A cybersecurity expert says despite the positive resolution to an attempted cryptocoin mining attack at St. Francis Xavier University (St. FX) last week, the decision to shut down the school’s entire network came as a surprise.
“I’ve seen very large infections where lots of devices, lots of computers get enslaved, but I’ve never seen somebody shut everything down,” said David Masson, country manager for Darktrace, a cybersecurity company.
The decision to shut down St. FX’s 150 servers was made on Nov. 1 after the university’s system security software recognized “odd activity” occurring within its network. In an alert to students, staff and faculty the same day, the university said the odd activity was an attempted cyberattack.
On Monday, the university stated that attempted “cryptomining” was the source behind the cyberattack, saying the software attempted to “utilize St. FX’s collective computing power in order to create or discover Bitcoin for monetary gain.”
“It was something we had never seen before, so we took this precaution of shutting down the systems while we investigated the alert,” St. FX spokesperson Cindy MacKenzie told Global News on Wednesday.
Cryptocoin mining is a method of making money by using somebody else’s computing power and electricity supply. The most common cryptocurrency is Bitcoin but there are several others, including Zcash, Ethereum and Ripple.
“It’s the process of authenticating and legitimizing transactions of decentralized currencies,” Masson said. “Basically, you’ve got to get a computer to resolve mathematical problems, and every time you resolve them you get awarded with a bit of a Bitcoin, or a bit of (a different cryptocurrency).”
Masson says with cryptocurrency malware, it’s now possible for hackers to enslave somebody else’s network covertly to do these calculations.
“So you end up making money on somebody else’s computer.”
WATCH: Cryptocurrency concerns — could Bitcoin bankrupt you?
The network shutdown at St. FX disrupted access to email, WiFi, debit transactions, the university’s online course system, shared storage space and drives on the St. FX network.
MacKenzie noted that Friday was the only complete work day that students, staff and faculty did not have access to internet and Outlook email, adding that office phones were still accessible.
“While it was inconvenient, we actually had reports of faculty going … ‘old school’ — using whiteboards and dry-erase markers for classes on Friday,” MacKenzie said.
“When Monday rolled around, everything was up and running.”
MacKenzie added that the university’s IT Services team is pleased that the security alerts were able to detect the attempted cyberattack, and a security audit was conducted last year that resulted in the university adding software to its systems to allow them to identify this type of activity.
“From here we will investigate opportunities, such as increasing the sensitivity settings within our security systems, as well as look for opportunities to take older systems offline,” MacKenzie said.
The university believes the attempted cryptocoin mining occurred from outside the university’s server, but Masson says these types of attacks also tend to occur from within the university.
“That’s quite common,” he said. “They understand the organization, they understand the network, and so they launch their own mining operation from with the organization they’re in.”
“This is done very stealthily. The affected device won’t notice this happening, so any network they can get the malware onto, they’re up and away.”
Masson added that it shouldn’t be surprising that a large network such as St. FX was subject to the attempted cyberattack.
“There’s a lot of computing power, plus a lot of hydropower there that someone can use to mine these coins.”
WATCH: Online security expert suggests apps to use when you’re travelling
The university has stated that there is no evidence of personal information within the network being breached, but they’re asking everyone at the university to reset their passwords as a result of the incident.
They say they’ll continue to monitor the situation, as well the university’s network for suspicious activity in the coming days.