Cyber Incident Victim: Montana State University
Date: Apr 2023
Location: United States of America
Summary
Montana State University experienced a cyberattack that prompted an immediate shutdown of all university networking and internet services, including Wi-Fi and campus phones, to contain the incident. The campus remained open for in-person classes and events while the information technology team worked to restore systems. Recovery efforts involved building new domain controllers from the ground up and applying server hardening to establish a secure foundation before restoring the network.
Description
On April 20, 2023, Montana State University (MSU) experienced a significant cyberattack. The university first reported the incident around noon on that Thursday. Shortly after detection, the university took immediate action to contain the threat. An email was sent to the MSU community stating that all MSU networking and internet services would be shut down in an effort to contain the attack. This decisive action resulted in the complete loss of internet access, Wi-Fi services, and potentially campus phone services across the university's network.

The university directed its users to shut down all MSU-owned laptops, desktops, and any computers connected to the campus network, whether through a wired or wireless connection. This directive was issued to prevent the potential spread of the attack to endpoint devices and to aid in the overall containment strategy. Despite the severe disruption to digital infrastructure, the physical campus remained open. The university confirmed that in-person classes would continue as scheduled and that offices were to remain open for operations, indicating a commitment to maintaining academic and administrative functions despite the ongoing IT crisis. The Director of MSU News Service, Michael Becker, confirmed the cyberattack and noted that the impact was not isolated to the main campus, stating that some services on other MSU campuses had also been affected.

By the following day, April 21, 2023, the university provided an update on its recovery progress. The institution stated it was moving into the identification and remediation phase of its recovery efforts. The university's Information Technology team had been working throughout the day to establish multiple new domain controllers. These critical infrastructure components were built entirely from the ground up, a process intended to prevent reinfection of the network by starting from a clean foundation. The technicians applied server hardening techniques to these new systems to provide a solid and secure foundation upon which the rest of the network could be restored.

In the interim period during the recovery, the university continued to advise against using any MSU-owned computers or connecting to MSU wired and wireless internet networks. However, the university clarified that core services such as email, the D2L learning management system, and the MyInfo portal were accessible from non-MSU networks. This allowed students, faculty, and staff to maintain some level of communication and academic activity by using personal internet connections off-campus. The university also confirmed that all campus events would continue as scheduled despite the ongoing network outage, demonstrating an effort to minimize disruption to campus life. The university committed to providing regular updates as progress was made in restoring the network system. The initial response and ongoing recovery efforts were focused on containment, building a new secure infrastructure, and restoring services in a controlled manner to ensure security.
