Louisiana colleges restoring systems after state police find ‘indicators of compromise’
Several colleges and universities in Louisiana are restoring their networks after the Louisiana State Police said it found evidence that their systems had been compromised.
The University of New Orleans, the LSU Agricultural Center, Nunez Community College, River Parishes Community College and Southern University at Shreveport all took down their networks on Friday, removing internet access for thousands of students and professors.
Lt. Melissa Matey of the Louisiana State Police told The Record that the universities made the move after the Louisiana State Police Cyber Crime Unit “found potential indicators of compromise within the networks.”
“The restorative activities include removing capabilities from potential threat actors and operationalizing state-of-the-art security tools, including hardware and software. Forensic and investigative efforts are continuing with Louisiana State Police Cyber Crime Unit,” Matey said.
School responses and shutdowns
The University of New Orleans – which serves about 7,000 students – was one of the first to notify the public about the issues, writing on Twitter Friday night that it, alongside the other four schools, proactively took down its campus internet systems in light of concerns about a cyberattack.
“We are working closely with the Governor's Office of Homeland Security and Emergency Preparedness, as well as the Louisiana State Police, to address the potential threat,” the school said in a statement.
“The University has detected an indicator of compromise, prompting us to proactively bring down our campus internet system to operationalize security features. A total of five colleges and universities are conducting similar activities: UNO, LSU Agricultural Center, Nunez (Cont.)” (University of New Orleans, @UofNO, March 24, 2023, pic.twitter.com/Z9RO30ANZp)
“As a result, the following network systems on UNO's campus that will be impacted include: campus internet, Wi-Fi, UNO email, Moodle, Workday, and PeopleSoft. The systems will be brought back online as soon as possible.”
River Parishes Community College Chancellor Quintin Taylor told The Record that a “comprehensive” review of the school’s network revealed that there was a “cyber risk that needed immediate attention.”
“Working closely with the Governor’s Office of Homeland Security and Emergency Preparedness as well as Louisiana State Police, we took the RPCC network down Friday afternoon and have been working on rebuilding the affected components in the network and strengthening the network posture to provide greater security moving forward,” Taylor said.
“Our network is up, and the college is fully operational. It is also important to note that our student information systems are hosted off site and were not impacted by this exercise.”
Southern University at Shreveport and Nunez Community College both posted messages on their websites or social media channels acknowledging the incidents. Nunez Community College said on its website that it will “work and offer classes remotely Monday, March 27th,” anticipating a return to normal operations on Tuesday.
On Sunday, both the University of New Orleans and Southern University at Shreveport said network services were slowly being restored.
The LSU Agricultural Center did not post any statements about the issue and did not respond to requests for comment.
Sunday’s statement from the University of New Orleans said officials were able to “negate” the cybersecurity threat and were restoring services with the help of Louisiana state officials.
While campus email, Zoom and some campus Wi-Fi systems were restored by Monday morning, several other services were not back to normal. But classes were proceeding as scheduled and professors were urged to be lenient toward students in light of the internet access issues.
“Law enforcement continues to investigate this matter, and we are taking steps to determine if any data was compromised. If your personal data was involved, you will be notified in accordance with applicable law as quickly as possible,” the University of New Orleans explained.
“Your notice will include more information about restorative and protective resources that will be made available to you at no charge.”
Southern University at Shreveport released a similar statement but said guest Wi-Fi and other applications were still down due to the incident.
All classes at the school will be held virtually until further notice, the school said on Facebook.
None of the schools involved responded to requests for comment about whether it was a ransomware attack.
The incident comes three weeks after Southeastern Louisiana University similarly shut down its network in light of a cyberattack. In February, Xavier University of Louisiana said a November 22 cyberattack caused a data breach that involved the Social Security numbers and other personal information of more than 44,000 students and vendors.
2023 has already seen dozens of cyberattacks on universities and community colleges across the country.
Emsisoft ransomware expert Brett Callow said at least 14 colleges or universities have already reported being hit with ransomware or cyberattacks in 2023 – with several others denying they were targeted after being added to the list of victims posted by ransomware gangs.
Lansing Community College canceled classes last week due to a cyberattack, and earlier this month Northern Essex Community College confirmed a cyberattack. Bristol Community College and several others have also reported incidents.
Of the 14 confirmed attacks, data was exfiltrated in 11 of them, Callow told The Record. While little is known about the indicators of compromise found in the most recent incident, Callow explained that the schools’ quick recovery was evidence that cybersecurity experts were able to stop any potential damage before it was too late.
“The time-to-ransom represents a window of opportunity during which threats can be detected and mitigated before becoming massively disruptive and massively costly encryption events. This is why CISA’s Pre-Ransomware Notification Initiative is so important,” Callow said, referring to a recently announced government program that warns critical infrastructure operators of potential intrusions.
“It’s already helped multiple organizations – including organizations in the education sector – identify intrusions before either exfiltration or encryption took place. It’s also why tools such as endpoint detection and response are critical. Organizations should work on the assumption that their perimeters will be breached and monitor their environments for indicators of compromise.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.