Education Security

'Security Concerns' Caused Three-Day Internet Outage at the University of Michigan Last Week (cbsnews.com) 19

On August 30th the University of Michigan announced it had finally restored its internet connectivity and Wi-Fi network, according to the Ann Arbor News, "after several days of outages caused by a 'significant security concern,' officials said." The outage coincided with the first days of the new school year, although "classes continued through the outage."

The internet was shut down at 1:45 p.m. on Sunday, Aug. 27, after the Information Assurance team at the university identified a security concern, according to previous reporting. The Information Assurance team fights cybersecurity threats and malicious actors... The investigation into the security issue is ongoing and no other information will be released, said Santa Ono, president of the University of Michigan.

But a local CBS station heard some theories from cybersecurity experts:

"The fact that they took their systems down, like proactively took their systems down, is the indication that it is a cybersecurity incident," said co-founder and CTO of SensCy Dave Kelly. "The reason why you do that is that you don't want it to spread further."

"They probably didn't know to what extent they'd been compromised," senior penetration tester and ethical hacker at NetWorks Group Chris Neuwirth said. "They probably didn't know how many accounts were compromised or the initial entry point that the threat actor used to gain access into the network." Sources close to the investigation told CBS News Detroit that U-M detected malware on its Wi-Fi network and decided to shut it down in response.

So, did the school avoid a disaster? Neuwirth thinks it very well could have. "They likely had very robust backups and data recovery, plans, procedures in place that helped them make the decision very confidently and rapidly," he said. "Four days in that they're already bringing up their systems tells me that it's likely that a lot of what they had been preparing for worked."

Kelly said these types of incidents are on the rise. "There's been a large increase in cybersecurity incidents," he said. "It's been trending up, quite frankly, for the last several years. It used to be that these threat actors were targeting the government and Fortune 500 companies, but they've started to, more and more over the years, look at universities."

Thanks to long-time Slashdot reader regoli for sharing the news.

  • I don't know the details, but I heard that a big midwest ISP (that provided internet to a whole bunch of universities) got attacked. Tons of universities in the region lost internet for several days.
  • by lsllll ( 830002 ) on Saturday September 09, 2023 @12:59PM (#63834916)

    Sources close to the investigation told CBS News Detroit that U-M detected malware on its Wi-Fi network and decided to shut it down in response.

    That doesn't make sense. Maybe malware on computers connected to the WiFi? That HAS to be an ordinary day. My guess is that they detected suspicious outbound traffic from a few computers/servers and shut down the internet connection in response, then took several days to determine what had actually happened and restore servers to a known previous state or remove the malware and close the hack points. We may end up hearing what happened through a breach disclosure in the next couple of weeks.

    • Unplugging everything is not a bad tactic against a worm. If you have some plan in place to patch unaffected systems before plugging everything back in.

    • by alw53 ( 702722 )
      My employer was calling it a "network outage" for two weeks before they finally admitted it was ransomware. I actually read about the attack online before the president and CTO fessed up to us employees.
      • by alw53 ( 702722 )
        Then because employee data had been compromised they offered two years of Equifax monitoring lol.
    • by quetwo ( 1203948 ) on Saturday September 09, 2023 @04:52PM (#63835312) Homepage

      I have some inside knowledge on this one. The PR folks who were talking to the media and doing these releases keep confusing "WiFi" with "the network" and just about anything else techie.

      The University of Michigan took down their core network in order to isolate the security incident. The most popular theory of the security incident is correct. In this case, it was targeting specific research data that is highly controlled. Additionally, there were some internal attacks going on the network that didn't seem targeted but were most likely used to distract the security teams from the actual target. Taking down the core network and essentially "unplugging" from the network was the only way to disconnect the bad actors and make sure all systems were healthy before they could reconnect. And given how large and complex their network is, that takes a LONG time to audit and evaluate every system to make sure others weren't compromised.

      The WiFi was just ancillary damage. It wasn't the core issue. Just constant bad reporting.

      • As someone that also has inside information: I'll simply state that the decision wasn't made lightly, law enforcement was involved, and the incident has led to multiple changes in restricting firewall policy.
  • It's not a question of IF you're going to get hacked, it's a question of WHEN.

    • What we need to do is define and then design/code/train to 'acceptable risk'. For commercial avionics, the goal is the residual risk for an aircraft loss from software is 10 ^ -9.

      The problem we have now is the likelihood of a security failure looks to be something like 10 ^ -4

      The perspective of "all software has bugs" and "you will be hacked" relieves developers and managers of the responsibility to prevent that as much as possible.

      Ask Boeing what their 737 MAX failures cost them. Now ask yourself, "How w

  • First thing I did at a former employer when we were showing signs of compromise. Came in on a Sunday specifically to just turn everything off as soon as possible.

    All servers off, all power out, every single desktop and laptop in the building collected and put into a locked room.

    Had the boss's backing throughout - he even helped collect the machines from across the site and make sure we'd got every device.

    Then we started the servers back up extremely carefully from absolutely blank drives, and re-imaged eve

    • by Bongo ( 13261 )

      I for one say, thank you!

      I wonder if anyone has ever done a study of how much of the world works because of unknown and selfless people making the effort in the face of resistance to do the right thing.

  • The VPN through which alumni and retirees access AFS (Andrew File System) is still down. "Anticipated End Time: Unknown". (https://status.its.umich.edu/report.php?id=157177) That's a lot of people potentially still locked out of their files.
  • Universities are the perfect target.
