Detroit Free Press

U-M may have good reason to be tight-lipped

2020 California cyberattack case a cautionary tale

- Frank Witsil and Matthew Dolan Contact Frank Witsil: 313-222-5022 or fwitsil@freepress.com.

University of Michigan officials offered no motive for what one regent, who said he was briefed on this week’s internet outage, reportedly described as a “targeted attack” on three of its campuses’ online systems, nor has a suspect been identified.

But even if that is known, there may be good reason not to disclose it if anything like what happened in 2020 to the University of California-San Francisco is in play here.

What makes the 2020 case especially unusual is that not only did UCSF fall victim to an attack, but the private back-and-forth ransom negotiations were also leaked to a news organization, adding to the university’s violation and embarrassment.

It also shows, as UCSF warned in 2020, “the growing use of malware by cyber-criminals around the world seeking monetary gain, including several recent attacks on institutions of higher education.”

Experts say universities, schools, governments, hospitals, businesses and even the military are increasingly vulnerable to cyberattacks and ransomware, an effort to extort money by threatening to lock out systems or release sensitive information. They also say that agreeing to an attacker’s demands is often a bad idea.

Still, while the California case might not be representative of what is happening at U-M, it shows what kind of cyber dangers exist and the need for digital security and offers insight into why victims are reluctant to discuss the details of the cyberattack.

Regent Paul Brown was quoted Tuesday saying that the cyberattack was aimed at U-M.

And U-M President Santa Ono was more circumspect but disclosed that public safety and “federal law enforcement partners” had become involved, but also suggested that sharing too much information could “compromise the investigation.”

‘Significant progress’ on outage

U-M said Tuesday afternoon after three days of the outage that its cybersecurity experts have made “significant progress” during the past day, and that all students, faculty and staff “can now authenticate into their U-M accounts and access umich.edu when using off-campus and cellular networks.”

But without knowing everything that U-M is dealing with, that progress could be just one of many hurdles.

U-M officials have made no mention of any kind of ransomware or an extortion attempt, and neither the FBI nor Homeland Security, two federal agencies that potentially could be involved with investigating cybercrimes, would confirm to the Free Press involvement in an investigation.

The state Attorney General’s Office told the Free Press that it wasn’t investigating the U-M attack.

Still, in the 2020 case, UCSF said it detected a security incident in what it said was “a limited part” of its school of medicine’s information technology environment. It quarantined several systems as a precaution and isolated the incident from the network.

UCSF said it “stopped the attack as it was occurring.”

But the attackers, identified in news reports as Netwalker, also managed to launch malware, or damaging viruses, that encrypted servers and made them temporarily inaccessible unless the university paid a ransom. The second cyberstrike locked down vital information, and, UCSF said, forced it to pay $1.14 million as a part of the ransom demand.

Reporting ransom negotiations

In the California case, UCSF said it made a difficult choice, but, in the end, decided the encrypted data was just too important to “some of the academic work we pursue as a university serving the public good.”

UCSF’s humiliation, however, didn’t stop there.

The London-based BBC News said in its reporting that an anonymous tip allowed the British news outlet to follow the ransom negotiations between Netwalker and the university. The back-and-forth dealmaking unfolded, the BBC said, over hours “in a live chat on the dark web.”

For the negotiations, the BBC reported, there was a countdown clock, which created pressure. The university asked for more time and begged to bring down the ransom demand. The amount started, the BBC reported, at $3 million. The university countered with $780,000.

The attackers balked.

So UCSF upped its offer to $1.02 million. The attackers said anything below $1.5 million was too low.

UCSF finally offered a little more than $1.14 million and, the next day, sent Netwalker bitcoin.

UCSF said just after the cyberattack it was “working with a leading cyber-security consultant and other outside experts to investigate the incident and reinforce our IT systems’ defenses.”

And in 2021, the FBI announced a coordinated international effort to disrupt Netwalker, which the federal agency said has affected several groups, including municipalities, hospitals, police and colleges and universities. It added, as advice, that coming forward as soon as possible after an attack boosts the chances of catching the criminal.

U-M President Santa Ono disclosed that public safety and “federal law enforcement partners” had become involved, but also suggested that sharing too much information could “compromise the investigation.”

KIMBERLY P. MITCHELL/DFP Ben Rosenfield, 18, of Birmingham, talks Tuesday about his experiences on campus before and after the internet went down at the University of Michigan in Ann Arbor. U-M said Tuesday that its cybersecurity experts have made “significant progress.”
