Yesterday, I was drawn into a controversy over an SNSI webinar. After the webinar, there was a bad-faith effort to distort the words of a university cybersecurity person in order to foment a conspiracy theory about publishers seeking to install spyware on university systems. It was bogus, but raised the issue of network security overall, with all the attendant complexities, including Sci-Hub, ransomware, and hospital systems.
This year more than any other, universities have been bilked for millions of dollars by ransomware. But network security does not stop at privacy or finances — in September, a ransomware attack at the University Hospital Düsseldorf crashed systems, forcing the hospital to turn away emergency department patients. As a result, a woman with life-threatening conditions had to be sent to a hospital 20 miles away. She died due to the resulting treatment delays, according to German authorities.
As with many other shady things online, much of the ransomware targeting universities has a Russian connection, with the most well-known ransomware — NetWalker — having been created by a Russian-speaking group of hackers. It was discovered in September 2019, but an internal timestamp puts its origin at August 2019. It’s been associated with attacks on Michigan State University, University of California-San Francisco, Columbia College in Chicago, and the Champaign-Urbana Public Health District (which services 210,000 people, including the University of Illinois) documented. UCSF had to pay more than $1 million in ransom. Other universities, refusing to pay ransoms, have had to conduct complete system wipes and rebuilds, an expensive and time-consuming process in and of itself.
In 2018, a group called SecurityScorecard analyzed nearly 2,400 companies with a footprint of 100 or more IP addresses in the education industry. Compared to all other major industries, they found that the education industry performed last in terms of cybersecurity performance, performing poorly in patching cadence, application security, and network security.
Other institutions experiencing ransomware attacks over the past few years include University College London, the University of Utah, Newcastle University, Simon Fraser University, Maastricht University, University of York, University of Calgary, a host of other UK universities (Oxford Brookes, Loughborough, Leeds, London, Reading, Exeter and University College, Oxford), the Rhode Island School of Design, Ambrose University, and Boston University. One in four UK universities acknowledge having been subject to a ransomware attack.
The NetWalker group is so successful that it is moving to a ransomware-as-a-service (RaaS) model, as they get a share of any ransoms paid. It’s franchised computer crime.
With Covid-19, Russian and North Korean hackers have been targeting medical research, with Microsoft disclosing last week that seven companies involved in the trials of new vaccines are being actively targeted. Of course, academic researchers affiliated with these trials may also be targets. Russia started its attempts in the early summer (via the notorious Cozy Bear group), and may have absconded with critical information they’ve used to put their own vaccine into the field.
It’s impossible right now to draw a straight line between Sci-Hub’s incursions and the current wave of ransomware and other network incursions into university systems. They may be unrelated, or we may learn that they share more than just a temporal connection. NetWalker works partly by phishing network logins from users, much as Sci-Hub has done in the past, and the plausibility of Sci-Hub being affiliated with Russian organized crime has only grown over time. Whatever you may think, it’s clear that allowing Sci-Hub to traverse university computer networks doesn’t improve network security, and as part of an industry running dead last in security, that can’t be acceptable.
This is why the past week’s forced and bad faith naïveté around the SNSI webinar specifically — and, more generally, university network security issues and publishers as good faith partners in these efforts — hit me so wrong. Safety is an emerging expectation for everyone, and computer networks are a significant part of that, even moreso now that we’re mostly virtual for the next many months.
It’s going to take concerted efforts to improve the situation, including becoming comfortable with arming the combined network security forces — consisting of universities, publishers, vendors, and experts — with the tools they need to stop and catch criminals.
The third iteration of the professional and job impacts survey is now open. If you haven’t responded yet, there is still time. Just click below, and thanks: