Kaiserslautern University of Applied Sciences has been affected by an attack on the IT infrastructure. For this reason, a large part of the IT infrastructure is unfortunately not available at the moment. Encryption has rendered data unusable. Not all functions are directly affected, but all computers and the network have been switched off as a precaution. The IT infrastructure is therefore severely restricted and functions such as e-mail, the homepage and, in some cases, administrative processes are paralysed.

Update 23.06.2023

The university management was informed by the State Criminal Police Office that data was downloaded during the attack on the IT infrastructure and published on the Darknet. This data is being investigated to find out what personal data is involved. For this purpose, the university is working in close cooperation with the State Criminal Police Office. If your data was leaked during the attack on the IT infrastructure of Kaiserslautern University of Applied Sciences, you will be notified by post. We will inform you via this page as soon as the letters have been sent. If you do not receive a notification within the next week, you can assume that you are not affected.

Update 04.07.2023

We will now once again analyse and verify the data, the leak of which is now known to us through the publication on the Darknet. Given the amount of data, this process will take some time. For this, we must once again ask for your patience and thank you in advance for your understanding that no individual requests can be processed in this regard. As soon as we have knowledge of the content of the data, we will again take the necessary and appropriate steps and inform you. We strongly advise you not to download the data leaked on the Darknet yourself, as they are also provided with malware. If you yourself have discovered (by whatever means) that your personal data has been leaked on the Darknet, please contact the university management. There you will receive further information on how to file a complaint. We will inform you immediately if we find out that you have been affected by the leak. We are constantly expanding the FAQ and the information at https://hs-kl-offline.de. If there are any questions that we cannot answer, we will work on solutions and add to them.

The attack was noticed on Thursday, 08.06.2023 and is believed to have taken place during the night of Wednesday, 09.06.23 to Thursday. According to current information, it cannot be ruled out that the attack did not begin at an earlier time.

After the discovery on Thursday, 08.06.2023, the university management immediately called together a task force, which began its work on site in Kaiserslautern on the holiday. As far as possible, all systems were switched off to prevent further damage. In addition, important contacts and organisations were informed about the attack. These include the State Criminal Police Office, the Ministry of Science and Health, our Data Protection Officer and the State Data Protection Commissioner. The university is also in constructive exchange with the BSI, DFNcert, VCRP, ZIT and the university computer centres in Mainz and Kaiserslautern.

The State Cybercrime Unit of the Koblenz Public Prosecutor's Office has taken over the investigation in cooperation with the Rhineland-Palatinate State Criminal Police Office. The university management is working very closely and cooperatively with the specialists from the LKA.

Immediately after the attack was discovered, the university created a website that was already online the next day (Friday, 09.06.2023), where all important information is published and updated daily.

In addition, communication with the authorities and the departments could be ensured with a video conference system. In addition, the telephone system and other systems such as Campusboard, the use of WLAN, the enrolment portal, etc. were reactivated on Friday and will be reported on in the daily status of the day. Students once again have the opportunity to communicate personally with the university via telephone. Colleagues in administration as well as in research and teaching are present at their workplaces and can be contacted personally by students.

In the meantime, general assemblies have been held at all locations to inform the members of the university about the current status and the first steps towards restoring important functionalities and to answer and collect their questions as far as possible. Within further events and via the website, the progress of the measures will be reported.

Members of the university will always be informed immediately via this page whenever there is something worth reporting. It should be noted that reliable information is only communicated via this page.

The university is in the process of systematically rebuilding the IT infrastructure. The review of the employees' workstations has begun. To this end, teams at all locations are examining the devices for possible damage. Immediately afterwards, this service will also be offered to students.

Update 23.06.2023

If your data was leaked during the attack on the IT infrastructure of Kaiserslautern University of Applied Sciences, we will notify you by post. We will inform you via this page as soon as the letters have been sent. If you do not receive a notification within the next week, you can assume that you are not affected.

Update 04.07.2023

We will now once again analyse and verify the data, the leak of which is now known to us through the publication on the Darknet. Given the amount of data, this process will take some time. For this, we must once again ask for your patience and thank you in advance for your understanding that no individual requests can be processed in this regard. As soon as we have knowledge of the content of the data, we will again take the necessary and appropriate steps and inform you. We strongly advise you not to download the data leaked on the Darknet yourself, as they are also provided with malware. If you yourself have discovered (by whatever means) that your personal data has been leaked on the Darknet, please contact the university management. There you will receive further information on how to file a complaint. We will inform you immediately if we find out that you have been affected by the leak. We are constantly expanding the FAQ and the information at hs-kl-offline.de. If there are any questions that we cannot answer, we will work on solutions and add to them.

Die Hochschulangehörigen werden immer umgehend über diese Seite informiert werden, wann immer es etwas Berichtenswertes gibt. Hierbei ist zu beachten, dass lediglich über diese Seite verlässliche Informationen kommuniziert werden. Zudem wird allen sehr ans Herz gelegt, die Informationsveranstaltungen der Hochschulleitung und Fachbereiche, die an allen Hochschulstandorten abgehalten werden, zu besuchen.

Bei Sorgen und Fragen stehen die Vorgesetzten, Professor*innen sowie Dekanate unmittelbar zur Verfügung oder leiten diese ggf. an die Mitglieder der Hochschulleitung weiter.

All IT devices that were included in the Windows domain or had access to network drives via VPN at the time of the attack are at risk of virus infection. Therefore, a large part of the IT infrastructure at Kaiserslautern University of Applied Sciences is unfortunately not available at the moment. This includes e-mails for students, the homepage, and administrative processes in some places.

Update 06/23/2023

In the meantime, some systems are running again, including:

• Campusboard: campusboard.online
• Seafile: seafile.rlp.net
• ICMS: icms.hs-kl.de
• QIS: qis.hs-kl.de
• Big Blue Button: bbb.rlp.net
• Panopto: video.hs-kl.de
• OWA- Webmail: mail.zdv.net
• Important administrative processes (procurement, payment of bills...) are running again, but still with limited capacity.
• Enrolments are possible again.
• The student administration is able to work on site and support students: Lists of participants, certificates can be created and printed out again.
• Employment contracts can be concluded.

OpenOlat, Seafile, BigBlueButton are not affected. Apple devices as well as devices with the Linux operating system are most likely not affected either.
In addition, we were able to get some systems working again last week. These include:
1. campusboard.online
2. important administrative processes (procurements, payment of invoices...) with limited capacity
3. enrollments are possible again
4. student administration is able to work on site and can support students (lists of participants, certificates can be created and printed again)
5. employment contracts can be concluded

The university management was informed by the State Criminal Police Office that data was downloaded during the attack on the IT infrastructure and published on the Darknet. This data is being investigated to find out what personal data is involved. For this purpose, the university is working in close cooperation with the State Criminal Police Office. If your data was leaked during the attack on the IT infrastructure of Kaiserslautern University of Applied Sciences, you will be notified by post. We will inform you via this page as soon as the letters have been sent. If you do not receive a notification within the next week, you can assume that you are not affected.

Update 23.06.2023
The university management has been informed by the State Criminal Police Office that data was downloaded during the attack on the IT infrastructure and is published on the Darknet. This data is being investigated to find out what personal data is involved. For this purpose, the university is working in close cooperation with the State Criminal Police Office. If your data was leaked during the attack on the IT infrastructure of Kaiserslautern University, you will be notified by mail. We will inform you via this page as soon as the letters have been sent. If you do not receive a notification within the next week, you can assume that you are not affected.

In most cases, files appear which one does not know and/or have an unusual extension. Own files are no longer found or are encrypted. If a virus scanner finds threatening files with the extension "fury.exe", the device is most likely affected. However, we cannot exclude the possibility that other virus variants also exist. In any case, carry out a virus scan and also be vigilant with regard to other viruses.

The device should be immediately removed from the network and switched off. Please do not shut down, but unplug/ remove battery or if not possible hold the ON/OFF switch for a few seconds.

So far, no virus scanner can be recommended that provides 100% reliable protection. However, the following scanners give quite reliable hits according to our knowledge:
ESET for CD or USB stick: https://www.eset.com/de/support/sysrescue/
DESINFECT (contains eset, clamav (open source solution) and others): https://www.heise.de/download/product/desinfect-71642

Sophos: https://home.sophos.com/en-us/employee

Update 06/23/2023

We are working on being able to provide guidance on this soon and, if you are unsure, we will soon be able to set up service points to examine your private devices.

Update 06/28/2023

To use the scanners, we have set up a Seafile folder for you, where we provide a free online solution for scanning as well as instructions. You can see the link to this on the notices at the respective locations as well as ask in your deaneries. Please support each other, surely there are some IT-savvy students among you who will help your fellow students with scanning. The Unix-AG also offers its support.

At the same time, we are working hard to make sure that you will soon be able to use the scanner Desinfect for free and will provide you with USB sticks via the dean's offices (as long as supplies last). We will inform you via this page as soon as the USB sticks can be handed out.

Update 07/04/2023

To use the scanners, we have set up a Seafile folder for you, in which we provide a free online solution for scanning as well as instructions. You can find the link to this in the portal at icms.hs-kl.de (login required, please collect your initial passwords!) as well as ask in your deaneries/at the International Office of Student Affairs. At the same time, free and reusable USB sticks with the virus scanner Desinfect will be available to you from now on, which you can request via the deaneries, at the International Studienkolleg and Asten (while stocks last). Please support each other in this, there are certainly some IT-savvy students among you who will give your fellow students a hand with scanning.

The virus scanner looks for malware, not for encrypted files or PDF files with threats. Since malware often deletes itself after the work is done, the virus scanner may find a clean system, even if data on the computer was compromised (possibly at a much earlier time). An indication of the time of encryption can be the file date, which is displayed in the file details. In Windows, it may help to disable "Hide known file extensions" in the file manager to better identify the encrypted files. Encrypted files are no longer usable, but they are not infectious either.

This is a new type of virus and not much is known about its distribution. Among other things, it spreads via the network in a kind of "Domino structure". If cloud services were also integrated on an affected computer (such as a Dropbox), the virus may also have been passed on there. However, we cannot rule out any other method of spreading at this point.

The risk of infection is low, but cannot be completely ruled out. The OLAT & Seafile servers are not located at the university. All folders have been checked for viruses by the operators and are therefore safe.

Yes, USB sticks or hard drives can also be infected with the virus.

We publish contact persons on this page, but you can also contact your Dekanat office, the IT officers in the departments, and the employees of the computer center.

As soon as new access data is ready for collection, we will inform you about the further procedure.

Update 28.06.2023
Employees and students can use the internal services again. However, this is only possible after changing the initial password. Please refer to our notices dated 13.06.2023 (for employees) and 25.06.2023 (for students) under Home page. Please also inform yourself regularly about the latest developments via this page

This question is difficult to answer comprehensively, because there are several ways. One way is to restore the data by performing a back-up beforehand. If you have further questions in this regard, please contact a contact person in your Dekanat office, the EDV officers or the computer center.

The State Office of Criminal Investigation is currently determining which data is affected by the data leak and the sale on the Darknet. If a specific case becomes known, those affected will be informed individually by post or (if already set up) by email. In addition to current and former students and employees, the data theft may also affect third parties who will also be informed. If you do not receive a notification within the next few weeks, you can assume that you are not affected. We will also communicate here when the notification is completed so that there is clarity for you here.

Update 06/24/2023
The letters to those affected by the attack on the IT infrastructure of Kaiserslautern University of Applied Sciences, whose data was leaked and published on the darknet, were sent today by registered mail. If you do not receive a notification within the next week, you can assume that you are not affected. We will also find out next week from the State Criminal Police Office whether any other data packages have been published on the Darknet. We will inform you about this here on this page.

Update 27.06.2023
We have been informed by the LKA that the auction for our stolen data on the Darknet is closed. One and/or more buyers of a part of the data have been found and the perpetrators seem to have handed over the data. The part of the data that was not sold has now been published on the darknet for download. We will now re-analyze and verify the data whose leak is now known to us through the publication on the darknet. This process will take some time given the amount of data. For this we must again ask for your patience and thank you in advance for your understanding that no individual requests can be processed in this regard. As soon as we have knowledge about the content of the data, we will again take the necessary and appropriate steps and inform you.

If it is determined by the State Criminal Police Office that your personal data has been affected, you will receive, in addition to the general notification, a description of how you can file a complaint (against "unknown" - i.e. against the hacker group). This is very important in relation to the possibility of (future) identity theft and can only be done by you personally. A class action by the university is not possible in this case. Main proceedings to the detriment of Kaiserslautern University of Applied Sciences have been opened at the General Public Prosecutor's Office in Koblenz in cooperation with the State Criminal Police Office of Rhineland-Palatinate. Upon receipt of the letter, you will be informed of the current case number at the police and the file number at the General Public Prosecutor's Office, to which you should refer.

The university stores the data you provide when you enrol. This includes your personal data such as your full name and address. The Internationales Studierendenkolleg also has copies of your ID card on file. Bank details may also be stored, as they are provided by staff in the context of business travel expenses and by students who receive a scholarship.
If your data is published or sold, we will inform you by post with the further procedure. For this purpose, we ask you, if you can no longer be reached at your current postal address in the next few months, to leave your updated address with the Student Secretariat.

We strongly advise against researching, opening or downloading files on the Darknet yourself. The files published on the Darknet may contain hidden malware or malicious programs that may not be detected by common virus scanners.

If you are unsure, in accordance with the recommendation of the German Federal Office for Information Security (BSI), you can also use the following internet portals to find out whether personal access data has been published in known leaks using your email address:
- HPI Identity Leak Checker (German): https://sec.hpi.de/ilc/
- haveibeenpwned.com (English): https://haveibeenpwned.com/

Dear students, as you are currently not able to use a university e-mail address, you would have to log in with a private e-mail address. If you receive an alert from one of these portals, it means that this email address has been published in one or more data leaks. A hit here does not necessarily mean that the data leak is connected to the incident at Kaiserslautern University. You are probably now asking yourself what you can do personally to protect yourself in the future.

• Change the passwords for your online services.
• Check whether settings in your online accounts have been changed. Critical would be, for example, automatic forwarding of messages to what you consider to be foreign e-mail addresses or added fallback options such as telephone numbers for resetting passwords. Correct these settings.
• If your IBAN could be affected, check the payment flows of your bank accounts. Third parties have only limited possibilities to use a foreign IBAN (e.g. debit money by direct debit). In this case, you can have the money reversed within 13 months.
• If you have activated the online function of your identity card, you can have it deactivated by the relevant residents' registration office - as a security measure.
• See also the information from the Federal Office for Information Security (BSI) "Identity theft - help for those affected".

No, a preventive report is not necessary, as the crime (decryption and sale/publication of data) has not yet been committed. You will only be informed with our previous file number if your data is published.

It cannot be ruled out that bank data has also been leaked. It is always advisable to keep an eye on your account transactions. It is also advisable to change passwords that have been used privately as well as in the student network.

The hacker group currently also engages in "social engineering" - i.e. members of the university are contacted via social media, for example, with the aim of obtaining further confidential information or exerting pressure. Every social engineering attack begins with extensive research work on the Internet, especially via social media channels such as LinkedIn, Facebook and Twitter. Preferably, information on profile, hobbies, future plans or work projects is collected. Social engineers can be very friendly and sociable. By pretending to know something about the company, they contact the appropriate people until they reveal the information they are looking for. If you are affected by this, we ask that you NEVER act on it and report the cases directly to the university management. The LKA will investigate the matter.

Currently, we assume that the email inboxes are also affected.

Only if they know the password that protects the private keys. If you have to enter a password when signing or reading encrypted mails, then it is well protected. Mails that are encrypted with the user certificate (of the recipient) are also stored encrypted on the server and also after the download, and thus are not affected by the leak. If you are unsure, you can also request a new certificate via https://cert-manager.com/customer/DFN/idp/clientgeant. This is now easier than before, since you can authorize yourself via Shibboleth and no longer have to show your ID.

• Change passwords (business and personal).
• Check account transactions regularly.
• Keep the antivirus program on the private PC and updates of the operating system up to date. Activate the firewall there as well.
• Be alert if

- Your bank reports suspicious credit card payments.
- your contacts notice that spam is being sent from your address.
- Logins do not work, although the data is correct.
- Devices such as your PC, laptop or cell phone have a greatly increased battery consumption.

Further information is available from the consumer advice center at
https://www.verbraucherzentrale.de/wissen/digitale-welt/apps-und-software/schadprogramme-welche-es-gibt-was-sie-anrichten-wie-sie-sich-schuetzen-68892
can be found.

The University of Applied Sciences would also like to point out that if you notice any irregularities in connection with your data, please contact the police station responsible for you immediately or report the matter via the online watchdog (https://www.polizei.rlp.de/de/onlinewache/).
General information on the possible consequences of identity theft and relevant tips on how to behave can be found at:

• cyber security mdi.rlp.de
• BSI - Advanced search (bund.de)
• BSI - Methods of cybercrime (bund.de)
• BSI - Digital consumer protection - safe use of information technology (bund.de)
• https://www.sicher-im-netz.de/dsin-f%C3%BCr-verbraucher
• https://www.polizei-beratung.de/themen-und-tipps/gefahren-im-internet/
• https://kriminalpraevention.rlp.de/de/unsere-themen/cybersicherheit/
• https://sec.hpi.uni-potsdam.de/ilc/

In this case, we would like to recommend in detail that you report the incident with regard to the "theft" of your personal data. You can also do this online at https://www.polizei.rlp.de/onlinewache. Upon request to the university management, you will receive further information on how to file a complaint.