York University Hacked: What We Know So Far

‘Serious Cyberattack’ Against Top Canadian University

Jamie Nicol
May 6, 2020
A sign for York University. Source: CP24

What We Know
Last Friday, York University, one of Canada’s top universities, was the victim of a “serious cyber attack that corrupted a number of University servers and workstations”, according to a security bulletin posted on May 4th. Up until Monday, there were few details about the incident: the university had posted two security bulletins but had not emailed students and staff, claiming that “distribution was delayed due to issues resulting from protecting our systems”. Instead of sending emails to all students, staff, and faculty, York relied on security bulletins posted on the University’s website.

Due to the delayed response, the York Federation of Students (YFS) “voiced concerns over what it says is a lack of communication in response to the hack”, according to a Canadian Broadcasting Corporation (CBC) article dated May 4th. In that same article, CBC noted that the university had not stated whether or not personal information about students, faculty, or staff was stolen.

Perhaps in response to this criticism, in their most recent security bulletin dated May 5th, York University stated that “there is no indication that any personal and confidential information has been compromised, but we are still awaiting final confirmation”. They did note, however, that the entire York community, including students, staff, and faculty, will be required to change their passwords.

What was the ‘Serious Cyberattack’?
There is little information available right now about the nature of the cyberattack. As a result, all thoughts presented here are speculative and based on the wording of the university security bulletins and common trends affecting universities around the world. In my opinion, there are two possible explanations for this attack, with the first one being much more likely and much less dangerous to students, staff, and faculty:

  1. York University was the victim of a ransomware attack: This scenario is very likely based on the wording of the security bulletins. According to the bulletins, the cyberattack “corrupted a number of University servers and workstations”, which sounds like the work of ransomware that was able to spread through their network, similar to WannaCry. However, there has been no indication from the University that this was ransomware or that a ransom note was left for them. This scenario is also likely because no personal information appears to have been stolen, according to the University.
  2. The corrupted servers and workstations were a diversion for a much larger attack: This scenario is much less likely, but still possible, since we have not been presented with enough information yet and York is still in the early days of its investigation. In many past attacks, malware designed to destroy and corrupt files has merely been the ‘smokescreen’ that investigators focus their attention on, while the real attack involves stealing personal and confidential information as investigators are busy fixing the mess caused by the diversion. Once again, this scenario is far less likely than scenario 1 but should still be highlighted, since we have not received enough information about the nature of the attack.

Attacks on Other Canadian Universities
York is not the only Canadian University to be hit with a cyber attack. Some other recent examples include:

  • In June 2016, the University of Calgary was forced to pay a $20,000 ransom following a ransomware attack on their email system
  • In August 2019, the University of Waterloo posted a security bulletin warning University employees about a “significant increase in the number of financial spear-phishing attempts directed at University employees”
  • In February 2020, the University of Saskatchewan was hit with a Denial of Service (DoS) attack

Why are Universities Targeted?
Universities represent a possible goldmine to attackers: they contain vast amounts of personal and financial information about their students and in many cases are not as secure as other private businesses. Universities also contain valuable research data, which can lead to foreign governments attempting to hack Universities to steal their research. This actually happened in 2017 when Chinese attackers targeted over 27 institutions and researchers with “expertise in undersea technology” as part of a “coordinated cyber campaign”.

Due to the complex nature of University systems and the diverse range of faculties, it is hard to comprehend the surface area of potential attacks, much less react to them in real time. One of the hardest things for security personnel to protect is research data, since it is so closely held that in many cases these personnel have “little to no visibility” into these projects.

What can be done?
As a student, if your University gets attacked and you are worried that your information may have been stolen, it’s important to make sure that you are following good security practices. In all cases, the University is required to inform students of any possible data leak. Universities are aware of the amount of sensitive information that they hold, and as a result, there has been a concentrated effort in Canada to increase security.

In 2018, 40 Canadian Universities teamed up to create a cybersecurity benchmarking project “designed to find and promote the best security practices of universities across the country”. The point of this program was to find the best security practices across the different Universities and hopefully push others to improve their own security practices. As a result of this project, several Universities have:

  1. Moved more services behind firewalls
  2. Improved scanning of their networks for vulnerabilities and configuration problems
  3. Implemented better desktop management
  4. Improved anti-spoofing features of their email systems
  5. Started work on security automation

While these are all positive signs moving forward for Canada and its top Universities, it’s important to remember that attacks will happen, and having a good response plan can save you from losing all of your data. In the case of York, their quick response appears to have limited the spread of the attack in their systems, with the security bulletins stating that they “significantly reduced the potential damage [that] this cyber attack would have caused”. However, York failed to adequately inform their students of what was going on until Monday, which could have had big consequences if student personal information was stolen.

Jamie Nicol

UofT Computer Science student with a passion for Cyber Security.