Unraveling SolarWinds hack’s fallout for higher ed
The full scope of the massive SolarWinds hack is still unclear, but the attack is already being described by cybersecurity experts as a “cyber Pearl Harbor.”
For months hackers have been poking around computer networks at U.S. government departments, Fortune 500 companies and possibly higher education institutions and research organizations — undetected.
What information may have been stolen and exactly whom it was stolen from is unclear. Information technology experts told Inside Higher Ed that investigations into the attack at the federal level could take many months to complete. But even before the impact of the attack on higher education institutions is known, college IT leaders can take steps to guard against future intrusions.
The U.S. Department of the Treasury and the Departments of Homeland Security, State, Defense and Commerce were among the federal agencies successfully targeted in the attack, according to multiple media reports.
The hackers, thought to be linked to Russian intelligence, inserted malware into a software update that customers of Texas-based company SolarWinds then installed. The hack specifically affected a SolarWinds product called Orion, which is used by thousands of organizations to remotely manage their IT networks.
SolarWinds issued a statement last month suggesting that up to 18,000 of its 300,000 customers may have been affected. So far, no U.S. university has confirmed a breach. But that doesn’t necessarily mean higher ed institutions will be in the clear as more details emerge.
On a customer webpage from the SolarWinds website that has since been taken down, the company listed Harvard University, St. John’s University, Clemson University and the University of Alaska among its clients. None of these institutions report being significantly impacted by the attack.
A spokesperson at Harvard said that while the university does use some SolarWinds products, it does not use the affected platform. A St. John’s University spokesperson said the institution was aware of the incident and has determined it was not affected. A Clemson spokesperson said IT leaders at the institution were investigating the incident and to date had not identified any significant impact. The University of Alaska system office’s chief information technology officer said through a spokesperson that the university is a SolarWinds customer but not within the scope of those affected by the incident. Likewise, the chief information technology officer at the University of Alaska at Anchorage said that university is using a version of software that doesn’t appear to have been affected at this point.
A recent Wall Street Journal article said Kent State University may have been impacted by the hack. A Kent State spokesperson said those at the institution are “aware of the situation and are evaluating this serious matter.”
Kent State sent a notice to its faculty, staff and students in late December stressing there was no evidence at the time that hackers had successfully infiltrated the Kent State network.
In a lengthy Q&A section of its website addressing the hack, SolarWinds urged its customers to update their software and said it would continue to provide information as it becomes available.
What Can Colleges and Universities Do?
Institutions that use the Orion platform should follow guidance issued by the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, said Brett Callow, threat analyst at cybersecurity solutions company Emsisoft.
“This is very much a case of waiting for the other shoe to drop. Or, possibly more accurately, shoes,” Callow said. “At this point, little information is publicly available. We don’t know who the attacker was, what their objectives were, or how successful they were in meeting those objectives. The only thing that is for sure at this point is that the incident has the potential to be very, very serious.”
In the meantime, IT leaders in higher ed should think about their procurement processes and ask potential vendors tough questions about their security practices, said Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center at Indiana University in Bloomington, known as REN-ISAC.
Brian Kelly, director of the cybersecurity program at the IT organization Educause, agreed.
Whether or not institutions were badly impacted, it is important to realize that hackers “make no distinction between civilian and military targets,” Kelly said. He recommended institutions have a completed Higher Education Community Vendor Assessment Toolkit, or HECVAT, on file for every vendor they use. A HECVAT is a kind of security checklist developed by Educause to aid the technology procurement process.
“Outside of specific mitigation actions for SolarWinds that the REN-ISAC is providing to our community, this is a great opportunity to assess your information security program, specifically how it addresses systems acquisition, development, maintenance and asset management,” Kelly said.
While it does not seem at this time that higher education institutions or sensitive research secrets were the target of this attack, it is possible that hackers may have scooped up so much information they do not yet realize what they have, Milford said.
“This is a great opportunity for our cybersecurity leaders to provide thought leadership and guidance to their campus communities,” Kelly said. “Additionally, they should be using this opportunity to engage with institutional leadership across campus to review plans and policies in anticipation of future supply chain attacks.”