Cyber Incident Victim: Stratford University
Date: Apr 2022
Location: India
Summary
Stratford University was listed by three separate ransomware and extortion groups in 2022: REvil, Snatch Team, and Avos Locker each claimed to have exfiltrated data from the institution. REvil claimed roughly 60 GB, Snatch Team posted 53 GB, and Avos Locker claimed about 25 GB across some 30,000 files. Snatch Team and Avos Locker stated that they did not encrypt any systems and only took data for extortion; whether REvil deployed ransomware on the network was never verified. The university did not publicly acknowledge any breach, and repeated attempts to reach administrators by email failed, in some cases because the mailboxes were full. Whether the three listings represent independent intrusions or one set of stolen data passed between groups remains unresolved.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 3 actors | Available to members | Available to members |
Description
Stratford University, an institution of higher learning with campuses in the United States and India, faced a series of cyberattacks in 2022 that illustrate how ransomware groups increasingly extort victims without encrypting anything. This report summarizes what is publicly observable about the incident, the tactics used by the groups involved, and the implications for the university and its stakeholders.

Stratford University, with its main campuses in Virginia, Maryland, and New Delhi, India, also offers online programs to a diverse student body. In early 2022 the university became the target of a ransomware attack, and the incident has since grown more complex. The initial attack vector is still unknown, but it set in motion a chain of events involving multiple threat actor groups and raised questions about the security of Stratford University's systems and data.
The first observable activity occurred in April 2022, when a group operating under the REvil name added Stratford University to its dedicated leak site. REvil is known for aggressive tactics and has been responsible for high-profile attacks on a range of organizations. In this instance, however, the listing was not followed by any further data disclosure, and attempts to download the advertised data pack failed with a "disconnected" message. Even an unverifiable listing indicates a potential breach of confidentiality, one of the three properties of the CIA triad (Confidentiality, Integrity, Availability); whether REvil ever encrypted anything on the university's network, which would be an availability impact, could not be confirmed.
In mid-August a different group, Snatch Team, entered the scene. They, too, added Stratford University to their leak site, indicating that they had accessed and exfiltrated data, and they were quick to assert that their operation was unrelated to REvil's earlier listing. The dump they posted amounted to 53 GB, but it proved inaccessible because of a secure connection failure, so the claim could not be independently checked. Because Snatch Team stated that it had not encrypted any systems, this listing points to a confidentiality breach rather than an integrity or availability one: the data was copied out, not altered or locked.
Adding to the complexity, a third group, Avos Locker, joined in early September. They also asserted their independence from the previous two groups and claimed to hold approximately 25 GB of data from Stratford University. Avos Locker provided a "proof pack," but the files in it were not current, which casts doubt on when their access actually occurred. Notably, both Snatch Team and Avos Locker said they had not deployed ransomware at all; they used an exfiltration-only extortion model, sometimes called "leak-and-ransom," in which data is stolen and held for ransom under threat of publication rather than encrypted on the victim's systems. For defenders this matters because controls and alerts keyed to encryption activity never fire; the only observable is the outbound transfer itself.
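Since two of the three groups here never encrypted anything, the detectable signal was bulk egress. The following is an added example, not code from the original report or from any of the parties involved: it totals outbound bytes per internal host from simplified flow records, compares each host against the fleet median and an absolute ceiling, and flags outliers. The log format, IP addresses, thresholds, and the allowlist of sanctioned backup destinations are all constructed for illustration.

```python
"""Egress-volume baseline check over flow records (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flows: ts,src_ip,dst_ip,dst_port,bytes_out
# 10.20.5.17 pushes ~53 GB to one external host; the rest is normal traffic.
SAMPLE_FLOWS = """\
2022-04-02T01:12:00,10.20.5.17,203.0.113.9,443,25000000000
2022-04-02T01:40:00,10.20.5.17,203.0.113.9,443,28000000000
2022-04-02T09:00:00,10.20.5.31,198.51.100.4,443,120000000
2022-04-02T09:05:00,10.20.5.31,198.51.100.8,80,45000000
2022-04-02T10:00:00,10.20.5.44,198.51.100.4,443,200000000
2022-04-02T10:30:00,10.20.5.44,10.20.7.2,445,9000000000
2022-04-02T11:00:00,10.20.5.52,198.51.100.4,443,150000000
2022-04-02T23:00:00,10.20.5.60,198.51.100.77,443,40000000000
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Hypothetical sanctioned backup target; large transfers here are expected.
ALLOWLISTED_DST = {"198.51.100.77"}
GB = 1_000_000_000


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield one dict per non-empty, non-comment flow line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        yield {"ts": ts, "src": src, "dst": dst,
               "port": int(port), "bytes": int(nbytes)}


def egress_by_host(flows, allowlist=ALLOWLISTED_DST):
    """Sum bytes from internal sources to external, non-allowlisted hosts.
    Internal-to-internal traffic (e.g. SMB staging) is deliberately excluded."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        if f["dst"] in allowlist:
            continue
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_exfil(totals, abs_threshold=5 * GB, ratio=10.0):
    """Return [(host, GB)] for hosts over the absolute ceiling or far above
    the fleet median, largest first. The median is computed over the same
    window here; in production take it from prior days so the offender
    does not inflate its own baseline."""
    if not totals:
        return []
    base = median(totals.values())
    flagged = []
    for host, nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        if nbytes >= abs_threshold or (base > 0 and nbytes >= ratio * base):
            flagged.append((host, round(nbytes / GB, 2)))
    return flagged


if __name__ == "__main__":
    for host, gb in flag_exfil(egress_by_host(parse_flows(SAMPLE_FLOWS))):
        print(f"ALERT egress {host}: {gb} GB to external destinations")
```

On the constructed sample only 10.20.5.17 is reported, with 53.0 GB: the 40 GB flow to the allowlisted backup host and the 9 GB internal SMB transfer are both excluded. The allowlist is what keeps a rule like this usable; without it every nightly cloud backup is an alert, and the rule gets tuned off before the real transfer happens.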
The involvement of three distinct threat actor groups in such quick succession raises several questions. Was this the work of a single affiliate who obtained the data once and then offered it to different groups? Were these separate, independent intrusions into the same poorly secured environment? Or was one group's stolen data simply resold or passed along? The answers remain unclear, and the university's silence on the matter has added to the uncertainty. Attempts to contact Stratford University through its publicly listed email addresses were largely unsuccessful, with "mailbox full" errors a common response.
The absence of any breach statement on the university's website left students, staff, and the wider community without information about the nature and extent of the incident. That silence is concerning: at best it suggests a lack of transparency, at worst an attempt to downplay the severity of the situation, and in either case the people whose data may have been exposed have had no opportunity to protect themselves. The total impact of the breach is not yet known, and it remains to be seen whether the university will take proactive steps to reassure its stakeholders and strengthen its security controls.
The Stratford University incident underscores how the ransomware threat has changed. Three groups, at least two of them operating without encryption, claimed the same victim within months of one another, which means defenders cannot treat the absence of encrypted files as evidence that nothing happened. The case highlights the importance of monitoring for data exfiltration, protecting sensitive data at rest, and handling incidents transparently. As further details emerge about how the groups obtained access and whether the data sets overlap, they may clarify whether this was one intrusion or several.
