The week of July 19, Information Technology staff at Richmond Community College noticed some odd activity in their systems. But they weren’t overly concerned. College President Dale McInnis said people attempted to get access to their systems all the time, poking for weaknesses, trying to mine data, or do something else malicious. His team fought off things like that all the time.
On Friday, the staff saw some concerning activity in an IP address that was trying to communicate elsewhere. McInnis said his team “followed the textbook, responded appropriately.”
Unbeknownst to them, however, something called a trick bot had been installed in the college’s system. McInnis and his staff aren’t really sure how it got there. Maybe someone opened an infected email at some point. They were never able to trace the origin.
But the trick bot was, well, trickier than the usual attacks. Inside it was a virus, and when IT staff did exactly what they were supposed to do — follow the textbook — the trick bot reacted.
“It activated. And when it activated, it locked up and encrypted our Windows-based servers,” McInnis said.
Online services went down. Telephones stopped working. Printing was an issue. Payroll went from taking an hour and a half to taking about 14 and a half hours, McInnis said. But one of the biggest problems was that the cyber attack was going to prevent students from paying and registering for class.
At the time, the college was between semesters. Summer was over, and fall was on its way. But this was also prime time for students to register.
“We scrambled around that night trying to figure out who to talk to,” McInnis said.
In fact, that’s one of the most important lessons he took from all this: Colleges need to know who to talk to when something like this happens. He called the Community College System office, the State Bureau of Investigation and the local police, among others.
Saturday and Sunday, the system office came down and started helping out. McInnis was on site the whole time. On Sunday, the FBI came in and started an investigation of the cyber attack.
McInnis said he had thought his college was in a fairly secure position from a technical perspective. But nothing like this had ever happened, and they weren’t prepared. He worries others won’t be either.
“If this can happen at our college…it could happen to a lot of other places as well,” he said.
For the next four weeks, the college worked to recover its systems. All the servers had to be rebuilt. Fortunately, student and employee data were on a different server and were unaffected. The college had already made the transition to Office 365, which is cloud-based, so email was still working. The college had also begun a transition to Microsoft OneDrive, which stores data online, but the transition wasn’t complete.
It was all hands on deck. In addition to the system office, police, the FBI and the SBI, the National Guard actually helped as well.
“It was a real team effort at the state level, because this was unprecedented,” McInnis said.
With the fall semester rapidly approaching, the college staff had to get creative. They began registering people with paper, the way it was done more than a decade ago. They rigged up phones for receptionists in key positions, so that people could get in touch with the college. Meanwhile, everyone else was mostly using cell phones for email, communications, and even computing.
Recovery was a long process, but the fall semester got underway without obvious impacts to enrollment. The enrollment figures are essentially flat, meaning the school didn’t lose students. Of course, there is no way to know if enrollment would have been better without the cyber attack.
“This day and time, having flat enrollment from one year to the next is a bad thing,” McInnis said.
The college has instituted some new procedures to prevent a future attack. The National Guard told staff at the school that they had to get rid of jump drives, so those are out.
The college is also going to have some extra costs to deal with the aftermath of the attack. It needs to get consulting services to assess IT structure and security. It will have to look at how to continue business operations better in the event of any major future disruption. And at some point, the state will likely have to help with the cost, especially if community colleges around the state want to get secure from this type of incident.
“What we dealt with has exposed and concerned a lot of folks,” he said. “We were fortunate that we had a system office with some skilled, talented and committed people who could help us.”
It’s only in the last couple of weeks that the college has gotten fully up and running to where it was before. And McInnis still has no idea who launched the cyber attack.
Walter Dalton, president of Isothermal Community College as well as the North Carolina Association of Community College Presidents, said not a week goes by that a community college somewhere doesn’t see efforts to violate their systems.
“Everybody’s concerned about ransomware and cyberattacks,” he said, adding later: “It could happen to any one of us, so it’s something that we need to be cognizant of and prepare for and do all we can.”
Dalton said dealing with attacks like these is only going to get harder.
“It’s an ever-changing world. The software and the efforts change. Every time you put up a firewall, someone is trying to figure out a way around it,” he said.
Peter Hans, president of the North Carolina Community College System, said that while Richmond, along with the system office and others, was able to handle this issue, community colleges need to be prepared for more attacks. And that might require money.
“We may well request some funding at some point,” he said. “But we want to align with our partners and not be ahead of them in terms of state government response.”
Hans said the legislature has been briefed on what happened at Richmond Community College and about unsuccessful attempts at other colleges. The system is also trying to get information out to community college presidents so they can prepare for potential attacks.
“We’ve got to be more vigilant,” he said. “It’s very difficult to keep pace with both technology and criminals’ incentives to keep doing these things.”