University of Kentucky Defeats Month-Long Cyber-Attack

The University of Kentucky (UK) has fought off a month-long cyber-attack that impacted UK Healthcare and caused a system-wide slowdown.

According to UK officials, the disruption was caused by cryptocurrency mining malware installed by threat actors on the UK network in February. The malware caused daily interruptions to everyday functions and triggered temporary failures of UK's computer system.

Disruptions were chiefly felt at UK Healthcare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, Kentucky. Together, the hospitals serve more than 2 million patients. 

An investigation into the attack has found no evidence to suggest that patient or student data was compromised.  

University spokesperson Jay Blanton said: "Understanding that our review is ongoing, and based on the consultation of outside experts, we have no evidence to date that any personal health information or other sensitive data, such as personal student or employee data, has been downloaded or accessed."

Eric Monday, UK’s executive vice president for finance and administration, said the attack appeared to have originated from outside the United States. He expressed the view that the attack had been carried out in an attempt to hijack the “vast processing capabilities” of the UK network to mine cryptocurrency. 

Following the attack, the university hired an independent computer forensic firm to help improve cybersecurity and installed CrowdStrike security software as a preventative measure against future threats. UK is believed to have spent more than $1.5m on ejecting the malware from its network and improving cybersecurity.

A major 3-hour reboot of the university's IT systems, carried out without the students' knowledge yesterday morning, is believed to have finally removed the lingering malware threat. 

In a message sent out to the university's campus community on Monday morning, Blanton said: "A significant step in this procedure involved a short, planned network outage that took place earlier this morning, which we communicated overnight. Per the advice of our cybersecurity partners, it was necessary to limit the information provided in this initial communication. Now that the network has been restored and more aggressive security measures have been implemented, we can communicate with full transparency without risk of sacrificing the security of our systems." 

What’s Hot on Infosecurity Magazine?