Two AU researchers were linked to suspected attacks on critical IT systems

At the beginning of August, all staff at the Department of Molecular Biology and Genetics received an email containing three surveillance photos showing two people in a corridor in AU IT. Staff were asked to report back if they recognised the people in the photos. At AU IT, staff had grown concerned that the two individuals might be planning an attack on sensitive data. The matter had been reported to the police, according to the email.

A few minutes after the email was sent, a reply popped up – also sent to everyone – from a lecturer at the Department of Molecular Biology and Genetics. He stated that it was him and his colleague in the surveillance footage and that they had entered the IT department to find a specific cable for some equipment. The department is located in the same building as AU IT. He informed that they had spoken to a staff member there. The associate professor was now wondering why it was suspicious that they were there and why no one had asked around before reporting it to the police, as he wrote in his email. 

Granted access by mistake

Several staff members at the department have expressed the same concerns, according to emails seen by Omnibus. How did two AU researchers end up briefly linked to a suspected IT attack after surveillance photos of them were circulated in a department-wide email warning of a possible threat to sensitive data at AU IT?

The answers can be found with the deputy director of AU IT, Peter Bruun Nielsen. He explains what happened in the situation and why things turned out the way they did. 

The two researchers aroused suspicion because it is in itself suspicious when two outsiders are unaccompanied inside AU IT, Peter Bruun Nielsen explains. Especially on the second floor, where the critical IT systems are located. He says that AU IT has never experienced an incident like this before. 

The two researchers were mistakenly granted access to the otherwise locked second floor. They had called the door phone and got through to IT support on the first floor. When the IT employee, who was also answering the support phone, saw that there happened to be two people standing in front of the door on the first floor, he mistakenly thought that they were the ones who had rung the doorbell and therefore opened the door. Instead, this opened the door on the second floor, where the two researchers had actually rung the bell. The two researchers walked around on their own through the otherwise empty corridors during the summer period until they passed an office where a staff member was working. The employee explained that they were not allowed in the department as it was off-limits to outsiders, and offered to show them out. Although the staff member did not ask them to identify themselves at the time, he later grew suspicious about who they were and why they had entered the department. 

A more extensive investigation was then launched to determine who they were. For data protection reasons, AU IT is not permitted to access the video surveillance system, but a trusted staff member at AU Estates Projects and Development is authorised to do so. The surveillance footage shows the two researchers out of view for a minute and a half while they are near the room where critical systems are being operated This again aroused suspicion. The matter was reported to the police because AU requires police permission if others are to view the surveillance footage, deputy director Peter Bruun Nielsen explains. When a staff member at the department viewed the surveillance footage later and was unable to recognise the two researchers, Peter Bruun Nielsen decided that a broader search was necessary. At this point, two days had passed since the suspicion arose. The information security manager was involved, and the university director had also been informed about the matter. 

"We made every effort to identify the two individuals before it was decided to circulate the images. Most members of the department’s management team were on holiday, so we could not expect a quick response from the managers. "I felt it was necessary to share the photos with everyone in the department to get a swift clarification," Peter Bruun Nielsen says, and elaborates:

"I completely understand that it might seem drastic, but we needed to find out who they were. In hindsight, painfully clear as it is, I could certainly have wished it hadn’t been necessary. But I cannot rule out that we may find ourselves in a similar situation again. This is a serious matter, and we take security very seriously," Peter Bruun Nielsen says. 

International background 

The incident at AU comes at a time when there is increased focus on security at universities and the threat posed by espionage, for example. Since November last year, Russia, Iran and China have been designated by the Danish Security and Intelligence Service as risk countries, and a number of guidelines have been introduced at AU in this connection. The threat prompted the Danish Security and Intelligence Service to launch a new campaign at Danish universities to make researchers and staff aware of the espionage risk on campuses across the country. Many of the campaign posters are still hanging in the university's corridors and on doors, with slogans such as: "Your research can make a difference. Even in the wrong hands." The campaign was met with criticism from several university staff members, and at the University of Copenhagen, 181 people called the campaign "explicitly racist." 

The two researchers who appeared in the surveillance images that were circulated both have international backgrounds. The fact that international researchers have been linked to suspected IT attacks has sparked criticism among employees at the Department of Molecular Biology and Genetics. In emails sent to everyone at the department, it has been called racist and xenophobic, among other things. 

Peter Bruun Nielsen rejects this notion. 

"I can categorically deny that. I don't want to belittle people's feelings in any way, but I will say categorically that we would have acted in exactly the same way, regardless of who was on the surveillance footage," he says.

Peter Bruun Nielsen points out that neither the background nor the nationality of the two researchers was known before their identities were established. Anyone who is unaccompanied will arouse suspicion if they are in that specific area of AU IT.

"It is a security breach, and it was treated as a security breach. Regardless of how people look and what language they speak, we need to stay alert. "I truly value the university as an open space, and I understand that openness is crucial for research to flourish, yet we need to stay alert because we handle highly sensitive matters," the deputy director says. 

"They have naturally faced a strong response to the incident"

Peter Bruun Nielsen has sent an email to the department's staff explaining why the situation was handled as it was. The deputy director has also met with the two researchers, who were affected by being subjected to suspicion. 

While the associate professor has been at Aarhus University for a number of years, he has been based elsewhere at the university, which is why the employee at the department who saw the surveillance footage did not recognise the researcher. The other researcher has just joined the university. 

The associate professor, who does not wish to be named in the article, writes in an email to Omnibus:

"It was an unfortunate but avoidable mistake. I am optimistic that management will take the necessary steps to ensure that sensitive issues such as this are handled more discreetly in future," says the associate professor, who does not wish to comment further on the matter.

Head of the Department of Molecular Biology and Genetics Claus Oxvig expresses regret that the incident resulted in surveillance photos being shared with all staff, he explains.

“At the same time, it is important to remember that no one reacted with the intention of hurting others. Many have spoken with those directly and indirectly affected – both to express regret and apologise for the incident and to establish an understanding of what happened. The two staff members who were directly affected have naturally faced a strong reaction to the incident, and several people have subsequently expressed their sympathy in writing. The incident has shown that we care about each other – that's an important and positive view on the matter amid all the sadness," Claus Oxvig says. 

Like the deputy director, he rejects the notion that the incident had anything to do with the researchers' background. 

Procedures must be tightened up

Even though it turned out to be two AU researchers who were just looking for a cable, it could potentially have been people from outside the university with malicious intentions who had gained access to the department. Deputy director Peter Bruun Nielsen acknowledges that a number of mistakes were made in handling the incident, which has now prompted AU IT to take a closer look at its procedures, he says. The department must determine how to prevent individuals from entering unaccompanied again. 

"This incident highlights the need for us to tighten our procedures. As management, we need to stress that staff should ask outsiders to identify themselves, and in the future we must ensure that outsiders cannot accidentally be granted access to the second floor. In addition, we need to check whether our signage is clear enough. Outsiders must be absolutely clear that they cannot enter unaccompanied," says Peter Bruun Nielsen, who has asked the information security manager to suggest measures to tighten procedures.

"The staff member should have asked them to identify themselves, and this is something we need to work on. That did not happen, and we as management have not been clear enough about that, and we need to be," the deputy director says. 

In addition, the follow-up process that takes place once a suspicion arises will need to be thoroughly reviewed. 

"We also need to formalise this better. For example, what circumstances would prompt us to request surveillance footage. "We’re not clear on that," Peter Bruun Nielsen says. 

He emphasises that the department has not experienced similar incidents before, and that it is only now that these shortcomings have been noticed. 

The deputy director also acknowledges that it may be necessary to make university staff aware of the procedures. For example, that a police report must be filed before access to surveillance images can be granted. 

The incident has also given food for thought at the Department of Molecular Biology and Genetics. 

"We will certainly review and discuss the risks of espionage, along with the so-called URIS guidelines, to ensure they do not have a negative impact on our work environment. We all want a world without these, but we also have to deal with reality," department head Claus Oxvig says, and continues:

The department has staff from many different cultures. It is enriching, and we all greatly appreciate it. However, this incident and its aftermath also demonstrate that we must always be mindful of how we communicate and interact with each other. There is definitely something here that our entire department can work on,” Claus Oxvig says. 

This text is machine translated and post-edited by Cecillia Jensen