The start of the new academic year can be a challenging time on any college campus, but the start of the fall term at Regis University was unlike any other.
Students arrived at the private university in Denver to find the institution's internet, email, phones and website shut down following the discovery of a cyberthreat last Thursday.
IT staff at Regis are working “around the clock” to get things back to normal, John P. Fitzgibbons, president of the university, said in a letter to the campus last week, posted on a temporary website created to provide students with updates on the outage. Temporary phone lines have also been established to respond to students' questions and concerns.
“I want to sincerely thank you for your continued patience and grace as our IT teams work with third-party forensics experts and law enforcement to investigate and resolve this situation,” Fitzgibbons wrote. “We understand this has been disruptive to normal daily operations. Unfortunately, this type of incident is increasingly common, which is why we are working diligently to protect and restore our systems as safely as possible.”
Fitzgibbons said IT staff detected an “external malicious threat that likely originated outside the country” and “as a matter of precaution and in order to fully investigate the potential issue, we proactively shut down our IT systems, including phones, email and our website.”
He did not share any further details on the nature of the attack.
On Twitter, the university’s social media managers remained upbeat. “We’re not going to let some technology hiccups get in the way of welcoming the Class of 2023 to Regis in style,” they tweeted Friday. But students are nonetheless raising serious questions, including whether exams will be delayed and how they should pay tuition.
Jennifer Forker, director of communications at Regis, said it is still too soon to know the nature of the attack. She acknowledged there are some challenges, but said things are running “pretty smoothly” on campus. She doesn't know when the university will be back online. “Hopefully soon,” she said.
Regis is not the only university to suffer from a crippling cyberattack just before the start of the new academic year. The Stevens Institute of Technology reported on Aug. 10 that it was the victim of a “very severe and sophisticated” cyberattack.
As at Regis, IT staff at Stevens intentionally disabled the college's network and some systems in response to the attack. The university, a private institution in Hoboken, N.J., known for the strength of its cybersecurity program, remained off-line for a week.
“We understand there have been questions about data security,” wrote Nariman Farvardin, president of Stevens, in a letter to the campus Aug. 18. “Although our investigation of the incidence is ongoing, at this point we have no reason to believe that employee or student data was compromised as a result of the attack.”
On Aug. 20, the university announced that critical systems such as email and the student information system had been restored. A new Wi-Fi network was successfully deployed Aug. 21. Classes began as scheduled Aug. 26.
Thania Benios, director of public relations at Stevens, said in an email that the cyberattack had involved ransomware, but the quick actions of Stevens’s IT staff prevented the need to respond to any ransom demand.
Ransomware is often installed after an unwitting victim clicks a fraudulent link in a phishing email. The malicious software then encrypts the files that the compromised user has permission to access, blocking access to them, and the attackers demand payment for the key needed to decrypt them.
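Because ransomware rewrites every file the compromised account can reach, its footprint on a file server is a burst of renames applied by one user in a short window, typically with the same new suffix. The script below is an added illustration of that detection idea, not code from the article or from any of the institutions or vendors it quotes. It parses constructed audit-log lines in a made-up `timestamp | user | action | detail` format (the format, usernames and paths are all assumptions) and flags a user who appends the same suffix to at least five files within sixty seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format and data, not real records).
# One user renames many files with the same appended suffix within seconds,
# then drops a note; the other user performs ordinary, isolated renames.
SAMPLE_LOG = """\
2019-08-22T08:01:02 | jdoe | WRITE | /shares/finance/budget.xlsx
2019-08-22T08:01:03 | jdoe | RENAME | /shares/finance/budget.xlsx -> /shares/finance/budget.xlsx.locked
2019-08-22T08:01:04 | jdoe | RENAME | /shares/finance/q3.docx -> /shares/finance/q3.docx.locked
2019-08-22T08:01:05 | asmith | RENAME | /shares/hr/draft.txt -> /shares/hr/final.txt
2019-08-22T08:01:06 | jdoe | RENAME | /shares/finance/payroll.csv -> /shares/finance/payroll.csv.locked
2019-08-22T08:01:08 | jdoe | RENAME | /shares/finance/vendors.xlsx -> /shares/finance/vendors.xlsx.locked
2019-08-22T08:01:09 | jdoe | RENAME | /shares/finance/plan.pptx -> /shares/finance/plan.pptx.locked
2019-08-22T08:01:11 | jdoe | WRITE | /shares/finance/README_DECRYPT.txt
2019-08-22T08:05:00 | asmith | RENAME | /shares/hr/notes.txt -> /shares/hr/notes.txt.bak
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s*\|\s*(?P<user>\S+)\s*\|\s*(?P<action>\S+)\s*\|\s*(?P<detail>.+)$"
)


def parse_event(line):
    """Parse one audit line into a dict; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    if ev["action"] == "RENAME" and " -> " in ev["detail"]:
        old, new = ev["detail"].split(" -> ", 1)
        ev["old"], ev["new"] = old.strip(), new.strip()
    return ev


def appended_suffix(old, new):
    """Return the suffix a rename appended to the original name, or None if the
    rename changed the name in some other way (e.g. draft.txt -> final.txt)."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def detect_mass_rename(lines, window_seconds=60, threshold=5):
    """Flag each (user, suffix) pair that appends the same suffix to at least
    `threshold` files inside a sliding window of `window_seconds`.
    Returns one alert per pair, raised the first time the threshold is crossed."""
    windows = defaultdict(deque)  # (user, suffix) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["action"] != "RENAME" or "old" not in ev:
            continue
        suffix = appended_suffix(ev["old"], ev["new"])
        if suffix is None:
            continue
        key = (ev["user"], suffix)
        dq = windows[key]
        dq.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while dq and dq[0] < cutoff:  # drop events that fell out of the window
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "suffix": suffix,
                           "count": len(dq), "first_seen": dq[0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this raises a single alert for `jdoe` with suffix `.locked` after the fifth rename; `asmith`'s two renames never cluster. The threshold and window are deliberately conservative so that a user renaming a handful of files by hand is not flagged; tuning them against a site's real rename rate is the part of the work this sketch leaves out.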
Christian Schreiber, solutions architect at cybersecurity company FireEye, said there are a couple of reasons why universities might choose to disable their own networks and systems after a cyberthreat is detected.
“Victims of attacks like ransomware often focus on containing the damage and returning to normal operations as quickly as possible rather than conducting a detailed (and expensive) investigation into how the attack occurred,” he said.
Schreiber said taking systems off-line could serve a couple of purposes.
“First, it helps mitigate further damage by preventing the attack from spreading. Second, taking systems off-line can simplify the recovery process when an institution enacts its disaster-recovery plans,” he said in an email. “By preventing users from interacting with the systems, IT teams can more easily perform tasks like data recovery, bulk password resets and testing of new security protocols.”
Ben Woelk, information security office program manager at the Rochester Institute of Technology, said the decision to disable networks and systems is not taken lightly but is sometimes essential to prevent the spread of an attack and carefully analyze other systems to ensure they aren’t vulnerable.
“Universities absolutely don’t want to take down their systems at the beginning of classes,” he said.
Jared Phipps, vice president of worldwide sales engineering for cybersecurity company SentinelOne, agreed that taking everything off-line is “not something that an institution would ideally do,” but it may be the best solution given limited budgets and staff.
Recovering from a ransomware attack can take over a week, even after purchasing an encryption key to unlock content, said Phipps. These attacks are typically coming from criminal groups in China, Vietnam and Eastern Europe, he said.
“It’s not just colleges that are being targeted -- if you’re online, you’re in the crossfire,” said Phipps.
He noted that colleges in particular face difficult security challenges. “I don’t think these criminals are particularly targeting colleges, but [colleges] do have a lot of computing power, a lot of openness in their networks and a lot of people accessing data. It’s surprising, actually, that you don’t hear about it more. They’re in a prime environment to be affected by these attacks.”
Higher education institutions, police departments and city governments have all made the news in recent months because of high-profile ransomware attacks.
Monroe College, a for-profit institution in New York City, was asked just last month to pay a ransom of around $2 million in bitcoin to restore access to the college’s website, learning management system and email. The institution has not said whether it chose to pay the ransom.
It is not known whether the Regis cyberattack also involved ransomware, but if it did, it could represent a worrying trend of criminals targeting colleges while they are busy preparing to welcome new students.
“It surely could be coincidental, but my gut is telling me it isn’t,” said Michael Corn, chief information security officer at the University of California, San Diego.
“The start of the school year is an exceptionally busy time for schools, and the hackers may assume their activities would go unnoticed at this time when staff are otherwise preoccupied,” said Corn. “Unless, of course, the goal itself is disruption, in which case this would be one of the most damaging times to launch an attack.”
Universities have been targeted in the past with disruption campaigns such as denial-of-service attacks during peak periods such as class registration or final exams, said Schreiber.
“While we’ve seen a shift where ransomware attacks have become more targeted and planned, we haven’t seen a broader campaign targeting universities during the fall return to campus,” he said.
Schreiber recommends that universities implement network segmentation and strengthen their access controls to reduce the impact of ransomware attacks.
“Adopting multifactor authentication for remote access can drastically reduce exposure to outside attackers,” said Schreiber. He added that off-site backup and recovery solutions are vital to restoring systems -- and institutions should regularly test their recovery plans to ensure they can get back online quickly.
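A recovery plan is only known to work once a restore has been exercised and the restored data checked against what was backed up. The script below is an added illustration of such a drill, not code from the article or from any institution or vendor it quotes. It records a SHA-256 manifest of a directory tree at backup time, simulates a restore into a fresh location, and reports which files came back intact, which were altered and which are missing; the file names and contents are constructed for the example, and one file is deliberately corrupted during the simulated restore so the verification has something to catch.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (as a relative, forward-slash path) to its digest.
    This is what a backup job should record alongside the data it copies."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    result = {"ok": [], "mismatched": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(path):
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def run_restore_drill():
    """Back up a constructed tree, restore it, and verify the result.
    Two faults are injected on the restore side: one file is corrupted and one
    is dropped, mimicking a truncated copy and an incomplete backup set."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        for rel, content in [("finance/budget.csv", b"q1,100\nq2,120\n"),
                             ("finance/payroll.csv", b"alice,5000\nbob,4800\n"),
                             ("hr/notes.txt", b"constructed sample text\n")]:
            path = os.path.join(live, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)

        manifest = build_manifest(live)  # recorded at backup time

        restored = os.path.join(work, "restored")
        shutil.copytree(live, restored)  # stand-in for the real restore step
        with open(os.path.join(restored, "finance", "payroll.csv"), "wb") as f:
            f.write(b"alice,5000\n")  # truncated during restore
        os.remove(os.path.join(restored, "hr", "notes.txt"))  # never restored

        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for status, files in run_restore_drill().items():
        print(f"{status}: {files}")
```

The manifest should live with the off-site copy rather than on the systems being backed up, since a restore that silently returns altered or missing files is exactly the failure a drill exists to surface before an incident does.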
“I do have some sympathy for these institutions,” said Phipps. “Defending a university whilst maintaining openness is difficult. It is possible, but it’s challenging.”