[BreachExchange] Cyberattacks Mar Start of Academic Year

Destry Winant destry at riskbasedsecurity.com
Fri Aug 30 00:48:01 EDT 2019


The start of the new academic year can be a challenging time on any
college campus, but the start of the fall term at Regis University was
unlike any other.

Students arrived at the private university in Denver to find the
institution's internet, email, phones and website shut down following
the discovery of a cyberthreat last Thursday.

IT staff at Regis are working “around the clock” to get things back to
normal, John P. Fitzgibbons, president of the university, said in a
letter to the campus last week posted on a temporary website created
to provide students' updates on the outage. Temporary phone lines have
also been established to respond to students' questions and concerns.

“I want to sincerely thank you for your continued patience and grace
as our IT teams work with third-party forensics experts and law
enforcement to investigate and resolve this situation,” Fitzgibbons
wrote. “We understand this has been disruptive to normal daily
operations. Unfortunately, this type of incident is increasingly
common, which is why we are working diligently to protect and restore
our systems as safely as possible.”

Fitzgibbons said IT staff detected an “external malicious threat that
likely originated outside the country” and “as a matter of precaution
and in order to fully investigate the potential issue, we proactively
shut down our IT systems, including phones, email and our website.”

He did not share any further details on the nature of the attack.

On Twitter, the university’s social media managers remained upbeat.
“We’re not going to let some technology hiccups get in the way of
welcoming the Class of 2023 to Regis in style,” they tweeted Friday.
But students are nonetheless raising serious questions, including
whether exams will be delayed and how they should pay tuition.

Jennifer Forker, director of communications at Regis, said it is still
too soon to know the nature of the attack. She acknowledged there are
some challenges, but said things are running “pretty smoothly” on
campus. She doesn't know when the university will be back online.
“Hopefully soon,” she said.

Regis is not the only university to suffer from a crippling
cyberattack just before the start of the new academic year. The
Stevens Institute of Technology reported on Aug. 10 that it was the
victim of a “very severe and sophisticated” cyberattack.

Precautionary Measures

As at Regis, IT staff at Stevens intentionally disabled the college's
network and some systems in response to the attack. The university, a
private institution in Hoboken, N.J., known for the strength of its
cybersecurity program, remained off-line for a week.

“We understand there have been questions about data security,” wrote
Nariman Farvardin, president of Stevens, in a letter to the campus
Aug. 18. “Although our investigation of the incident is ongoing, at
this point we have no reason to believe that employee or student data
was compromised as a result of the attack.”

On Aug. 20, the university announced that critical systems such as
email and the student information system had been restored. A new
Wi-Fi network was successfully deployed Aug. 21. Classes began as
scheduled Aug. 26.

Thania Benios, director of public relations at Stevens, said in an
email that the cyberattack had involved ransomware, but the quick
actions of Stevens’s IT staff prevented the need to respond to any
ransom demand.

Ransomware is often installed after an unwitting victim clicks on a
fraudulent link in a phishing email. The malicious software then
encrypts and blocks access to computer files that the user has
permission to access. Hackers can then demand payment for an
encryption key.

Christian Schreiber, solutions architect at cybersecurity company
FireEye, said there are a couple of reasons why universities might
choose to disable their own networks and systems after a cyberthreat
is detected.

“Victims of attacks like ransomware often focus on containing the
damage and returning to normal operations as quickly as possible
rather than conducting a detailed (and expensive) investigation into
how the attack occurred,” he said.

Schreiber said taking systems off-line could serve a couple of purposes.

“First, it helps mitigate further damage by preventing the attack from
spreading. Second, taking systems off-line can simplify the recovery
process when an institution enacts its disaster-recovery plans,” he
said in an email. “By preventing users from interacting with the
systems, IT teams can more easily perform tasks like data recovery,
bulk password resets and testing of new security protocols.”

Ben Woelk, information security office program manager at the
Rochester Institute of Technology, said the decision to disable
networks and systems is not taken lightly but is sometimes essential
to prevent the spread of an attack and carefully analyze other systems
to ensure they aren’t vulnerable.

“Universities absolutely don’t want to take down their systems at the
beginning of classes,” he said.

Jared Phipps, vice president of worldwide sales engineering for
cybersecurity company SentinelOne, agreed that taking everything
off-line is “not something that an institution would ideally do,” but
it may be the best solution given limited budgets and staff.

Recovering from a ransomware attack can take over a week, even after
purchasing an encryption key to unlock content, said Phipps. These
attacks are typically coming from criminal groups in China, Vietnam
and Eastern Europe, he said.

“It’s not just colleges that are being targeted -- if you’re online,
you’re in the crossfire,” said Phipps.

He noted that colleges in particular face difficult security
challenges. “I don’t think these criminals are particularly targeting
colleges, but [colleges] do have a lot of computing power, a lot of
openness in their networks and a lot of people accessing data. It’s
surprising, actually, that you don’t hear about it more. They’re in a
prime environment to be affected by these attacks.”

Bad Timing

Higher education institutions, police departments and city governments
have all made the news in recent months because of high-profile
ransomware attacks.

Monroe College, a for-profit institution in New York City, was asked
just last month to pay a ransom of around $2 million in bitcoin to
restore access to the college’s website, learning management system
and email. The institution has not said whether it chose to pay the

It is not known whether the Regis cyberattack also involved
ransomware, but if it did, it could represent a worrying trend of
criminals targeting colleges while they are busy preparing to welcome
new students.

“It surely could be coincidental, but my gut is telling me it isn’t,”
said Michael Corn, chief information security officer at the
University of California, San Diego.

“The start of the school year is an exceptionally busy time for
schools, and the hackers may assume their activities would go
unnoticed at this time when staff are otherwise preoccupied,” said
Corn. “Unless, of course, the goal itself is disruption, in which case
this would be one of the most damaging times to launch an attack.”

Universities have been targeted in the past with disruption campaigns
such as denial-of-service attacks during peak periods such as class
registration or final exams, said Schreiber.

“While we’ve seen a shift where ransomware attacks have become more
targeted and planned, we haven’t seen a broader campaign targeting
universities during the fall return to campus,” he said.

Schreiber recommends that universities implement network segmentation
and strengthen their access controls to reduce the impact of
ransomware attacks.

“Adopting multifactor authentication for remote access can drastically
reduce exposure to outside attackers,” said Schreiber. He added that
off-site backup and recovery solutions are vital to restoring systems
-- and institutions should regularly test their recovery plans to
ensure they can get back online quickly.

“I do have some sympathy for these institutions,” said Phipps.
“Defending a university whilst maintaining openness is difficult. It
is possible, but it’s challenging.”
