Opinion: Cyber Siege on U.S. Industries Threatens Higher Ed

From the SolarWinds hack to the more recent, serious disruptions of Microsoft and Change Healthcare, cyber attacks on industries that do business with universities create vulnerable points of entry for cyber criminals.

In 2024, a dangerous new wave of cyber attacks descended upon the United States. While cyber breaches have unfortunately become commonplace, news agencies are reporting potentially catastrophic hacking activities by foreign entities against U.S. government agencies and corporations. These attacks could very well pose significant risks and damage throughout all sectors, including higher education.

MARCH OF THE HACKS


In February 2024, the Associated Press reported that state-backed Russian hackers “broke into Microsoft’s corporate email system and accessed the accounts of members of the company’s leadership, as well as those of employees on its cybersecurity and legal teams.” IT professionals likely remember the infamous SolarWinds security hack that began in 2019 and wasn’t publicly reported until December 2020. SolarWinds provides SaaS solutions for infrastructure, supply chain management and network administration. Russian hackers, known infamously as Cozy Bear, hacked into a backdoor of software called Orion and gained access to system files without detection. The hackers used a supply chain attack by injecting malicious code into a software update, potentially providing access to confidential information of approximately 18,000 customers. According to a White House press briefing in February 2021 by Anne Neuberger, deputy national security advisor for cyber and emerging technology, nine federal agencies and about 100 private sector companies were compromised. Whatever the final number, the disruption to thousands of customers and the financial cost was significant.

In a blog post last month, the cybersecurity company Proofpoint described another major hack by Cozy Bear that caused a major user data leak affecting Microsoft Azure security. The hackers effectively used phishing methods to steal credentials and take over cloud accounts to gain access to Microsoft 365 applications, as well as Office Home.

As of March 2024, Microsoft is still trying to evict this hacker group. The headline of a March 9 article in Fortune magazine says it plainly: “Microsoft admits Russian state hack still not contained. ‘This has tremendous national security implications.’” Why is this cyber breach so dangerous? It turns out the hackers “used data obtained in the intrusion … to compromise some source-code repositories and internal systems,” according to Fortune. The hackers simply utilized individual phishing emails with shared documents. If customers clicked on embedded links, it would send them to a malicious website, providing an open door for a security breach. These breaches not only affect Microsoft directly but would likely have a significant impact on higher education through software and server services such as Azure.

HEALTH CARE PAYING A KING’S RANSOM


In February 2024, Change Healthcare, which was recently purchased by UnitedHealth Group, reported some of its systems were “currently unavailable.” Change Healthcare manages such things as health-care payments and insurer requests for care authorization. KFF Health News reported that the company “supports 14 billion clinical, financial and operational transactions annually.” If your college or university is affiliated with a medical unit or department, you may have already experienced the impact. As soon as the breach was recognized, Change Healthcare disconnected their systems from further attack, but by then, it was too late.

According to a March 4 article from Wired magazine about the ransomware attack on Change Healthcare, “a group known as AlphV or BlackCat received a $22 million transaction that looks very much like a large ransom payment.” If there was indeed a ransom paid, it highlights the vulnerability of health care and how lucrative a target it is for hackers. The fiscal impact of this ransomware attack is staggering. Carter Groome, CEO of the digital risk management company First Health Advisory, told CNN earlier this month that some health-care providers are losing more than $100 million per day on account of this outage.

U.S. CYBERSECURITY AGENCY HACKED


In February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) was hacked, which caused several of its key computer systems to be shut down. One of these systems is used to share cybersecurity assessment tools, while the other system is tied to information on the security of chemical facilities. According to CNN, the hack “occurred through vulnerabilities in popular virtual private networking software made by Utah-based IT firm Ivanti.” This example clearly illustrates no entity is immune to sophisticated cybersecurity attacks, breaches and ransomware events.

HIGHER ED AND LARGE ATTACK SURFACES


While much of the news media continues to focus on corporate cyber attacks, the effect on higher education continues to grow. Higher education is certainly fertile ground for hackers due to its burgeoning footprint, or “attack surface,” for potential cyber attacks and data breaches. In a January blog post for the cybersecurity risk management company UpGuard, cybersecurity writer Edward Kost defined an attack surface as “the total sum of all the possible entry points through which an attacker can enter and exploit a system, network or application. It's the collection of all potential vulnerabilities within a particular digital environment.”

The digital footprint of colleges and universities throughout the United States grows daily as websites are created, edited and reposted. Many of these sites are rarely maintained, and with continually shifting staff, the official repository of web assets can be difficult to track and report. These websites can be associated with student and staff data, research and intellectual property. The scope of the problem is emphasized in the findings of UpGuard’s University 2023 security rating data research:

  • The top 1,500 U.S. universities have an average of 244 domains.
  • The top 500 universities have an average of 616 domains.
  • The top 100 universities have an average of 1,580 domains.

WHAT CAN YOU DO?


To carefully navigate the cyber minefield, an institution must have a strong cybersecurity philosophy, process, protocols and training. Ensuring the campus actively works to minimize its institutional “attack surface” is critical. With fresh staff being hired, leaving or retiring, it is imperative to have solid cybersecurity training, qualified staff, and the necessary cybersecurity tools, software and hardware in place. When an institution works with third-party vendors, it is especially important for it to assess and document how data is stored, how cloud services are assessed for security and privacy requirements, and what cybersecurity protocols and practices vendors have, and to review these continually. Lastly, clear and concise communication to campus stakeholders is important, coupled with strong campus leadership that continually advocates for and strengthens the institution’s cyber philosophy.

Although March 2024 was a particularly cyber-centric month, there is reason to believe the rest of the year will bring new and unprecedented cyber breaches. Cybersecurity is not a one-and-done proposition. Let’s march through the rest of the year by being informed, determined and proactive.

Editor's Note: A previous version of this story said the SolarWinds hack affected 20,000 customers. It has been updated to reflect that approximately 18,000 customers downloaded the affected software update, and an estimated 100 companies were successfully hacked.
Jim Jorstad is Senior Fellow for the Center for Digital Education and the Center for Digital Government. He is a retired emeritus interim CIO and Cyber Security Designee for the Chancellor’s Office at the University of Wisconsin-La Crosse. He served in leadership roles as director of IT client services, academic technologies and media services, providing services to over 1,500 staff and 10,000 students. Jim has experience in IT operations, teaching and learning, and social media strategy. His work has appeared on CNN, MSNBC, Forbes and NPR, and he is a recipient of the 2013 CNN iReport Spirit Award. Jim is an EDUCAUSE Leading Change Fellow and was chosen as one of the Top 30 Media Producers in the U.S.