The first warning came on the night of Friday, March 28, via a cybersecurity software application: a hacker attack was underway against the network of computers and servers at the Nuclear and Energy Research Institute (IPEN) in São Paulo. The IT team was deployed and had to cut off all IPEN communications to contain its spread to other devices at the institute: access to the internet, telephone, and the internal network itself, interrupting the data flow in its computers. The institute consequently suspended all its activities in both research and the production of radiopharmaceuticals, essential for treating cancer patients, for ten days. The aftermath goes on. “It’s going to take us three months to assess everything potentially affected and return to full activity,” says Pedro Maffia, institutional management director at the National Nuclear Energy Commission (CNEN), of which IPEN is a member.
It has not yet been possible to estimate the full extent of the damage caused by the incident, but R$2.5 million in input sales has certainly been lost. The attack was conducted using ransomware, malicious software that uses cryptography to take control of and block the institution’s computer files and demands payment to reestablish access. “They left a message with a ransom demand to be paid in bitcoin. At no time did we consider negotiating with these criminals,” he adds. Researchers able to work remotely continued with their tasks, partially and with reduced output. “All activities depending on systems connected to the IPEN network were affected,” says Niklaus Wetter, the Institute’s Research & Development lead.
Attempted attacks such as the IPEN case are common at educational and research institutions in Brazil. The Ipê academic network, which connects around 1,800 Brazilian research, innovation, and higher education institutions covering four million users, deals with some 20,000 attempted attacks per month. Most are automatically blocked by the Brazilian National Education and Research Network (RNP), a social organization linked to and managed by the Brazilian Ministry of Science, Technology, and Innovation (MCTI). Some of the more elaborate attacks require direct intervention by cybersecurity staff.
“Educational and research institutions have been expanding their offer of digital services, and this naturally opens them up to more attacks,” explains João Eduardo Ferreira, a researcher at the University of São Paulo’s Institute of Mathematics and Statistics (IME-USP), and IT superintendent at the university. He says that USP continually suffers and monitors attempted cyberattacks, the profile of which has shifted over the last two years. “What we have seen is that hackers no longer need equipment to attack, as many rent devices with enhanced computing capacity on the deep web. Another change we have seen is that we are not always dealing with one individual, but groups organizing themselves across different locations; their level of technical knowledge is also increasingly sophisticated.” USP has invested in several strategies to deal with attacks, from building and refining connectivity barriers (firewalls) to sensitive data encryption and the adoption of four-layer software architecture, enabling the development of new functions and troubleshooting without affecting other parts of the system. The COVID-19 pandemic also saw other flanks opening up, with hundreds of employees working from home and logging in remotely.
It is common for criminals to attempt to install malicious software in devices at research institutions to mine for cryptocurrencies, a process requiring the use of powerful computer systems to solve mathematical problems and receive digital currencies as a reward. “Research centers and universities are targeted because they usually have computers with considerable processing power. They can also store valuable information, such as patent secrets,” says Dennis Campos, IT manager at the National Center for Research in Energy and Materials (CNPEM) in Campinas, São Paulo State.
This center experienced such a case some years ago: their monitoring system detected abnormally high memory consumption, and cryptocurrency mining software was discovered in their devices. The institution boosted its information security team after suffering another cyberattack over a weekend in February 2022 using ransomware, as in the case at IPEN. “The criminals had managed to encrypt some of the information in our system, such as administrative and research data,” he recalls. As the data were backed up, it was possible to recover most of them.
In 2024 alone, CNPEM security systems blocked some 1,800 attacks and 116 million attempts. “In the event of a successful significant attack, the greatest risk is having to halt the function of the institution’s infrastructure and suspend operation of the Sirius synchrotron light source,” he concludes.
The CNPEM team found that the intrusion occurred due to a vulnerability in a piece of software. After the incident it was decided that critical program updates must be conducted on the day they are authorized. The center is also rolling out multistep authentication, by which the network user, whether an employee or visitor, must provide more than one type of identity verification instead of simply inputting their password. “This is an initial barrier enabling us to know the time, location, and what exactly has been downloaded, helping to trace the origin of any incidents,” says Rogger de Lima, head of information security at CNPEM, hired after the 2022 attack.
The University of Campinas (UNICAMP) suffered an attempted attack last March; the hacker was expelled but caused the campus computer network to run slowly for four days. According to Ricardo Dahab, director of Information and Communication Technology (ICT) at UNICAMP, the university’s computers are scanned daily for malicious software searching for weak points by which to invade. “The worst case would be the leakage of data from research conducted in partnership with companies and protected under confidentiality contracts, or sensitive data on the university’s hospital patients,” he says.
In early 2020 and in 2024, the university suffered large-scale leakages of data on employees, students, and users of a distance assessment system as a result of cyberattacks. In the first, data on 200,000 users were leaked, with 140,000 compromised in the second. Dahab says that the 2020 attack was the institution’s biggest incident to date. “We found an errant software configuration, then analyzed the vulnerabilities and closed several doors,” he says. Another measure involved investing in infrastructure at the institution. “In addition to using the Amazon cloud service, we have our own Unicamp cloud, which stores our primary databases with backup protection.”
A common issue at universities is the autonomy of their laboratories to create websites and pages, storing them on the central servers. “Sites can be created at will, commonly managed by scholarship holders and not maintained after the end of their grant period. This lack of updating opens up security flanks,” Dahab observes, going on to say that when there is no maintenance and a breach occurs, the ICT department has the freedom to take the site down.
To identify vulnerabilities and expand the capacity for anticipating attacks, USP created the Hackers do Bem (Good Hackers) program, offering scholarships to five computer science bachelor’s degree students at IME-USP. Their job is to attack USP systems and find flanks for correction by the IT Office. “It’s a very interesting program because it generates new knowledge, trains students, and helps the university to refine its security,” explains Ferreira. “These scholarship holders have no contact with the technicians monitoring USP computer systems—their work is independent.”
In 2023, in efforts to prevent losses of data on ongoing research for educational infrastructure, the RNP created a Security Operations Center (SOC) to monitor and neutralize attacks. The Center has several layers of protection, one of which monitors denial-of-service attacks, in which a large volume of access requests is sent, overloading and crashing systems. Monitoring is conducted 24 hours a day across the 97 institutions signed up to the center to date and the network’s main infrastructure, the backbone. If successful, this type of attack can disrupt work and research routines. “We’re not talking about a possibility. Cyber incidents will occur,” highlights cybersecurity specialist Ivan Tasso Benevides, Security Operations lead at RNP. Between 2023 and 2024, the number of attacks against the network increased by 56%.

Cybersecurity staff monitor attempted attacks on the CNPEM, in Campinas (Photo: Léo Ramos Chaves / Pesquisa FAPESP)
The RNP center is housed at the institution’s headquarters in Brasília, with analysts monitoring the network and the deep web, to where leaked data generally go. “This enables a quicker, more effective response,” says Benevides. “We have issued a call for bids to set up three more centers around Brazil by the end of this year. One will be in the city of São Paulo,” he adds.
Before the center became operational, institutions suffering attacks would contact the Security Incident Service Center (CAIS), to which the SOC is linked, for advice on how to proceed. “We would await contact from institutions to support them. Now we have a proactive approach and can thwart attacks before they occur at institutions associated with the Network,” observes Benevides. Institutions can opt to sign up to the SOC system using one of its packages: the first, and most basic, is free, with options for paid intermediate and advanced features.
Benevides recalls a recent case dealt with by the RNP: an educational institution came close to having its network invaded after an employee used the institution’s credentials—corporate email addresses and passwords—to register on another website. There was a leak, and the information found its way to the deep web. In another case, a university in Brazil’s North region was targeted by a hacker who erased data—the backup had not been updated for two months. “They lost everything that had been done in that period.”
Denial-of-service attacks are the most frequently recurring among institutions associated with the RNP, says Benevides. The second most frequent type of attack is phishing, a ploy to get users to click on false forms and provide data and passwords. In third place is ransomware, as suffered by IPEN.
The CNPEM was among institutions signing up to the RNP SOC as a service to supplement internal security measures. Campos, of the CNPEM, says that the team has procured information from other international research centers to ensure the cybersecurity of the Orion project, a laboratory complex for advanced virus and bacteria research, with facilities of maximum biological containment (biosafety level NB4), the first in the world connected to a synchrotron light source (see interview). Their critical systems, such as air conditioning, are set to be automated, with failsafe and interference protection essential to safeguard the biological material.
The story above was published with the title “Computers at risk” in issue 352 of April/2025.