Computing Service (CSCS) have been disrupted by malicious activity,” the email reviewed by WIRED says. “We appreciate that some staff and students are experiencing significant disruption to their work and studies, and we are grateful for their patience and understanding.”
The university has confirmed to WIRED that its systems have been affected and that some services have deliberately been shut down. Although it claims to have “contained” the incident, the disruption is ongoing and it may take some time to finish the investigations. None of the data has been stolen, the university asserts. The UK’s national cybersecurity agency and its data regulator are also examining the situation.
An email sent to staff last month stated that a “Critical Incident Management Team” had been formed to manage the response. According to the email, at the time it was sent, there was no access to the local IT network and Wi-Fi, and the wired internet had been disconnected in the affected buildings, with the Wi-Fi scheduled to be restored that same day.
The CSCS provides IT support to the staff and researchers of the university’s School of Clinical Medicine. An archived version of its website says that there are over 5,800 devices on its network, and the team offers computers and servers to the staff. The email viewed by WIRED indicates that the CSCS also serves the Department of Zoology; the Sainsbury Laboratory, which focuses on plant studies; the Stem Cell Institute; and the Milner Institute of the School of Biological Sciences, which investigates developing therapies. The incident has affected them all.
A University of Cambridge spokesperson confirmed the incident to WIRED, revealing that “malicious activity” was detected on the Clinical School Computing Service last month. “We reacted immediately to contain the incident including voluntarily shutting down some systems,” the spokesperson announced in a statement. “Therefore, some services are still experiencing interruptions.”
It is not clear what the “malicious activity” entails or whether the activity is an attack by criminal hackers or an incident of a different nature. Multiple staff members at university departments did not respond to questions sent by WIRED about whether their work or research had been disrupted, or they directed questions to the press office as they are not authorized to speak about the incident.
The university spokesperson did not describe the nature of the problem; however, they said a business continuity plan has been implemented to minimize disruption, and all of the other university and college IT systems are working as normal and are not impacted. “This will likely take some time to complete,” the spokesperson said of its ongoing investigation. “Investigations have found no evidence that data has been taken or transferred without authorization. We have also received third-party assurance that the incident is contained.” They say the situation has moved on since the email seen by WIRED was sent, and it is not possible to characterize the level of disruption across all departments.
Written by: Aarian Marshall
Co-Author: Stephen Ornes
Chris Baraniuk
Peter Guest
While little is known about the current “malicious activity,” the University of Cambridge was among a number of academic institutions, including the University of Manchester, hit by a distributed denial-of-service attack on February 19. Hacktivist group Anonymous Sudan claimed responsibility for the DDoS incident—it is unclear whether the ongoing outage is linked in any way. The day after the DDoS, the Clinical School Computing Service posted on X that the disruption to the network appeared to be “largely over,” and a university spokesperson said that normal service “should now be restored” for centrally managed IT services.
The UK’s data regulator, the Information Commissioner’s Office, tells WIRED that the University of Cambridge had made it aware of an incident and that the regulator is “making enquiries.” Meanwhile, a spokesperson for the UK’s National Cyber Security Centre says it is “working with the University of Cambridge to fully understand the impact of an incident.”
The university’s status page for IT issues lists the vast majority of services as being online, with replacements taking place for some routers on its wireless networks. However, at the time of writing, the website for the medical school displays only basic contact information, and the CSCS website appears to be offline and inaccessible. A newsletter from the Stem Cell Institute, sent on February 27, acknowledged there had been “some IT issues on campus” and that it was postponing a seminar as a result. More recent newsletters from the Institute do not reference the issues.
The email sent to staff and seen by WIRED recommended people follow best security practices, including using multifactor authentication for accounts and using strong passwords, and advised that people change their passwords immediately if they receive a notice saying someone else has logged in to their account from another device.