Statement and FAQs on Cyberattack


October 16, 2015

Statement on Cyberattack

On Tues., Oct. 13, 2015, the WHOI computer network was shut down for several hours and all WHOI email account holders were required to change their passwords. These actions were necessary because of an aggressive cyberattack on our system.

WHOI thwarts malicious computer attacks from around the world every day. However, we recently became aware of an attack that infiltrated our network and allowed an attacker unauthorized access to WHOI data and email. A thorough investigation was conducted and supported the development of a plan to remove the attackers from the environment. Part of this plan required all WHOI email account holders to change their passwords along with additional remedial steps.

The attack was similar to those experienced by many federal agencies, defense contractors and other businesses developing advanced technologies. The investigation of the attack is ongoing; however, it indicates the intent was not to obtain financial or personal identity information. Mandiant, a third-party cybersecurity firm hired by WHOI, identified evidence of attacker activity attributed to a targeted threat group, which the firm believes to be an Advanced Persistent Threat (APT) group based in China. These conclusions were based on the firm’s experience investigating these types of attacks and the group’s distinct tools, tactics, and procedures.

Background

In June, WHOI’s cybersecurity system detected an intrusion, alerting WHOI’s IT Department to activity on outbound servers from our network. After blocking the malicious communications, the IT team began an investigation into the event and determined the intrusion warranted notification to the appropriate government and law enforcement agencies. The Institution then engaged Mandiant, a leading cybersecurity firm, to scour our network and determine the extent of the compromise and its impact.

The network outage was the first major step in remediating this breach. WHOI removed all known intruder means of access (backdoors), blocked traffic from all known malicious hosts, and rebuilt compromised servers. We are still investigating and reviewing what data and emails were compromised; however, due to the structure of the attack it is unlikely we will ever have a precise accounting of that data.

With this remediation event, we have implemented the priority recommendations resulting from the investigation and have done so in a timeframe that gives us confidence we have removed the malware from our system. WHOI will continue to implement secondary recommendations through 2016.

*****************

CYBERATTACK FAQS

Cyberattacks are now an everyday reality of the global cybersecurity challenge faced by large research institutions, universities, corporations and others. In fact, organizations like WHOI counter malicious computer attacks from around the world each day. Because of these challenges, WHOI follows well-established information security and intrusion detection protocols and procedures, which are the same as or similar to those adhered to by our peer institutions and other large organizations nationwide.

Following this attack, WHOI has implemented a set of recommendations made by Mandiant, a leading cybersecurity expert, to rid its network of the intrusion. However, maintaining a secure network requires constant vigilance. Over the coming weeks and months, WHOI will implement additional security measures recommended by experts to further enhance our security posture.

When did WHOI become aware of the attack?

WHOI Information Services (IS) Department first became aware of the attack on our network on June 24, 2015, when WHOI’s cybersecurity system detected an intrusion, alerting the IS team to activity on outbound servers from our network.

What steps were taken when the attack became known?

After blocking the malicious communications, WHOI began an investigation into the event and determined the intrusion warranted notification to the appropriate government and law enforcement agencies. The Institution then engaged Mandiant, a leading cybersecurity firm, to scour our network and determine the extent of the compromise and its impact.

Where did the attack come from?

An investigation, led by Mandiant, a leading cybersecurity firm, indicates that the attacker utilized networks across the world. However, the firm identified evidence of attacker activity attributed to a targeted threat group, which it believes to be an Advanced Persistent Threat (APT) group based in China. These conclusions were based on the firm’s experience investigating these types of attacks and the group’s distinct tools, tactics, and procedures.

What was the attacker after?

The analysis of the data collected during the investigation is incomplete; however, it appears the intent was to obtain intellectual property derived from research activity.

Was any classified information taken?

There is no indication that classified information was accessed during this attack. Most classified activity occurs off-site, not here at WHOI. Per WHOI’s security protocols, classified information at WHOI is held in secure locations in hard copy form only.

Was any financial information stolen?

The investigation of the attack is ongoing; however, so far it indicates the intent was not to obtain financial information.

Was any personal identification information stolen?

The investigation of the attack is ongoing; however, so far it indicates the intent was not to obtain personal identity information.

How long was the attacker in the WHOI system?

The earliest evidence of the attacker in the system is February 26, 2013. With this remediation event, WHOI has implemented the priority recommendations in a timeframe that gives us confidence we have removed the malware from our system.

What was the extent of the breach? What was taken/stolen?

The attack infiltrated our network and allowed an attacker unauthorized access to WHOI data and email. We cannot provide additional detail on the content, as an analysis of the evidence collected during the investigation is still underway.

What steps is WHOI taking to prevent a future breach?

With today’s remediation event, WHOI has implemented the priority recommendations made by Mandiant, an expert cybersecurity firm. However, maintaining a secure network requires constant vigilance and continual improvement. Over the coming weeks and months, WHOI will implement additional security measures recommended by Mandiant and assess other infrastructure improvements to further enhance our security posture.

How confident are you in the security of the WHOI network?

As we regularly read about in newspaper stories, cyberattacks are now a common occurrence, impacting large organizations like research institutions, universities, government agencies and corporations. With this remediation event, we have implemented the priority recommendations resulting from the investigation and have done so in a timeframe that gives us confidence we have removed the malware from our system. WHOI will continue to implement secondary recommendations through 2016.