Cyber Incident Victim: Brown University
Date: Mar 2021
Location: United States of America
Summary
A cyberattack targeted Brown University's Windows-based systems, prompting the institution to disconnect its central data center and disable affected services. Critical resources like Banner, VPN, and certain websites became temporarily unavailable, while other platforms including Canvas, Workday, and Zoom remained operational. The IT team responded by securing digital assets, initiating an investigation, and gradually restoring access to core services such as the main website and library domain. Malware involvement was suspected because staff directed employees to have their Windows devices verified as clean, while ongoing efforts focused on safely reinstating the remaining offline systems.
Description
On March 30, 2021, Brown University experienced a cyberattack that disrupted its network operations, prompting immediate containment measures. The university’s Computing & Information Services team detected anomalous activity focused on Windows-based devices and responded by severing connections to the central data center and disabling systems within it to prevent further spread. This action rendered several critical services temporarily inaccessible, including the Banner administrative system, VPN access, RemoteApps, and portions of the Brown.edu website infrastructure. CIO Bill Thirsk communicated the outage to the university community on the day of the incident, advising faculty and staff to use non-Windows devices such as smartphones, tablets, or computers running alternative operating systems until the situation was resolved. The university’s internal investigation, launched concurrently with the containment efforts, sought to identify compromised systems and assess the attack’s scope.

By April 2, restoration efforts had partially succeeded, with core services including most www.brown.edu websites, library.Brown.edu resources, and listserv email distribution systems returning to operation. Systems unaffected throughout the incident included Banner Self Service, Canvas, Workday, Zoom, and Google applications. The university’s official statement confirmed the incident involved a "security incident impacting system availability" and emphasized the prioritization of secure restoration over expediency. IT staff methodically evaluated Windows machines for "known-clean" status—a process requiring employees to consult IT support personnel—indicating potential malware involvement, though no specific threat type was disclosed. Ongoing work focused on reestablishing network connectivity and reactivating remaining offline systems while maintaining safeguards against residual threats. The investigation remained active with commitments to provide further community updates as developments warranted.
