A newly released audit shows that the University of Kentucky was “perilously close” to a system-wide shutdown as a result of what may have been the most significant cyberattack on the university.
The 46-page audit explains that the cyberattack, which was targeted towards UK HealthCare systems, installed malware on university servers in order to mine cryptocurrency like Bitcoin.
The hackers’ focus on UKHC systems prevented a far worse leak; according to the audit, there was no evidence that protected health information was compromised, though a consultant said this was possible.
“Had the threat actors gotten further into UK’s Active Directory, there would have been little to stop them from taking over the university’s systems, locking them down and demanding a ransom,” the audit states. Instead, the impacted systems were limited to computers of IT, executives and physicians in UKHC and UKHC’s servers for patient care and business operations, according to a graphic of the incident’s progression in the audit.
UK spokesperson Jay Blanton said the university is working to improve their cybersecurity measures.
“The work of cyber security never stops. It is an ongoing process,” said Blanton. “The work of a number of individuals across our campus stopped this attempted breach last year.”
According to the audit, they cyberattack may have begun as early as December 2019 and had thousands of endpoints (devices like computers) at the university.
The first confirmed evidence of the hack, conducted by attackers outside the U.S. border, was found in January 2020 in an app used by UKHC pharmacies. The audit reports three missed opportunities before then.
UK made multiple reports to Microsoft for assistance. On Jan. 29, UK made a report but told Microsoft “their assistance was not needed.” On Feb. 4, UKHC faced a six-hour shutdown but retracted their work order before Microsoft could engage. As of Feb. 23, there were 700,000 instances of malware in UK’s domain.
UK ended the attack on March 8 by completely shutting down and rebooting the entire system by “severing Internet access to, in effect, kick the attackers out and further secure the system against anyone who tried to re-enter.” The outage lasted three hours.
“In this instance, the University of Kentucky was indeed fortunate. This time,” the audit stated, citing a 2020 ransom attack on a healthy system that cost tens of millions and affected patient care. But UK could still be vulnerable to cyberattacks if they do not improve their security management, the audit warned in multiple sections.
The university spent $5 million to cut off the attack, including costs for consultants and revenue losses from compromised computers. $4 million went to direct measures for mitigating the attack and $1 million in associated employee time. Consultants contributed to the $5 million expenses, including nearly $15,000 for food and travel.
Crowdstrike and Microsoft were both engaged as vendors to assess UK’s cybersecurity weaknesses, which the audit said it was “imperative” to address.
Because UK HealthCare’s infrastructure resides within the university’s larger umbrella, the consultants recommended adjusting overall operational procedures.
“This incident was a result of systems that are operated independently yet are not truly separate and governed by distinct entities that have not communicated optimally to protect the entire enterprise from cybersecurity threats,” the audit states.
Additionally, university conducted reviews have noted 70 vulnerabilities related to information security since 2013, including “improperly configured domain administrator accounts to poor provisioning and deprovisioning practices and insufficient patch management processes, each of which are significant alone.”
Unnecessary administrative accounts were used by the threat actors in the attack, a vulnerability pointed out 18 months prior that “exponentially increased the incident’s reach, severity, and impact.”
Administrative accounts can “change ownership of relevant documents or folders and either restrict access, copy or transfer data without other authority, or tamper with protected security policies” and thus should be limited only to those who have to maintain the system, the audit stated. Furthermore, the university had no procedure for deactivating old accounts.
Thousands of endpoints were running operating systems as many as six years past “end of life,” which meant they could not support current security software.
Though UK has made “marked progress” since the attack, UK’s cybersecurity is still lacking. Five months after the attack, UK’s IT system was rate as “critical risk” in four out of five risk categories.
“The university has critical, unmitigated risks and, as a result, does not maintain a strong information security posture,” the audit said.
Following the attack, UK will implement a number of measures to correct potential weak areas pointed out by the audit. Among them are the development a “quarantine network,” a better patch management system and decreasing the number of administrative accounts, the last of which was a key weakness pointed out by the audit.
“While there are pockets of very good work being done, there is an underlying ad hoc approach that cannot sustain effective and efficient operations,” the audit stated in calling for a comprehensive overview to cybersecurity.
One of the main findings of the audit was that UK’s distinct IT services for its branches (UKHC IT for healthcare, ITS for campus) is a vulnerability because it reduces reaction time and creates two workflows.
“Disparate organization contributes to the lack of consensus over strategy and prevents the ability to adequately address enterprise-wide risks,” the audit stated. “This organizational structure was a contributing factor to the incident and continues to exacerbate these vulnerabilities.”
To correct that, UK will appoint a single chief information security officer. The audit also recommended that UK create a formal cyberattack response plan, since “even the existing security staff do not agree on many aspects of how things are done or how things should be done.”
The audit includes “action plans” with milestone dates for multiple areas of information security management to amend operations by.
As the audit notes, UK had a fortunate escape to this cyberattack.
“It really isn’t clear how UK hasn’t experienced a major security incident to this point, and how they would handle a major security breach if it did occur,” the audit stated.
The audit concluded by preparation is key in limiting the fallout of protected information because universities will continue to be subject to cyberattacks.
“The only question really is whether it will be a “big one” or a “small one,” and how much damage it will cause and residual effect it will have.”