Croatian research institute confirms ransomware attack via ToolShell vulnerabilities

The Ruđer Bošković Institute (RBI), the largest Croatian science and technology research institute, has confirmed that it was one of “at least 9,000 institutions worldwide” that were attacked using the Microsoft SharePoint “ToolShell” vulnerabilities.

The attack happened on Thursday, July 31, 2025, and resulted in the deployment of ransomware.

“The ransomware attack affected part of the network related to the business processes of the [Institute]’s administrative and professional services, and all those documents and databases were encrypted by the attackers,” the organization stated on Monday, and said that they are not planning on paying the ransom.

Instead, they will be “responding to the incident solely through professional and security protocols, with careful upgrades and restoration of data from backups.”

From previous reports, it’s known that the ToolShell vulnerabilities have been exploited to deliver Warlock and 4L4MD4R ransomware.

We’ve reached out to the Institute for more specific information about the attack, and we’ll update this post if they share any.

Remediation efforts are under way

The current IT network system is being brought back online gradually. The Institute’s email system was brought back online last Friday.

The Institute is also working on building an entirely new IT infrastructure “in accordance with the latest cybersecurity standards”.

A forensic analysis of the incident is still ongoing, with the help of the Ministry of the Interior, the national CERT and other Croatian cybersecurity institutions.

The Croatian Personal Data Protection Agency has been informed of the incident, but it’s still unknown whether the attackers were able to access any personal information.

“If it is determined that personal data was accessed, the Institute will take appropriate measures in a timely manner in accordance with the GDPR,” the Institute concluded.

As a precaution, the Institute’s data protection officer notified the employees last week about the possibility of their personal data (personal identification number, address, etc.), data on expenses and compensations, and other data having been exfiltrated by the attackers, and warned them to be on the lookout for phishing emails impersonating the Institute or relevant authorities.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.