09/09/2021
By Steve O’Riordan

I am writing to update you on the events that resulted in our campus closure in June. The cause was an attempted cyber-attack that set out to encrypt university data for the purpose of seeking a ransom payment. This attack was unsuccessful and thwarted by our Information Technology department. Here are the details of what occurred:

On June 14, IT began tracking suspicious activity on the UMass Lowell network. When it was determined that unauthorized access was taking place, UMass Lowell’s internet connectivity to and from campus was proactively disabled by IT. Though this step was necessary to safeguard the university’s systems and data, we recognize it was a terrible disruption to campus operations and communications. On-campus and online classes were impacted, as was our ability to effectively communicate with the UMass Lowell community.

Immediately after the intrusion was identified, an information security forensic firm was engaged to assist IT and investigate the extent of the intrusion. UMass Lowell’s Emergency Operations Center began holding morning and afternoon meetings to address the disruption in operations. Our IT team was focused on restoring services as quickly as possible and preventing subsequent attacks. This process involved tightening network firewall rules, patching vulnerable systems, and changing every password. A new, more secure VPN service was also deployed, and multi-factor authentication was enabled on all Internet-facing business-critical applications.

Throughout the cyber event, university attorneys provided legal advice to UMass Lowell relating to privacy laws and communication protocols. UMass Lowell notified its students, faculty and staff by text message and email concerning the response to the incident on June 17, 2021.

The recently completed investigation concluded that:

  • Foreign threat actors gained initial access to UMass Lowell’s network via compromised user credentials.
  • Systems that store or transmit financial information were not affected during the event.
  • Files within the university’s network were not encrypted, accessed or acquired by unauthorized individuals.
  • This was an unsuccessful ransomware incident.
  • There is no evidence that students’ personal or financial aid information was subject to unauthorized access or acquisition.
  • Although a system file with usernames and passwords for university users was accessed, all passwords were reset immediately.

The investigation has concluded. The extent of the impact to the university’s students was an interruption to network connectivity and the cancellation of classes while the network was reviewed and the system’s security was confirmed.

While the event was disruptive during that period of time, we are very fortunate with this outcome, especially when considering the recent increase in ransom-based attacks that have had significant impacts on higher education institutions. I thank the Information Technology department for all their efforts. Due to the staff’s prudent and decisive action of shutting down the UML network, the threat actors were prevented from completing a likely ransom activity that may have had a lasting impact on our campus. I also thank the many members of our campus community who worked with us to mitigate the disruption and return the campus to full operations. Special thanks to the EOC, GPS, Registrar, Solution Center, University Relations and Web Services teams, to name only a few.

This attack highlights the need for us to stay vigilant with our information security practices. In consultation with the campus, IT will continue to improve our security posture to ensure the safety and integrity of our student and employee data. Additionally, the campus will continue to review action plans to strengthen the security and resiliency of academic, research and business operations in the future.