We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.


Warnings were issued over a log-in system used by Cork university in weeks before cyber attack

MTU has not confirmed the cause of the attack.

GLOBAL WARNINGS ABOUT a weakness in a virtual computer system used by Munster Technological University were issued just weeks before it was targeted by a Russian hacker group.

ESXi VMWare, a virtual desktop programme, offers a way for people working on individual computers and laptops to log in through an online cloud – as if they were on campus. 

Although no link between the hack and the warnings has been confirmed, alarms were raised globally on 31 January and 6 February after hackers had found a way into the system. 

The Irish National Cyber Security Centre issued its specific warning last Tuesday, 7 February. 

It said, “Attackers are exploiting ESXi servers worldwide to deploy ransomware.”

It warned that after gaining initial entry, hackers may then have the ability to “remotely execute code on the exploited systems” and “carry out data theft, operational disruption, ransomware and denial of service”.

A spokesperson for Munster Technological University said: “MTU has not confirmed or commented on the root cause of the ransomware attack on it at this time or whether it is linked to any ESXi vulnerability.”

Sources have said that while ESXi VMWare has been attacked in recent weeks, a fix had been applied to the MTU systems following a previous warning two years ago.

The current VMWare warning is focused on end users who did not apply a patch which solved a vulnerability. 


Brian Honan, a former cyber security advisor to Europol and current CEO of BH Consulting said that ESXi could have been an issue for MTU but that it is difficult to be definitive at this stage of the investigation. Speaking to The Journal, he said the simplest explanation for breaches is often the correct one – an inadvertent downloading of data. 

“The ways these ransomware gangs break into organisations is either via email, so using phishing, using links in the email or attachments in an email to compromise the organisation, or by compromising their remote access gateways.

“ESXi had a vulnerability and it has been heavily exploited by different gangs. There’s been lots of exploitations over the past few years, and lots of warnings have gone out.

While ESXi is another remote access platform which allows people to access your systems remotely but it is difficult to say either way. 

The group suspected of the MTU breach are Russian hackers known as BlackCat. The Federal Bureau of Investigation in the United States issued a warning about the group last April. 

It is understood that both gardaí and the NCSC have been looking at data uploaded onto the Darkweb linked to this group. 

MTU confirmed that data from its systems has appeared on the so-called Darkweb and investigations are ongoing as to what the data contains. 

In a statement on Tuesday, it said: “Munster Technological University is aware of some media reports speculating about the types of data released on the dark web following the ransomware attack on MTU last week.

“Our forensic experts are continuing to investigate the incident but the initial assessments (which are ongoing) indicate that the vast majority of personal data compromised relates to current and some former staff members, rather than students.

“The extent to which any Kerry/IT Tralee related data was contained on the compromised Cork system is part of the ongoing investigation, but an initial assessment suggests the vast majority of the data on the Cork system is not related to Kerry/IT Tralee.”

The MTU spokesperson said that updates “will be provided directly to affected individuals where necessary in line with our data protection obligations as soon as practicable”.

The university has also offered advice around the prevention of fraud on its website

For Honan the important next step for MTU is to continue being transparent about the attack and inform the public about the cause of the incident. 

“A lot was learned from the PriceWaterhouseCooper report into the HSE ransomware incident.

Hopefully MTU will publish or share the findings of their reports with others and organisations can learn and improve the security.

“One thing we need to remember is that this should not be about blaming the victim in this – at the end of the day MTU were victims of this crime. 

“Victim shaming forgets that what we want to do is encourage people to share their experiences, so that we can all learn and be better at securing what we’ve learned from other people,” he said. 

Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel