Cyber Incident Victim: University of Oklahoma
Date: Jan 2025
Location: United States of America
Summary
The University of Oklahoma isolated systems after detecting unusual network activity linked to a ransomware incident. The Fog group claimed to have stolen 91 MB of employee and financial data. Fog's established initial-access method is the use of compromised VPN credentials, a method it has previously used against educational institutions during periods of reduced staffing. The incident disrupted operations around the start of the semester and mirrored attacks on other universities, including a prior local breach that compromised student information and Social Security numbers.
Description
The University of Oklahoma detected unusual cyber activity on its IT network in early January 2025, prompting immediate containment measures. Upon discovery, the university isolated affected systems and initiated an investigation to assess the scope and nature of the incident. The incident coincided with the start of the spring semester on January 20, though campus operations had already been disrupted by a snowstorm the previous week that forced remote work and canceled in-person classes. On January 21, the Fog ransomware gang claimed responsibility for the attack on its leak site, alleging theft of 91 MB of data containing employee information, financial records, and other unspecified materials. University officials confirmed the unusual network activity but declined to disclose which specific systems were impacted, whether ransomware was deployed, or if negotiations with the threat actors occurred. No evidence suggested academic or research systems were compromised, though the isolation measures likely affected some operational functions during the investigation.

The Fog group, active since May 2024, has exclusively targeted U.S. organizations with 80% of its victims in the education sector, according to Arctic Wolf researchers. Forensic analyses of prior Fog attacks revealed consistent exploitation of compromised VPN credentials across two unnamed gateway vendors to gain initial access. This incident follows a pattern of ransomware groups targeting universities during holiday periods or semester transitions when IT staffing levels are reduced. Similar attacks disrupted operations at Stanford University and the University of Michigan in preceding years, while East Central University in Ada, Oklahoma, experienced a 2024 ransomware incident that compromised student Social Security numbers despite limited system disruption. The University of Oklahoma maintained its investigation as ongoing, implementing additional network security measures while continuing normal academic operations.
