Multiple higher education institutions have now confirmed they were victims of data theft related to a security flaw in file transfer software sold by IT security company Accellion, but the true scale of the data breach is still not fully understood.
Sensitive information from the University of California system, Yeshiva University, the University of Miami, the University of Colorado, Stanford University’s School of Medicine and the University of Maryland, Baltimore, was recently discovered on the dark web in connection with the Accellion cyberattack, which took place earlier this year.
All institutions have confirmed they are customers of Accellion and are actively investigating the incident.
Data files that include personal information such as Social Security numbers were stolen from the universities and made available to download via a website called Cl0p that is run by cybercriminals. A sample of documents reviewed by Inside Higher Ed included academic transcripts, medical records, research grants and employment contracts.
The Cl0p website is known to publish samples of stolen data and then demand a ransom not to publish the rest of the information.
So far, no institution has said it was affected by a ransomware attack, although institutions have reported differing experiences. The University of Maryland, Baltimore, received no ransom note, and no software was placed on its system, according to a spokesperson. The University of California system warned that threatening mass emails have circulated, however.
A vulnerability in Accellion’s file transfer software was first exploited by cybercriminals in December 2020 and then again in January 2021, a recent report commissioned by Accellion from cybersecurity forensics company FireEye found.
More than 3,000 organizations including companies, government agencies, hospitals and universities are customers of Accellion, which markets itself as a specialist in secure file sharing.
The Cl0p website has been publishing data from the Accellion breach on a staggered basis, with some organizations seeing around 50 folders of stolen data published in installments, said Brett Callow, threat analyst at cybersecurity company Emsisoft, in an email. He noted the website is still adding new victims, which could include more universities.
Cybercriminal groups such as Cl0p, Ryuk, Netwalker and DoppelPaymer that share data on .onion domain websites are commonly associated with ransomware attacks, a strategy in which malicious software is used to block access to computer systems until a ransom is paid. Recently, this extortion strategy has evolved: criminals now demand payment not only to restore access but also to stop the publication or sale of sensitive information.
The data stolen in relation to the Accellion data breach is the latest example of the evolving cyberthreat facing universities. Just last month, the FBI's Cyber Division warned that educational institutions are being targeted in ransomware attacks, and the IRS warned of a tax refund scam targeting .edu email addresses. Moody's Investors Service declared last week that cyberattacks targeting higher education pose an increasing credit risk for universities since classes and essential operations can easily be disrupted.
The University of Maryland, Baltimore, discovered that stolen information was being shared on the Cl0p website following “a wave of phishing attacks on our network,” said Alex Likowski, director of media relations for the university.
“We immediately shut down all traffic from the IP address in question, then investigated the source of the attacks. That investigation led us to a site that indicated a limited number of UMB files had been compromised,” Likowski said.
Since learning of the breach, UMB has contacted all individuals affected as well as state and federal law enforcement, Likowski said.
“We have also explained the issue to our entire campus community,” Likowski said. “We will continue to monitor the hackers’ site and watch for other signs of illegal activity.”
Accellion has fixed all known vulnerabilities in the file transfer application software that cybercriminals attacked, said Jonathan Yaron, the company's chief executive officer, in an online statement published at the beginning of March.
The affected Accellion software has been described as a legacy product whose support the company was already planning to retire. Its end-of-life date has now been brought forward to the end of this month, Yaron said in a statement.
What Can Universities Do?
Monitoring the dark web, including websites such as Cl0p, is part of most colleges' and universities’ regular security operations, said Brian Kelly, director of cybersecurity for Educause, a membership organization for IT professionals in higher education.
“Monitoring for this type of information is part of a holistic cybersecurity strategy and provides indicators of compromise beyond ransomware,” said Kelly.
The Research and Education Networks Information Sharing and Analysis Center, or REN-ISAC, at Indiana University plays an important role in helping institutions stay on top of cyberthreats, Kelly said.
REN-ISAC monitors the dark web and sends reports to higher education institutions thought to be the victims of attacks. Within Educause, cybersecurity professionals also support each other by sharing information on threats and responses, as well as discussing best practices, Kelly said.
Accellion customers are encouraged to upgrade to a new file transfer platform called Kiteworks if they have not done so already, CEO Yaron said.
Some higher education institutions indicated that they stopped using Accellion’s file transfer software as soon as they learned of the data security incident.
“We are still in the process of investigating the nature and scope of this incident, but we are aware that the vulnerability may have resulted in unauthorized access to files stored on the Accellion platform,” a Yeshiva University spokesperson said in an email. “We have confirmed that this incident is limited to the Accellion application and there has not been any unauthorized access to Yeshiva’s computer systems.”
The University of Miami followed a similar approach.
“As soon as we became aware of the incident, we took immediate action to investigate and contain it, including immediately disabling the Accellion server used for secure file transfers,” Megan Ondrizek, executive director of communications and public relations for Miami, said in an email. “Based on our investigation to date, the incident was limited to the Accellion server used for secure file transfers and did not compromise other University of Miami systems or affect outside systems.”
Both Miami and Yeshiva said they are working to identify which files were stolen and will notify any individuals whose personal information may have been accessed by unauthorized parties.