Just in Time for Fall Term, a Cyberattack Forces an Entire College’s Systems Offline

A debilitating malware attack has forced a college known for “powerhouse” cybersecurity programs to shut down all its systems, just as it prepares for the fall semester.

On August 8 the Stevens Institute of Technology noticed “system-access issues” and alerted users to what it later called a “very severe and sophisticated” cyberattack. The college disabled its systems and networks as a precaution, it said, apparently disrupting a swath of tasks needed to run the college: email, payroll, tuition payments, class scheduling, summer course assignments, its virtual private network, and more.

Stevens pushed back its deadline for tuition payments twice. It told student employees they had another week to clock their hours. It extended the summer term to August 25.

The college, a private research institution of about 7,000 graduate and undergraduate students in Hoboken, N.J., has said in updates on its website this week that it is making “very good progress.” Technicians have recently cleared more than 300 users for “critical” systems, the college said, and it expects to restore email this weekend.

A spokeswoman told The Chronicle that the college was still investigating, but it believes that the attack is “now contained” and has found no evidence that personal data have been exploited.

Experts warn that cyberattacks are a mounting threat to colleges, whose defenses lag behind. Last month the Education Department said hackers had reportedly targeted at least 62 colleges to create hundreds of fake accounts and potentially retrieve student records. (The department later said it had “not found any instances” of exploitation.) In March, The Wall Street Journal reported that Chinese hackers had targeted several prominent colleges in the United States to steal research for military use.

Stevens itself noted that it was “not alone in experiencing sophisticated malware attacks, which have been escalating in frequency and intensity worldwide.”

Colleges are racing to train enough experts in the field to stop those and other cyberattacks, which have threatened the country’s biggest companies, banks, and the U.S. government. Stevens, a member of the National Centers of Academic Excellence in Cyber Defense, a program run by the National Security Agency and the Department of Homeland Security, has previously billed itself as a leader in that effort.

Openness as Vulnerability

While it may be tempting to view that status as ironic in light of the hack, a college’s cybersecurity programs usually have “nothing to do with the operational security of the university IT system,” said Jonathan Katz, a professor of computer science at the University of Maryland at College Park and the director of the Maryland Cybersecurity Center.

Stevens declined to specify details of the attack, citing “the ongoing forensic as well as law-enforcement investigation into the incident.”

“We look forward to welcoming all students to campus in the coming days,” the college said in an emailed statement. “Activities for new and returning student move-in and new-student orientation are proceeding as planned, and all students will have their schedules before their classes start.”

Since Wednesday the college has offered more details about its next steps and urged community members to reset their passwords and back up data.

The use of file-sharing systems like Google Drive and Dropbox “could be affected,” but the college expects to restore that soon. Data in other cloud-storage systems, such as Workday and Canvas, do not appear to be at risk, the college said.

The attack appears to have targeted Windows systems. The college said mobile phones and Apple computers do not seem to have been threatened, though Windows tablets could have been.

Late Thursday night, the college said users could expect to hear by Friday or Saturday about how to get back onto email, Canvas, and Workday.

“Colleges and universities have some challenges that maybe don’t exist as much in the corporate world,” Katz said. “Generally speaking, they like to be very open.” Nor do they usually have the sheer resources of an Equifax or a Capital One — two American companies that have been hit by major data breaches in recent years.

But they should still follow best practices for cyberdefense, including two-factor authentication and regular updates of software, Katz said. They should also train users to resist “social engineering” attacks, like phishing attempts, that prey on human error.

Colleges may not view themselves as money pots for hackers, compared with other organizations, said Carl E. Landwehr, a research scientist at George Washington University’s Cyber Security and Privacy Research Institute. But they’re confronting their own susceptibility as targets rich with sensitive research and personal information.

The motives of Stevens’s hackers remain unclear. But colleges generally can offer “a source of ideas,” Landwehr said, “and I think they have to become more aware of that.”

Follow Steven Johnson on Twitter at @stetyjohn, or email him at steve.johnson@chronicle.com.