News item

TU Eindhoven hack highlights urgency of closing basic security gaps

The cyber attack on Eindhoven University of Technology (TU/e) in January was largely due to known vulnerabilities and human errors, a research report by Fox-IT showed. Although the exfiltration of large amounts of data and encryption was prevented by shutting down the network just in time, the week-long shutdown caused significant damage to the university, making it clear that small shortcomings can lead to major disruption.

19 May 2025 | 2 minutes read

The attack

On January 6 of this year, a threat actor connected to a VPN system hosted by TU/e. It used three different user accounts to connect, of which two succeeded. The threat actor seemed to have obtained the credentials for the three user accounts from prior credential leaks available on the dark web, the report notes. As the VPN system was not configured to require multi-factor authentication (MFA), valid usernames and passwords were sufficient for the threat actor to log in successfully.

For the next five days, the intruder was able to quietly escalate privileges and map critical servers. By the evening of Saturday, January 11, the threat actor had gained access to the system account of one of the TU/e domain controllers.

The breach was finally spotted late on Saturday, January 11, when anomalous activity, picked up simultaneously by an alert TU/e admin and the SURFsoc monitoring service, showed the attacker disabling back‑ups, a pre‑ransomware hallmark.

The response

TU/e’s crisis playbook snapped into action within minutes. The university isolated affected segments, summoned Fox‑IT’s FoxCERT team and alerted the SURFcert community. At 01:00 the entire campus network was taken offline: a drastic but decisive measure that prevented both large‑scale data theft and encryption. Digital forensics later confirmed that no systems were destroyed, no ransomware payload ran, and no sizeable data sets left the premises.

Forensics later revealed that while the attacker had been active on TU Eindhoven’s systems before the breach was spotted, those actions escaped detection because they fell outside SURFsoc’s monitoring scope or imitated normal user behaviour. Investigators, with broader data access and tools, identified these earlier traces. The report concludes that the attack might have been caught sooner if SURFsoc had covered additional data sources such as network traffic and had onboarded more monitoring systems.

Lessons learned

The incident shows that rapid coordination, clear decision‑making, and transparent communication can keep a serious breach from turning into a full‑scale crisis. TU Eindhoven’s late‑night response, which included immediately involving its computer emergency response team, taking the network offline, and maintaining a steady flow of updates to staff and students, limited both technical damage and reputational fallout. This shows the importance of having a playbook that links operational incident handlers with a strategic crisis team, rehearsing the “kill‑switch” option, and treating communication as a parallel workstream rather than an afterthought.

At the same time, preventive hygiene would have raised the bar for the attacker and likely shifted detection from hours after privilege escalation to minutes after initial contact. Mandatory MFA for VPN access, tighter password‑reset rules, continuous monitoring of privileged identities and break‑glass accounts, and the onboarding of network‑level telemetry into SURFsoc would have created multiple earlier tripwires. Segmenting networks, hardening backup infrastructure, and sharing fresh threat intelligence round out a layered defence that will turn these isolated lessons into sector‑wide resilience.
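As an added illustration (not part of the news item or of the Fox-IT report), the following Python sketch shows two of the VPN-level tripwires described above, run over a constructed authentication log: a successful login that completed without MFA, and a single source address trying several distinct accounts in quick succession, the pattern left by leaked-credential reuse. The log format, field names, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (assumed format, not real data):
# timestamp  source-IP  username  outcome  mfa=<method|none>
SAMPLE_LOG = """\
2025-01-06T21:02:11Z 203.0.113.7 user.a FAIL mfa=none
2025-01-06T21:02:40Z 203.0.113.7 user.b OK mfa=none
2025-01-06T21:03:05Z 203.0.113.7 user.c OK mfa=none
2025-01-06T09:15:00Z 198.51.100.4 staff.x OK mfa=totp
"""

def parse(log):
    """Turn each log line into a dict with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        ts, ip, user, outcome, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "OK",
            "mfa": mfa.split("=", 1)[1] != "none",
        })
    return events

def find_tripwires(events, window=timedelta(minutes=10), max_users=2):
    """Return (rule, source, detail) alerts for two early-warning rules."""
    alerts = []
    # Rule 1: a VPN session was granted on password alone. With MFA
    # enforced this should never fire; without it, every hit is a gap.
    for e in events:
        if e["ok"] and not e["mfa"]:
            alerts.append(("NO_MFA_LOGIN", e["ip"], e["user"]))
    # Rule 2: one source cycles through more than max_users distinct
    # accounts inside the window (success or failure), the credential-
    # reuse pattern from leaked username/password pairs.
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) > max_users:
                alerts.append(("MULTI_ACCOUNT_SOURCE", ip, ",".join(sorted(users))))
                break
    return alerts

if __name__ == "__main__":
    for alert in find_tripwires(parse(SAMPLE_LOG)):
        print(*alert)
```

Both rules fire on the first three sample lines within a minute of the initial contact, which is the point the report makes: with these signals onboarded, detection would not have had to wait for the backups being disabled five days later.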