Date: 2023-06-23
NACOGDOCHES — International hacking group Rhysida this week leaked more than two dozen documents it says it stole from Stephen F. Austin State University in a cyberattack and announced plans to auction off other sensitive information harvested in the attack.
“We downloaded about 1.2 terabytes of data from their network, including SQL databases,” Rhysida said in an email to The Nacogdoches Daily Sentinel claiming responsibility for the attack.
The message included 28 files mostly dated from August to December 2022, though some went back as far as 2013.
University Police Department files, W-9 and contractor applications and passport documents were included in the leak.
“I also inform you that this data will soon be auctioned off on our website,” Rhysida said in the email.
University officials would not confirm whether Rhysida was behind the attack or whether the group had demanded a ransom for files.
“These are criminals and we aren’t interested in engaging them inappropriately,” said Graham Garner, the chief marketing officer for SFA.
It was also unclear whether the larger amount of data might contain files from law enforcement agencies from around Nacogdoches County that use software on the university’s servers.
The university notified faculty and students of Rhysida’s leak Friday evening.
“Friday morning, June 23, we received information that the threat actors behind this incident claimed to have acquired some data, which might include sensitive or personally identifiable information of some current and former employees and students,” interim university president Gina Oglesbee said in the email.
Rhysida was first observed in May, but it has hit some large targets including the Chilean army. The group commonly uses ransomware — a type of malicious software that holds computer files hostage while hackers ask for a payment as a form of extortion — according to cybersecurity experts.
Rhysida and other groups often engage in double extortion, meaning that they hold files for ransom and then auction them off to the highest bidder. Chilean military documents were recently sold through the group’s website.
After the attack, which was discovered June 12, Garner said no services were “knocked out or taken over.”
“We have said throughout that we have not had any indication that any sensitive information had been accessed inappropriately and that we would notify any individuals if that were to change at that point. With the information we have today, that is something we are reevaluating and will do exactly what we said,” Garner said Friday.
The email from Oglesbee indicated that “we have no evidence that central information, such as payroll or employee records or banking or student financial data, has been inappropriately accessed.”
Rhysida said that denying sensitive information was taken was “brazenly deceiving the public.”
The attack has spawned a large-scale investigation from SFA’s information technology department, other cybersecurity experts and law enforcement agencies including the FBI, Garner said.
FBI officials in Dallas declined to comment, citing the ongoing investigation.
The university has strengthened security efforts in the aftermath of the attack and increased the use of multi-factor authentication when accessing its network, Garner said.
SFA’s computer network remained largely offline June 12 through June 16.
