{"id":568158,"date":"2025-11-18T15:50:10","date_gmt":"2025-11-18T18:50:10","guid":{"rendered":"https:\/\/revistapesquisa.fapesp.br\/?p=568158"},"modified":"2025-11-18T15:50:10","modified_gmt":"2025-11-18T18:50:10","slug":"cyberattacks-on-universities-and-scientific-institutions-on-the-rise-in-brazil","status":"publish","type":"post","link":"https:\/\/revistapesquisa.fapesp.br\/en\/cyberattacks-on-universities-and-scientific-institutions-on-the-rise-in-brazil\/","title":{"rendered":"Cyberattacks on universities and scientific institutions on the rise in Brazil"},"content":{"rendered":"<p>The first warning came on the night of Friday, March 28, via a cybersecurity software application: a hacker attack was underway against the network of computers and servers at the Nuclear and Energy Research Institute (IPEN) in S\u00e3o Paulo. The IT team was deployed and had to cut off all IPEN communications to contain its spread to other devices at the institute: access to the internet, telephone, and the internal network itself, interrupting the data flow in its computers. The institute consequently suspended all its activities in both research and the production of radiopharmaceuticals, essential for treating cancer patients, for ten days. The aftermath goes on. \u201cIt\u2019s going to take us three months to assess everything potentially affected and return to full activity,\u201d says Pedro Maffia, institutional management director at the National Nuclear Energy Commission (CNEN), of which IPEN is a member.<\/p>\n<p>It has not yet been possible to estimate the full extent of the damage caused by the incident, but R$2.5 million in input sales has certainly been lost. The attack was conducted using ransomware, which employs malicious software to control and block the institution\u2019s computer files using cryptography and demands payment to reestablish access. \u201cThey left a message with a ransom demand to be paid in bitcoin. 
At no time did we consider negotiating with these criminals,\u201d he adds. Researchers able to work remotely continued with their tasks, partially and with reduced output. \u201cAll activities depending on systems connected to the IPEN network were affected,\u201d says Niklaus Wetter, the Institute\u2019s Research &amp; Development lead.<\/p>\n<p>Attempted attacks such as the IPEN case are common at educational and research institutions in Brazil. The Ip\u00ea academic network, which connects around 1,800 Brazilian research, innovation, and higher education institutions covering four million users, deals with some 20,000 attempted attacks per month. Most are automatically blocked by the Brazilian National Education and Research Network (RNP), a social organization linked to and managed by the Brazilian Ministry of Science, Technology, and Innovation (MCTI). Some of the more elaborate attacks require direct intervention by cybersecurity staff.<\/p>\n<p>\u201cEducational and research institutions have been expanding their offer of digital services, and this naturally opens them up to more attacks,\u201d explains Jo\u00e3o Eduardo Ferreira, a researcher at the University of S\u00e3o Paulo\u2019s Institute of Mathematics and Statistics (IME-USP), and IT superintendent at the university. He says that USP continually suffers and monitors attempted cyberattacks, the profile of which has shifted over the last two years. \u201cWhat we have seen is that hackers no longer need equipment to attack, as many rent devices with enhanced computing capacity on the deep web. 
Another change we have seen is that we are not always dealing with one individual, but groups organizing themselves across different locations; their level of technical knowledge is also increasingly sophisticated.\u201d USP has invested in several strategies to deal with attacks, from building and refining connectivity barriers (firewalls) to sensitive data encryption and the adoption of four-layer software architecture, enabling the development of new functions and troubleshooting without affecting other parts of the system. The COVID-19 pandemic also saw other flanks opening up, with hundreds of employees working from home and logging in remotely.<\/p>\n<p>It is common for criminals to attempt to install malicious software in devices at research institutions to mine for cryptocurrencies, a process requiring the use of powerful computer systems to solve mathematical problems and receive digital currencies as a reward. \u201cResearch centers and universities are targeted because they usually have computers with considerable processing power. They can also store valuable information, such as patent secrets,\u201d says Dennis Campos, IT manager at the National Center for Research in Energy and Materials (CNPEM) in Campinas, S\u00e3o Paulo State.<\/p>\n<p>This center experienced such a case some years ago: their monitoring system detected abnormally high memory consumption, and cryptocurrency mining software was discovered in their devices. The institution boosted its information security team after suffering another cyberattack over a weekend in February 2022 using ransomware, as in the case at IPEN. \u201cThe criminals had managed to encrypt some of the information in our system, such as administrative and research data,\u201d he recalls. 
As the data were backed up, it was possible to recover most of them.<\/p>\n<\/div><div class='overflow-responsive-img' style='text-align:center'><picture data-tablet=\"\/wp-content\/uploads\/2025\/11\/RPF-ciberseguranca-2025-06-info-ING-DESK.png\" data-tablet_size=\"1939x1021\" alt=\"Information security: Measures you can take to improve cybersecurity\">\n    <source srcset=\"\/wp-content\/uploads\/2025\/11\/RPF-ciberseguranca-2025-06-info-ING-DESK.png\" media=\"(min-width: 1920px)\" \/>\n    <source srcset=\"\/wp-content\/uploads\/2025\/11\/RPF-ciberseguranca-2025-06-info-ING-DESK.png\" media=\"(min-width: 1140px)\" \/>\n    <img decoding=\"async\" class=\"responsive-img\" src=\"\/wp-content\/uploads\/2025\/11\/RPF-ciberseguranca-2025-06-info-ING-MOBILE.png\" \/>\n  <\/picture><span class=\"embed media-credits-inline\">Rodrigo Cunha\u2009\/ Pesquisa FAPESP<\/span><\/div><div class=\"post-content sequence\">\n<p>In 2024 alone, CNPEM security systems blocked some 1,800 attacks and 116 million attempts. \u201cIn the event of a successful significant attack, the greatest risk is having to halt the function of the institution\u2019s infrastructure and suspend operation of the Sirius synchrotron light source,\u201d he concludes.<\/p>\n<p>The CNPEM team found that the encroachment occurred due to vulnerability in a software item. After the incident it was decided that critical program updates must be conducted on the day they are authorized. The center is also implementing installation of multistep authentication by which the network user, whether an employee or visitor, must provide more than one type of identity verification instead of simply inputting their password. 
\u201cThis is an initial barrier enabling us to know the time, location, and what exactly has been downloaded, helping to trace the origin of any incidents,\u201d says Rogger de Lima, head of information security at CNPEM, hired after the 2022 attack.<\/p>\n<p>The University of Campinas (UNICAMP) suffered an attempted attack last March; the hacker was expelled but caused the campus computer network to run slowly for four days. According to Ricardo Dahab, director of Information and Communication Technology (ICT) at UNICAMP, the university\u2019s computers are scanned daily for malicious software searching for weak points by which to invade. \u201cThe worst case would be the leakage of data from research conducted in partnership with companies and protected under confidentiality contracts, or sensitive data on the university\u2019s hospital patients,\u201d he says.<\/p>\n<p>In early 2020 and in 2024, the university suffered large-scale leakages of data on employees, students, and users of a distance assessment system as a result of cyberattacks. In the first, data on 200,000 users were leaked, with 140,000 compromised in the second. Dahab says that the 2020 attack was the institution\u2019s biggest incident to date. \u201cWe found an errant software configuration, then analyzed the vulnerabilities and closed several doors,\u201d he says. Another measure involved investing in infrastructure at the institution. \u201cIn addition to using the Amazon cloud service, we have our own Unicamp cloud, which stores our primary databases with backup protection.\u201d<\/p>\n<p>A common issue at universities is the autonomy of their laboratories to create websites and pages, storing them on the central servers. \u201cSites can be created at will, commonly managed by scholarship holders and not maintained after the end of their grant period. 
This lack of updating opens up security flanks,\u201d Dahab observes, going on to say that when there is no maintenance and a breach occurs, the ICT department has the freedom to take the site down.<\/p>\n<p>To identify vulnerabilities and expand the capacity for anticipating attacks, USP created the Hackers do Bem (Good Hackers) program, offering scholarships to five computer science bachelor\u2019s degree students at IME-USP. Their job is to attack USP systems and find flanks for correction by the IT Office. \u201cIt\u2019s a very interesting program because it generates new knowledge, trains students, and helps the university to refine its security,\u201d explains Ferreira. \u201cThese scholarship holders have no contact with the technicians monitoring USP computer systems\u2014their work is independent.\u201d<\/p>\n<p>In efforts to prevent losses of data on ongoing research for educational infrastructure, the RNP created a Security Operations Center (SOC), to monitor and neutralize attacks, in 2023. The Center has several layers of protection, one of which monitors denial-of-service attacks, in which a large volume of access requests is sent, overloading and crashing systems. Monitoring is conducted 24 hours a day across the 97 institutions signed up to the center to date and the network\u2019s main infrastructure, the backbone. If successful, this type of attack can disrupt work and research routines. \u201cWe\u2019re not talking about a possibility. Cyber incidents will occur,\u201d highlights cybersecurity specialist Ivan Tasso Benevides, Security Operations lead at RNP. 
Between 2023 and 2024, the number of attacks against the network increased by 56%.<\/p>\n<div id=\"attachment_568167\" style=\"max-width: 1150px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-568167 size-full\" src=\"https:\/\/revistapesquisa.fapesp.br\/wp-content\/uploads\/2025\/11\/rpf-ciberseguranca-CNPEM-2025-06-1140.jpg\" alt=\"\" width=\"1140\" height=\"641\" srcset=\"https:\/\/revistapesquisa.fapesp.br\/wp-content\/uploads\/2025\/11\/rpf-ciberseguranca-CNPEM-2025-06-1140.jpg 1140w, https:\/\/revistapesquisa.fapesp.br\/wp-content\/uploads\/2025\/11\/rpf-ciberseguranca-CNPEM-2025-06-1140-250x141.jpg 250w, https:\/\/revistapesquisa.fapesp.br\/wp-content\/uploads\/2025\/11\/rpf-ciberseguranca-CNPEM-2025-06-1140-700x394.jpg 700w, https:\/\/revistapesquisa.fapesp.br\/wp-content\/uploads\/2025\/11\/rpf-ciberseguranca-CNPEM-2025-06-1140-120x67.jpg 120w\" sizes=\"auto, (max-width: 1140px) 100vw, 1140px\" \/><p class=\"wp-caption-text\"><span class=\"media-credits-inline\">L\u00e9o Ramos Chaves\u2009\/ Pesquisa FAPESP<\/span>Cybersecurity staff monitor attempted attacks on the CNPEM, in Campinas<span class=\"media-credits\">L\u00e9o Ramos Chaves\u2009\/ Pesquisa FAPESP<\/span><\/p><\/div>\n<p>The RNP center is housed at the institution\u2019s headquarters in Bras\u00edlia, with analysts monitoring the network and the deep web, to where leaked data generally go. \u201cThis enables a quicker, more effective response,\u201d says Benevides. \u201cWe have issued a call for bids to set up three more centers around Brazil by the end of this year. One will be in the city of S\u00e3o Paulo,\u201d he adds.<\/p>\n<p>Before the center became operational, institutions suffering attacks would contact the Security Incident Service Center (CAIS), to which the SOC is linked, for advice on how to proceed. \u201cWe would await contact from institutions to support them. 
Now we have a proactive approach and can thwart attacks before they occur at institutions associated with the Network,\u201d observes Benevides. They can opt to sign up to the SOC system, using one of our packages: the first, and most basic, is free, with options for paid intermediate and advanced features.<\/p>\n<p>Benevides recalls a recent case dealt with by the RNP: an educational institution came close to having its network invaded after an employee used the institution\u2019s credentials\u2014corporate email addresses and passwords\u2014to register on another website. There was a leak, and the information found its way to the deep web. In another case, a university in Brazil\u2019s North region was targeted by a hacker who erased data\u2014the backup had not been updated for two months. \u201cThey lost everything that had been done in that period.\u201d<\/p>\n<p>Denial-of-service attacks are the most frequently recurring among institutions associated with the RNP, says Benevides. The second most frequent type of attack is phishing, a ploy to get users to click on false forms and provide data and passwords. In third place is ransomware, as suffered by IPEN.<\/p>\n<p>The CNPEM was among institutions signing up to the RNP SOC as a service to supplement internal security measures. Campos, of the CNPEM, says that the team has procured information from other international research centers to ensure the cybersecurity of the Orion project, a laboratory complex for advanced virus and bacteria research, with facilities of maximum biological containment (biosafety level NB4), the first in the world connected to a synchrotron light source (<em>see interview<\/em>). 
Their critical systems, such as air conditioning, are set to be automated, with failsafe and interference protection essential to safeguard the biological material.<\/p>\n<p class=\"bibliografia separador-bibliografia\">The story above was published with the title &#8220;<strong>Computers at risk<\/strong>&#8221; in issue 352 of April\/2025.<\/p>\n","protected":false},"excerpt":{"rendered":"Attacks against the National Education and Research System increased by 56% between 2023 and 2024","protected":false},"author":684,"featured_media":553815,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[166],"tags":[219,264,2413],"coauthors":[2721],"class_list":["post-568158","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-policies-st-en","tag-computation","tag-information-technology","tag-technology"],"acf":[],"_links":{"self":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts\/568158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/users\/684"}],"replies":[{"embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/comments?post=568158"}],"version-history":[{"count":1,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts\/568158\/revisions"}],"predecessor-version":[{"id":568171,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts\/568158\/revisions\/568171"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\
/wp-json\/wp\/v2\/media\/553815"}],"wp:attachment":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/media?parent=568158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/categories?post=568158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/tags?post=568158"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/coauthors?post=568158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}