
Cyber Incident Victim: Stephen F. Austin State University

Date:

Jun 2023

Location:

United States of America

Summary

Stephen F. Austin State University experienced a cyberattack that prompted it to proactively shut down its network to contain the incident. The attack disrupted email, online services, and the main website, also impacting local government agencies that relied on the network for daily law enforcement and fire reports. The FBI is investigating the incident, and university IT staff, with external assistance, are working to restore services and determine what files may have been accessed.


Description

On or around June 11, 2023, Stephen F. Austin State University (SFA) experienced a significant cyberattack that disrupted its computer network. The attack likely occurred sometime between the evening of Saturday, June 10, and the morning of Monday, June 12. In response to the detected malicious activity, the university decided to proactively shut down network access to prevent further compromise. University spokesperson Graham Garner described the decision: “We didn’t have any services that were knocked out or taken over. We made the choice to shut down access so we could prevent anything from happening.”

The immediate consequence of the shutdown was the unavailability of the university's main website and most of its online resources, although the institution's sports websites remained accessible. With official online resources unavailable, the university directed students, faculty, and the public to watch for official updates on its social media platforms, including Facebook, Instagram, and Twitter.

The cyberattack also had a cascading effect on local government operations in Nacogdoches, Texas, because the SFA computer network was used by several local government entities. Daily law enforcement and fire reports were not available to the public as a result of the network outage. The Nacogdoches Fire and Rescue Battalion Chief, Sean Black, confirmed this impact in an email, stating, “Our report status was also affected by the cyberattack on SFA. As soon as we get this problem resolved we will resume submitting the report.” Reports were also unavailable from the Nacogdoches police, the Nacogdoches County Sheriff’s Office, and the University Police Department.

University officials did not initially specify the exact type of cyberattack that had occurred. When asked about the perpetrators, Garner said, “As far as who or what was behind this, we can’t speak to that yet.” The articles noted that ransomware—a type of virus that holds computer files hostage while hackers ask for a payment as a form of extortion—has been increasingly used by criminal organizations. In most ransomware attacks, hackers ask to be paid in electronic currency like Bitcoin in return for unlocking files. Some hacking groups also threaten to leak or sell sensitive documents unless they are paid a ransom. Despite this context, as of the afternoon of Tuesday, June 13, no major hacking group had claimed responsibility for the attack on SFA, according to DarkFeed, a cyber threat intelligence group that tracks such claims.

The university's information technology staff, with the assistance of the University of Texas System and other external entities, began working to identify what files the attackers might have gained access to and what vulnerabilities were potentially exploited. Graham Garner highlighted the value of this affiliation, stating, “This is evidence to us at how that kind of affiliation can be an asset and be a resource.” This collaboration was particularly relevant as SFA was set to officially join the University of Texas System in August 2023 after the deal received unanimous approval in the Texas Legislature.

The incident was reported to and investigated by the proper authorities. The Federal Bureau of Investigation’s Dallas field office confirmed its investigation into the incident. A university spokesperson confirmed the FBI's involvement more than a week after the attack but did not provide additional details. The FBI also declined to provide more information about its investigation. Large-scale cyberattacks often draw a response from the FBI, though such cases rarely end in an arrest.

The cyberattack caused significant anxiety among the student body. More than a week after the incident, university leaders were still working to fully restore email and other critical online services for the 11,600-student campus. The prolonged outage threatened to disrupt academic progress, with students growing anxious about falling behind in their coursework due to the inability to access email, online learning platforms, and other essential digital resources necessary for university functions.

The attack on Stephen F. Austin State University was part of a broader trend targeting educational institutions and government agencies. Hackers had attacked more than 150 governmental agencies and educational institutions in the U.S. since January of that year. This incident was at least the 12th confirmed cyberattack in Texas since March 2022, according to the international cybersecurity company Comparitech. Other recent cyberattacks in Texas included those on the City of Dallas, the Mansfield Independent School District, Rice University, the City of Tomball, and the Dallas Central Appraisal District. A May 3 ransomware attack on the City of Dallas was blamed on the international hacker group Royal, which had also recently claimed responsibility for hacking a school district in Pennsylvania. The local area had prior experience with such incidents, as both the Nacogdoches ISD and the City of Garrison were hit by cyberattacks within the same week back in 2020.

The university's response and recovery efforts continued as IT personnel and their external partners worked to restore systems and ensure the security of the network before bringing services back online for the campus community and the local government agencies that relied on its infrastructure.
