Cybercriminals have found a new way to extort universities -- stealing sensitive information and then threatening to share it on the dark web unless a bounty is paid.
Three institutions were successfully targeted by hackers using this approach in the past two weeks. The first was Michigan State University, then the University of California, San Francisco, and, most recently, Columbia College Chicago.
None of the institutions have shared how much ransom was requested. All were targeted using malicious software known as NetWalker and given a deadline of six days to pay.
A blog run by the cybercriminals behind NetWalker reportedly boasts that stolen information from the institutions includes Social Security numbers, among other sensitive information. Twitter users such as Ransom Leaks have shared screenshots of sample data shared on the blog, which include passports and banking details.
Michigan State University stated publicly that it would not pay ransom to the hackers last week -- an unusual declaration, as many institutions do not choose to make their response to ransom demands public. On June 4, hackers reportedly began publishing the data they stole from Michigan State, making it available to download on the dark web.
“Payment to these criminals only allows these crimes to be perpetuated and further target other victims,” said Dan Ayala, interim chief information security officer at Michigan State, in an email. He added that the decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president.
The Michigan State attack was limited to the institution’s physics and astronomy unit. It is not known at this time how much information the hackers were able to access, nor how much has been leaked now that the hacker’s deadline has passed. Ayala said he was unable to share many details about the attack to “protect the integrity of the ongoing investigation.”
Students, faculty and staff are receiving updates on the situation as it unfolds, Ayala said.
"We continue to provide updates to all students, faculty and staff on our ongoing investigation with information that we are able to share, when we are able to share it," he said. "These communications also include best practices for personal cybersecurity and ways to protect your identity if it has become compromised. We are working with outside services to finalize identity theft protection services for affected individuals."
The decision not to pay the ransom has been “generally supported by the MSU community, especially with the understanding that paying such amounts perpetuates the practice,” Ayala said. But students are understandably concerned about what information may have been stolen, said Brianna Aiello, vice president for academic affairs at the Associated Students of Michigan State University, the institution's student government organization.
“From what I’ve gathered from students on social media, many have been sharing an article pertaining to the ransomware attack and seem to be nervous as to what information could be leaked,” Aiello said in an email. “Not too many have commented on how MSU has chosen not to pay the ransom. Overall, though, it is hard to gather feelings about this issue because we are not on campus right now.”
To Pay or Not to Pay?
Columbia College Chicago and the University of California, San Francisco, appear to have taken a different approach in responding to the attack, said Brett Callow, threat analyst at cybersecurity solutions company Emsisoft. “Their data is no longer on the NetWalker blog, suggesting that they either paid the ransom or negotiated to have the information taken down,” he said.
Neither institution responded to questions on whether or not they paid the ransom demanded by hackers or addressed the scale of the breaches. Like Michigan State, both institutions stated they were unable to share much information, as investigations are ongoing.
The University of California, San Francisco, shared a statement that confirmed “an illegal intrusion into a specific area of our IT environment” was identified June 1.
UC San Francisco is one of the research institutions leading efforts in the U.S. to find possible treatments for COVID-19. Several media reports have suggested that this research and potentially lucrative associated intellectual property may have made the institution an attractive target for hackers.
The university has not confirmed the target of the attack.
“We believe our actions isolated the intrusion to the area that was targeted,” the university said in a statement. “Importantly, our patient care delivery operations are not impacted, and the incident does not affect our overall campus network.”
“We have engaged an IT security firm and have reached out to law enforcement. With their assistance, we are conducting a thorough assessment of the incident, including a determination of what, if any, information may have been compromised,” the statement continues. “In order to preserve the integrity of the investigation, we will need to limit what we can share at this time.”
An Evolving Threat
Historically, malicious software known as ransomware has been used by hackers to block access to computer networks and files -- causing huge inconvenience to the target. Access could be restored by paying a ransom to the hackers, or the target could choose to rebuild and replace the systems and information that were lost -- a potentially arduous and expensive process, depending on the scale of the attack.
Successful ransomware attacks are relatively unusual in higher ed, but they do happen. Monroe College was among a handful of institutions subjected to high-profile ransomware attacks last year. The impact on the college was huge -- students, faculty and staff members were unable to access the university website, learning management system or email for several days.
In response to these kinds of attacks, more organizations have invested in systems to back up their data, meaning that if access to information is blocked, the data are not lost. This has forced hackers to change their tactics, Callow said. In late 2019, hackers using ransomware began not just blocking access to information but threatening to share it on the dark web -- harming the reputation of the organization or institution involved.
Sometimes hackers won’t just publish information to the dark web but offer to sell it to the highest bidder, Callow said. He noted that there are no guarantees when dealing with hackers -- they may sell stolen information even if they get the ransom money they ask for.
“You can’t take them at their word,” he said.
Higher education institutions are required by law to protect student information, but have a long history of "really bad breaches of information" which are not always handled well, said Amelia Vance, director of youth and education privacy at the Future of Privacy Forum.
Often institutions are required to report data breaches at the state level. Suspected breaches must also be reported to the U.S. Department of Education, but there is some confusion about what constitutes a reportable data breach, said Vance. "If you read the guidance, there is a lack of clarity. It could cover everything. But there are plenty of clear-cut breaches, and I would characterize these recent incidents as breaches."
Preventing Future Attacks
One way that institutions can try to prevent sensitive data from being leaked is to ensure they do not hold on to information they don't need, said Vance. "We need institutions to continuously practice good data hygiene," she said.
Another option would be for colleges to encrypt sensitive information they are required to keep. This would make stolen information virtually worthless on the dark web since it would cost time and money for criminals to crack the encryption, said Vance. The problem with encrypting everything at the institutional level is usability. "If a system is overly complicated, people will just go around whatever the system is," said Vance. "It is a difficult balance to find the right way for institutions to do this."
Universities, unlike many companies, are unusual in that they often try to maintain relatively open networks to encourage collaboration and ease of use, said Mike Stanfield, senior security analyst at the Center for Applied Cybersecurity Research at Indiana University. Maintaining openness while trying to secure a network is incredibly difficult, he said.
Right now many faculty members are working from home on networks that may not be secure, making college IT leaders’ jobs even more difficult. “These attacks are coming at a really bad time, many people are working from home, we have all these porous perimeters," he said.
Many ransomware attacks are the result of phishing emails, where users click a link and inadvertently download malicious software. In recent months, phishing emails have used the fear and confusion relating to the COVID-19 pandemic to their advantage. To stop phishing emails from being successful, institutions can train college employees to identify suspicious-looking emails, said Stanfield. Two-factor identification is an important defense, too, he said.
Brian Kelly, director of cybersecurity at Educause, agreed these are important steps, but they may not necessarily defend against the NetWalker attacks. Publicly, CIOs may not be sharing much information about how these attacks take place and the indicators they are looking for, but there are networks where IT leaders are sharing information, such as the REN-ISAC network based out of Indiana University. "We can help each other without tipping off a hacker that we're on to them," said Kelly.
Kelly and Stanfield agreed it is important for IT leaders in higher ed to be monitoring these networks and talking to their peers. Cyberattacks are constantly evolving, and failure to keep up with new intelligence can have dire consequences.
“It’s a constant game of cat and mouse,” said Kelly. “As soon as we understand one threat, a new one emerges."