“Gone Phishing: Service Continuity after a Cyber Attack”
On May 20, 2021, ACRL presented the webinar “Gone Phishing: Service Continuity after a Cyber Attack,” which was sponsored by the Scholarly Networks Security Initiative (SNSI). Addressing the increasingly commonplace threat of cyber attacks on higher education institutions, this webinar discussed how many academic libraries are not prepared to handle cyber attacks, whether large-scale or small-scale, the impact such attacks have on operations, and the lasting repercussions on both people and services. Three librarians discussed an initial incident of a cyber attack at their institution, the impact it had on their library (and elsewhere), the lessons learned while recovering from such an attack, the emotional toll inflicted upon the library and its community, and the long-term changes and repercussions once recovery had been obtained.
DID YOU KNOW? The National Cyber Security Center in the United Kingdom places the education sector as the third largest target for cyber attacks – ahead of retail! This is due to the fact that most universities routinely store a tremendous amount of personal data.
The panel of librarians were Erin McCaffrey, Dean of the Library and Director of the Center for Student Success at Regis University; Kristina Vela Bisbee, Journalism and Government Information Librarian at Columbia University; and Romel Espinel, Web Services and Instruction Librarian at Stevens Institute of Technology. Melissa DeWitt, Research and Instruction Librarian with Regis University, served as the moderator. The archived webcast recording is available at: https://www.youtube.com/watch?v=krKOwhZmqYI.
First up in describing a cyber attack experience was Erin McCaffrey. In the early hours of August 22, 2019, Regis University was struck by a cyber attack. All of the technology systems were brought down as a precautionary measure, including telephones, email, websites, all online programs, and university-owned computer hardware, which employees were not able to use for quite some time. There is never a “good” time for a cyber attack, but this one occurred at a particularly busy time for the university, as summer courses were coming to an end, and it also coincided with residential students moving onto campus in preparation for the fall terms. As a result of this attack, summer courses were extended by a week. Residential students started their new semester on August 26th as planned. The university’s residential Wi-Fi network was restored a few days later, causing online and accelerated term courses to be delayed by about a week. On September 1st, the university’s online learning management system was restored, allowing those online and accelerated term courses to start on September 3rd. Regis University also quickly established an alternative website which was used to communicate information to the university community. At the time of the cyber attack, McCaffrey reports, the university had approximately 100 applications or services that were in regular use, with almost 200 services being supported in the library’s data center. All of these were brought down by the cyber attack. Five months later, it was learned that it was a ransomware attack, and the university paid the hackers. There is no evidence that the library’s data was compromised in the attack. Federal and third-party investigators were unable to determine the root cause of the attack, although it did originate from outside the United States. McCaffrey stated that their back-ups were attacked first.
Regis University’s institutional continuity plans that were already in place were based on having those back-ups. Because those were compromised in the attack, the university’s IT department made the decision to rebuild and update systems. As a result, the road to recovery for Regis University was a long one.
Romel Espinel spoke next of his cyber attack experience. Like the one McCaffrey described, this cyber attack occurred in the month of August, but a year earlier, in 2018. Seventy-five campus members received a ransom message upon logging into the Stevens Institute of Technology’s network. As a result, IT shut everything down, with classes about to start in three weeks. No printing, scanning, or accessing the institute’s computers could be done. Employees had to work off of their smartphones and use their own data plans and Wi-Fi. Each of the institute’s computers had to be taken offline, cleared, and scanned for viruses. What was really a challenge, says Espinel, was not having computers or Wi-Fi to use on campus, so it was certainly taxing to find things to do during this time, such as making signs. He compared it to a blackout in that operations resumed only slowly. The institute was able to get back online with its Wi-Fi in time for the start of the fall semester, but the effects of the cyber attack continued to linger right up until the COVID-19 pandemic hit in March of 2020. Espinel joked that it was like jumping from one crisis to the next!
Lastly, Kristina Vela Bisbee relayed her cyber attack experience, which was a unique one. In May of 2019, hackers tried to access and alter military intelligence that was provided to Columbia University by the libraries. This was done by impersonating a Columbia student, and by using the library’s various channels for research support to gain access. The very channels which the library relied upon to make itself accessible to its users, such as virtual reference and email reference web forms, were what made it vulnerable to this cyber attack. The database which was compromised – which Vela Bisbee would not disclose – was prominently featured in the library guides and its publicly indexed website. She hinted that it was not your typical library vendor. It is an industry database which is a valuable resource for expert faculty in international affairs and political science, but it would not prove to be very useful for your typical undergraduate student who is thinking of majoring in political science.
Someone claiming to be a Columbia University student was trying to access this particular database by contacting the vendor directly for assistance. In an email copied between Vela Bisbee, the vendor, and the “student,” Vela Bisbee learned that she was the primary contact for relations between this database and the university. In a separate email thread between just herself and the vendor, the vendor alerted Vela Bisbee that it believed that the hacker was spoofing the university’s IP address. At first, the hackers emailed Vela Bisbee directly. As she ignored their requests, the hackers began to email other librarians at Columbia University and drop her name to give leverage to the requests that they were making. Some of the requests Vela Bisbee was getting were for high resolution images of aircraft carriers or maps of military bases. In several instances, there were requests for the library to actually reach out to the vendor to change or alter information in this database, such as technical specifications for drones and surveillance devices being used in the Middle East. Despite this database not being used primarily for academics, Vela Bisbee says, “This resource was really a feather in the library’s hat. This was our way of showing that we are legitimate to our users. And it was also something that we had been using for a very long time without any issues, so this was something that kind of blindsided us.”
Over the course of two weeks, the library had about twenty different referrals from the same user through a variety of channels. The hackers were emailing individual librarians and librarians at different locations on campus and filling out online reference help forms. Most chilling to Vela Bisbee was the hackers’ use of the library’s chat reference: “They were speaking to a librarian in real time and troubleshooting access. Because our library system is so decentralized, some of these attempts came pretty close to a security breach, especially when the hacker was speaking with students or staff who don’t normally work with patrons in this area and therefore may not have recognized the threat.” It was a short and intense period in which the hackers were testing all the library’s defenses. It was also not just one student being impersonated; the hackers were impersonating multiple, currently affiliated students. The cyber attack resulted in Columbia University canceling its subscription to that database. Vela Bisbee even contacted the FBI about this but has not heard back from them.
The emotional impacts of the cyber attacks were also widely felt throughout the libraries and their campuses. Vela Bisbee recalled feeling awe, embarrassment, and frustration at the idea that her name was being invoked in the hackers’ correspondence and afterwards; she felt responsible. McCaffrey felt dismayed at not being able to serve the students the way the university should. Like Espinel, McCaffrey and her co-workers had to use their personal devices for a while, and some reached the limits on their personal data plans. Eventually, Chromebooks were purchased for the library; McCaffrey made sure that every department had access to these once wireless access had been restored on campus but before the employees all had their university computers returned. Espinel spoke of the four stages of emotional impact after a campus-wide cyber attack. The first stage is shock: shock that an attack of this nature can shut down normal, everyday, mundane operations such as calling a co-worker on their office telephone. Everything comes to a halt, and it is easy to overlook that a cyber attack has not only huge repercussions but smaller ones as well. The second stage is uncertainty. When will things get back to normal? How are the powers that be resolving this issue? How can we be better protected from a cyber attack? When are we going to get our systems back and operational so we can provide services for the students to ensure their success? Frustration, and sometimes even anger, is the third stage. Why has this not been resolved? Were there emergency plans in place beforehand in case of an attack? Lastly, the fourth stage is continued uncertainty. It resonates for a very long time. Espinel said that it makes you think of how we can be ready for the next attack should it happen.
Is there a silver lining to this experience? Absolutely. Who could have predicted that just over the horizon, a pandemic was brewing that would disrupt basic day-to-day services globally and completely turn the academic world upside-down? The actions taken to effectively combat a campus-wide cyber attack, such as creating a communication chain (something as simple as having each other’s personal telephone numbers) and establishing electronic back-ups, can only have better prepared these institutions for handling the COVID-19 crisis.