Cyberattacks as a business: California homeland security assessing ransomware attack on Sierra College, report says
California’s homeland security agency is assessing a ransomware attack that crippled Sierra College’s online services last month, and has identified the specific type of ransomware attack suffered by the college, according to a report obtained by The Union.
The report, released by California’s Cybersecurity Integration Center, an agency affiliated with the state’s Homeland Security Division, states that the college was the target of a “PYSA” ransomware attack — a type of attack that is increasingly being used to target universities and educational institutions throughout the United States, according to the FBI.
While Sierra College is not named specifically in the CCIC’s report, multiple faculty members at the school have identified the report as referring to Sierra College, after it was first shared in a private faculty Facebook group. Additionally, the agency’s report states the attack happened May 19 — the day of the ransomware breach on Sierra College.
“PYSA,” which stands for “Protect Your System Amigo,” is a type of attack where a criminal ransomware enterprise rents out their method of cyberattack to an affiliate group of hackers, who then can target a specific entity, such as a college or business, according to Professor Peter Reiher, a cybersecurity expert at the University of California, Los Angeles.
This method of ransomware breaching is growing in popularity among hackers, and is popularly known as “ransomware as a service,” Reiher said.
“This is an example of how cyberattacks are now a business, with products and services offered to those who wish to be in the business by more capable software developers,” the professor explained.
As a result of the attack, Sierra College temporarily lost access to Canvas, its learning management system, which facilitates assignment submissions and grading, as well as communication between faculty and students. The college’s main website, http://www.sierracollege.edu, was also disabled, as was the college’s payroll system, according to Joan Merriam, a communications professor at Sierra College.
Those systems have since been restored for the most part, Merriam said, and a statement released last Friday by the college said that “most services are back online, and registration is open for summer and fall semesters.”
While these systems have largely recovered, the college has declined to comment on what data the ransomware attackers had access to, leaving students and faculty wondering if their own personal information may have also been compromised, Merriam said.
“They absolutely have not been transparent about what data has been compromised,” she added. “They’ve been trying to keep us updated in terms of we’ll be OK by next week or whatever, but they haven’t even whispered a word about personal information.”
Sierra College is wrapping up Phase 1 of its plan to rebound from May’s incident, with the school’s IT team working with an unnamed third-party cybersecurity firm to reboot critical systems and gather data assessing the attack, Merriam said. Phase 2 of the recovery effort, which appears to be underway, will focus on revamping the school’s desktop computers, which were taken offline by the attack, she added.
Sierra College was contacted multiple times for comment on the CCIC’s report, as well as with inquiries about what measures the college would implement to prevent repeat PYSA/ransomware attacks. College officials declined to comment on any aspects of the incident, citing the need to protect the confidentiality of their ongoing investigation of the attack.
PYSA is becoming an increasingly popular method of cyberattack used by criminal groups against colleges, as it requires little technical expertise on the part of the hackers and exploits weaknesses common among most college networks, Reiher said.
“Colleges and universities tend to be soft targets,” he said. “First, they have lots of people who connect to them. Many of them are students, over whom the institution has less control than over staff or faculty. Second, higher education institutions have a tradition of openness, more so than companies or government agencies. That tends to lead to weaker controls over what happens on their machines and networks.”
The groups behind PYSA attacks tend to be located in countries with poor diplomatic relationships with the United States, thus insulating them from prosecution, according to Robert Osgood, a retired FBI agent who is currently a professor at George Mason University. The most common countries of origin for PYSA attacks are Russia, China, North Korea, Iran, and a few Eastern European states, Osgood said.
Osgood and Reiher both said that a major advantage of PYSA attacks is that groups that lack the computer science knowledge required to conduct a sophisticated ransomware breach can work with cybercriminals who have developed a generic system of attack.
“It’s a matter of simplicity for the attacker,” Reiher said. “PYSA is a service, so an attacker need not have much in the way of technical expertise themselves. They mostly just pay to use it and get the service. That’s a lot easier than figuring out how to handle the encryption and other aspects of the attack oneself.”
Sierra College has declined to comment on how the security breach that allowed for the ransomware attack may have occurred. However, it only takes one person clicking on a phishing email sent by the cybercriminals to give the group the foothold they need to then “tunnel” from one part of the college network to other systems, according to Osgood.
For instance, a hacker with access to the school’s learning management system could subsequently gain access to the college’s registrar system or the system used to confer degrees on graduating students, Osgood said. This scenario can be prevented if the college is prepared, he added, the most important step being to properly “segment” the school’s critical systems to prevent a hacker from tunneling from one system to another.
Institutions such as Sierra College also need to do more to educate students and staff on how to identify phishing scams, so as to prevent cybercriminals from gaining an initial foothold in the system, Osgood and Reiher both said.
Both experts’ recommendations are echoed in the CCIC’s report, which advises Sierra College officials to implement means of “network segmentation” to help isolate security breaches, rather than allowing the breach to potentially compromise all systems. The report further recommends that Sierra College should “conduct regular phishing training and testing among all levels of staff,” so as to minimize incidents where students and staff download malicious files sent from ransomware criminals.
The California Cybersecurity Integration Center could not be reached for comment on its investigation of the ransomware attack.
Stephen Wyer is a staff writer with The Union. He can be reached at email@example.com