Cybercriminals have found a new way to extort universities -- stealing sensitive information and then threatening to share it on the dark web unless a bounty is paid.
Three institutions were successfully targeted by hackers using this approach in the past two weeks. The first was Michigan State University, then the University of California, San Francisco, and, most recently, Columbia College Chicago.
None of the institutions have shared how much ransom was requested. All were targeted using malicious software known as NetWalker and given a deadline of six days to pay.
A blog run by the cybercriminals behind NetWalker reportedly boasts that stolen information from the institutions includes Social Security numbers, among other sensitive information. Twitter users such as Ransom Leaks have shared screenshots of sample data shared on the blog, which include passports and banking details.
Michigan State University stated publicly that it would not pay ransom to the hackers last week -- an unusual declaration, as many institutions do not choose to make their response to ransom demands public. On June 4, hackers reportedly began publishing the data they stole from Michigan State, making it available to download on the dark web.
“Payment to these criminals only allows these crimes to be perpetuated and further target other victims,” said Dan Ayala, interim chief information security officer at Michigan State, in an email. He added that the decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president.
The Michigan State attack was limited to the institution’s physics and astronomy unit. It is not known at this time how much information the hackers were able to access, nor how much has been leaked now that the hackers’ deadline has passed. Ayala said he was unable to share many details about the attack to “protect the integrity of the ongoing investigation.”
Students, faculty and staff are receiving updates on the situation as it unfolds, Ayala said.
"We continue to provide updates to all students, faculty and staff on our ongoing investigation with information that we are able to share, when we are able to share it," he said. "These communications also include best practices for personal cybersecurity and ways to protect your identity if it has become compromised. We are working with outside services to finalize identity theft protection services for affected individuals."
The decision not to pay the ransom has been “generally supported by the MSU community, especially with the understanding that paying such amounts perpetuates the practice,” Ayala said. But students are understandably concerned about what information may have been stolen, said Brianna Aiello, vice president for academic affairs at the Associated Students of Michigan State University, the institution's student government organization.
“From what I’ve gathered from students on social media, many have been sharing an article pertaining to the ransomware attack and seem to be nervous as to what information could be leaked,” Aiello said in an email. “Not too many have commented on how MSU has chosen not to pay the ransom. Overall, though, it is hard to gather feelings about this issue because we are not on campus right now.”
To Pay or Not to Pay?
Columbia College Chicago and the University of California, San Francisco, appear to have taken a different approach in responding to the attack, said Brett Callow, threat analyst at cybersecurity solutions company Emsisoft. “Their data is no longer on the NetWalker blog, suggesting that they either paid the ransom or negotiated to have the information taken down,” he said.
Neither institution responded to questions on whether or not they paid the ransom demanded by hackers or addressed the scale of the breaches. Like Michigan State, both institutions stated they were unable to share much information, as investigations are ongoing.
The University of California, San Francisco, shared a statement that confirmed “an illegal intrusion into a specific area of our IT environment” was identified June 1.
UC San Francisco is one of the research institutions leading efforts in the U.S. to find possible treatments for COVID-19. Several media reports have suggested that this research and potentially lucrative associated intellectual property may have made the institution an attractive target for hackers.
The university has not confirmed the target of the attack.
“We believe our actions isolated the intrusion to the area that was targeted,” the university said in a statement. “Importantly, our patient care delivery operations are not impacted, and the incident does not affect our overall campus network.”
“We have engaged an IT security firm and have reached out to law enforcement. With their assistance, we are conducting a thorough assessment of the incident, including a determination of what, if any, information may have been compromised,” the statement continues. “In order to preserve the integrity of the investigation, we will need to limit what we can share at this time.”
An Evolving Threat
Historically, malicious software known as ransomware has been used by hackers to block access to computer networks and files -- causing huge inconvenience to the target. Access could be restored by paying a ransom to the hackers, or the target could choose to rebuild and replace the systems and information that were lost -- a potentially arduous and expensive process, depending on the scale of the attack.
Successful ransomware attacks are relatively unusual in higher ed, but they do happen. Monroe College was among a handful of institutions subjected to high-profile ransomware attacks last year. The impact on the college was huge -- students, faculty and staff members were unable to access the university website, learning management system or email for weeks.
In response to these kinds of attacks, more organizations have invested in systems to back up their data, meaning that if access to information is blocked, the data are not lost. This has forced hackers to change their tactics, Callow said. In late 2019, hackers using ransomware began not just blocking access to information but threatening to share it on the dark web -- harming the reputation of the organization or institution involved.
Sometimes hackers will not only publish information to the dark web but also offer to sell it to the highest bidder, Callow said. He noted that there are no guarantees when dealing with hackers -- they may sell stolen information even if they get the money they ask for.
“You can’t take them at their word,” he said.
Institutions are often required to report data breaches at the state level, but there is some confusion about what they are supposed to report to the U.S. Department of Education, said Amelia Vance, director of youth and education privacy at the Future of Privacy Forum. There is no ambiguity about whether these attacks would need to be reported, however, said Vance.
“If student passports and Social Security numbers have been leaked, that is a clear breach,” she said. "We need institutions to continuously be looking at good data hygiene -- do you really need to keep all the information you're collecting?"
Preventing Future Attacks
Universities differ from many companies in that they often try to maintain open networks to encourage collaboration and ease of use, said Mike Stanfield, senior security analyst at the Center for Applied Cybersecurity Research at Indiana University. Maintaining that openness while trying to secure a network is incredibly difficult, he said.
Right now many faculty members are working from home on networks that may not be secure, making college IT leaders’ jobs even more difficult. “Hackers are taking advantage of this moment. They know barriers are down, people are scared,” Stanfield said.
Many ransomware attacks are the result of phishing emails, where users click a link and inadvertently download malicious software, Stanfield said. One way to try to prevent successful attacks would be to train college employees not to open suspicious-looking email. But multifactor logins are an important defense, too, he said.
Brian Kelly, director of cybersecurity at Educause, agreed these are important steps, but they may not necessarily defend against the NetWalker attacks. Publicly, CIOs may not be sharing much information about how these attacks take place, but there are networks where IT leaders are sharing information, such as the REN-ISAC network based out of Indiana University.
Kelly and Stanfield agreed it is important for IT leaders in higher ed to be monitoring these networks. Cyberattacks are constantly evolving, and failure to keep up with new intelligence can have dire consequences.
“It’s a constant game of cat and mouse,” said Kelly. “As soon as we solve one problem, a new one emerges.”