Ransomware Attack on Cambridge University Press & Assessment by INC Ransom

Overview of Cambridge University Press & Assessment

Cambridge University Press & Assessment (CUPA) is a globally recognized institution affiliated with the University of Cambridge. It aims to advance learning, knowledge, and research worldwide. CUPA is a merger of two historically significant entities: Cambridge University Press and Cambridge Assessment.

Established in 1534, Cambridge University Press is the world's oldest publishing house and one of the largest academic publishers, producing a wide range of academic and educational materials, including books, journals, and digital resources. Cambridge Assessment is a leading international exams group that designs and delivers assessments to over eight million learners in more than 170 countries.

In the 2022-23 fiscal year, CUPA achieved £1 billion in revenue for the first time and reached 100 million learners worldwide. The organization employs over 3,000 people and has a global presence with offices in the UK, US, Argentina, and Australia.

Details of the Ransomware Attack

On June 27, 2023, CUPA was targeted by the INC Ransomware group, leading to significant technical disruptions in their publishing operations. The attack resulted in a temporary loss of email access for some employees, although efforts are underway to restore it. The ransomware group published stolen documents, including supplier invoices and service contracts, as proof of their breach on June 24.

This attack is part of a series of cyber incidents affecting Cambridge University this year, with previous targets including the Medical School, University Library, and University servers. CUPA has taken some systems offline and engaged external IT and forensic experts to investigate. Despite the disruption, most customer-facing platforms remain operational, and the current exam series is unaffected. The investigation, involving external experts and the UK's National Cyber Security Centre, is ongoing.

Profile of INC Ransom

INC Ransom is a highly sophisticated cybercriminal group known for its targeted ransomware attacks on corporate and organizational networks. The group employs advanced techniques like spear-phishing campaigns, exploiting vulnerabilities such as CVE-2023-3519 in Citrix NetScaler, and using both Commercial Off-The-Shelf (COTS) software and legitimate system tools for reconnaissance and lateral movement within a network.

Potential Vulnerabilities and Penetration Methods

Cambridge University Press & Assessment, like many large organizations, faces several vulnerabilities that could be exploited by threat actors such as INC Ransom. The group's sophisticated techniques, including spear-phishing and exploiting known vulnerabilities, make it challenging for even well-secured organizations to defend against their attacks. The temporary loss of email access for some employees suggests that the initial penetration could have been through a phishing campaign targeting staff members.