Swarthmore Cyberattack: Analysis and Reactions

May 6, 2025

According to Swarthmore Public Safety and Information Technology Services (ITS), the college was likely the target of a cyberattack on Wednesday, April 30, against its network and associated computer systems, resulting in widespread Internet outages. The situation developed over several days as Swarthmore College and its community learned more about the incident, despite little official word on the matter. As of Wednesday, May 7, ITS says the issues have been resolved, as announced to the community in an email. However, a separate incident that same day affected a number of students as well, leading to widespread impaired connections with no official guidance from the school.

Midday on April 30, students began reporting trouble loading websites in Chrome-based web browsers. Upon navigating to a new page, the browser would report a connection error, as if the server on the other end had refused to acknowledge the request. As the errors spread around campus, worry followed, and with finals season on the horizon, a lack of Internet meant no access to online textbooks, course materials, study tools, and so on.

Official acknowledgement by Swarthmore ITS came late that night, when they posted a minimal statement on their support page and the Swarthmore “Dash” explaining that they were aware of the issues and were looking into the reports. This post has since been removed, as ITS only displays the latest published message regarding the incident. They also mentioned that the issue seemed largely isolated to Chrome, while other browsers such as Firefox and Safari should not experience as many issues. The next day, however, the problem dramatically worsened, with ITS amending their previous statement to say the issues were no longer isolated to Chrome.


Around 11 a.m. on Thursday, May 1, Public Safety notified the community via the Swat Alert emergency notification system that the Zoom Phone service was down. This development was the first indication that the outages were not limited to browsers and were in fact affecting general Internet traffic into, out of, and within the college’s network. At 1 p.m., a follow-up alert from Public Safety stated that they “believe[d] this [was] an intentional cyber act targeting the College.” A coinciding statement from ITS that has since been taken down confirmed this stance, but clarified there was no reason to believe any personal data had been exfiltrated or any systems compromised. 

During this period, students, faculty, and administrators faced outages across the board in mission-critical systems, likely due to traffic rate limiting and other symptoms of a Distributed Denial of Service (DDoS) attack, or to false positives in the mitigation mechanisms deployed against it. Computer science students found themselves unable to remotely access lab machines, both on and off campus. Furthermore, professors were unable to access Moodle, and the Office of Student Engagement was fighting uphill battles merely to fill out purchasing requests, irrespective of browser or protocol.

That evening, after substantial work on the part of the security and networking arms of ITS, the attacks were halted, and the wider-ranging effects were reduced to only the Chrome access issues, which are still affecting campus today.

Reports have been circulating that multiple DDoS attacks were levied against the college around the beginning of the outages, but that the attack itself was not the main user-facing issue. It seems that, either by coincidence or as an indirect consequence of the attack, TLS (Transport Layer Security) 1.3 connections that offered the “Kyber” post-quantum key exchange were being stopped at the college’s firewall system.

TLS is a protocol for encrypting traffic on a computer network. Every time you access a secure website or send an email from a standard provider, you are using TLS to keep your traffic hidden from others and to prevent interference with your data. TLS 1.3 is the latest version of this protocol, and browsers have recently begun layering a new “post-quantum” key exchange onto it to stay secure in a world with increasingly powerful encryption-breaking machines, such as quantum computers. It is worth noting that no current quantum computer is capable of breaking the encryption schemes in everyday use. Instead, “post-quantum” refers to an anticipated future in which quantum computers can efficiently break most of today’s standard public-key schemes; the concern is that traffic recorded now could be decrypted then, which is why browsers have moved early.

When Kyber (“post-quantum key agreement”) is enabled, as it is by default in modern Chrome-based browsers, the browser does not encrypt the traffic differently; rather, the key it sends in the very first handshake message grows by roughly 1,200 bytes. That first message no longer fits in a single packet (the base unit of transmitted information) and is split across two. When packets hit the Swarthmore firewall, whether from inside or outside the college, they are checked before being passed through or rejected; a firewall that expects the whole opening handshake message in one packet, or that does not recognize the new key-exchange scheme, errs on the side of rejection. It appears that TLS 1.3 handshakes carrying the Kyber key share are being rejected by the system. Why this has changed since the attack is unclear.
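As an added illustration that is not part of The Phoenix’s reporting, the Python below builds a trimmed-down TLS 1.3 ClientHello with and without the X25519Kyber768 hybrid key share and passes each through two toy firewall models: one that inspects only the first TCP segment, and one that reassembles the stream first. The group code points, key sizes and extension encodings are the public TLS values; the 1460-byte segment size, the zero-filled placeholder keys, the abbreviated extension list and the “first-segment-only” firewall are assumptions made for the example, not a description of Swarthmore’s equipment.

```python
import struct

# TLS 1.3 named-group code points (IANA registry; 0x6399 is the draft
# X25519Kyber768 hybrid that Chrome shipped under its "Kyber" flag).
X25519 = 0x001D
SECP256R1 = 0x0017
SECP384R1 = 0x0018
X25519KYBER768 = 0x6399

# Bytes of key_exchange data the client sends per group: 32 for X25519,
# 32 + 1184 (the Kyber-768 encapsulation key) for the hybrid.
KEY_SHARE_LEN = {X25519: 32, X25519KYBER768: 32 + 1184}


def ext(ext_type, body):
    """Encode one TLS extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack(">HH", ext_type, len(body)) + body


def build_client_hello(key_share_groups, server_name="www.example.com"):
    """Return one TLS record holding a ClientHello that offers a key share for
    each group in key_share_groups. Keys are zero-filled placeholders and the
    extension set is an abbreviated version of a browser's (assumption)."""
    host = server_name.encode()
    sni = struct.pack(">HBH", len(host) + 3, 0, len(host)) + host
    protos = b"".join(bytes([len(p)]) + p for p in (b"h2", b"http/1.1"))
    sig_algs = b"".join(struct.pack(">H", a) for a in
                        (0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601))
    groups = list(key_share_groups) + [SECP256R1, SECP384R1]
    shares = b"".join(struct.pack(">HH", g, KEY_SHARE_LEN[g]) + bytes(KEY_SHARE_LEN[g])
                      for g in key_share_groups)
    extensions = (
        ext(0x0000, sni)                                          # server_name
        + ext(0x0017, b"")                                        # extended_master_secret
        + ext(0xFF01, b"\x00")                                    # renegotiation_info
        + ext(0x000A, struct.pack(">H", 2 * len(groups))
              + b"".join(struct.pack(">H", g) for g in groups))   # supported_groups
        + ext(0x000B, b"\x01\x00")                                # ec_point_formats
        + ext(0x0023, b"")                                        # session_ticket
        + ext(0x0010, struct.pack(">H", len(protos)) + protos)    # ALPN
        + ext(0x0005, b"\x01\x00\x00\x00\x00")                    # status_request
        + ext(0x000D, struct.pack(">H", len(sig_algs)) + sig_algs)  # signature_algorithms
        + ext(0x0012, b"")                                        # signed_certificate_timestamp
        + ext(0x002B, b"\x02\x03\x04")                            # supported_versions: TLS 1.3
        + ext(0x002D, b"\x01\x01")                                # psk_key_exchange_modes
        + ext(0x001B, b"\x02\x00\x02")                            # compress_certificate
        + ext(0x0033, struct.pack(">H", len(shares)) + shares)    # key_share
    )
    suites = b"".join(struct.pack(">H", c) for c in
                      (0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030,
                       0xCCA9, 0xCCA8, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035))
    body = (b"\x03\x03" + bytes(32)                 # legacy_version, random
            + b"\x20" + bytes(32)                   # legacy_session_id (compat mode)
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"                           # legacy_compression_methods: null
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record header


def tcp_segments(payload, mss=1460):
    """Split the record across TCP segments of at most mss bytes (1460 is the
    usual maximum segment size on a 1500-byte Ethernet MTU; assumption)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def parse_client_hello(data):
    """Parse a TLS record holding a ClientHello and return the key_share groups
    it offers. Raises ValueError if the bytes are not one complete hello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    if len(data) - 5 < rec_len:
        raise ValueError("record truncated: %d of %d bytes" % (len(data) - 5, rec_len))
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                # version + random
    pos += 1 + body[pos]                                        # legacy_session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]        # cipher_suites
    pos += 1 + body[pos]                                        # compression_methods
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    groups = []
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x0033:                                     # key_share
            ks, i = body[pos + 2:pos + elen], 0
            while i < len(ks):
                g, klen = struct.unpack(">HH", ks[i:i + 4])
                groups.append(g)
                i += 4 + klen
        pos += elen
    return groups


def strict_firewall(segments):
    """Toy middlebox that inspects only the first segment and drops whatever it
    cannot parse in full (assumed behaviour, not a real product)."""
    try:
        parse_client_hello(segments[0])
        return "pass"
    except ValueError:
        return "reject"


def reassembling_firewall(segments):
    """Toy middlebox that reassembles the TCP stream before inspecting it."""
    parse_client_hello(b"".join(segments))
    return "pass"


if __name__ == "__main__":
    for label, groups in (("X25519 only", [X25519]),
                          ("X25519Kyber768 + X25519", [X25519KYBER768, X25519])):
        hello = build_client_hello(groups)
        segs = tcp_segments(hello)
        print(f"{label}: {len(hello)} bytes, {len(segs)} segment(s), "
              f"strict={strict_firewall(segs)}, reassembling={reassembling_firewall(segs)}")
```

The hybrid hello is about 1.2 KB larger than the classical one and spills into a second segment, so the first-segment-only model rejects it while the reassembling model accepts it; offering only X25519, which is what the “disable Kyber” workaround does, keeps the hello small enough to pass either model.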

In addition to the panic surrounding the connection issues themselves, many voiced suspicions and concerns regarding the timing of the attack and its coincidence with the then-ongoing SJP encampment. While there is no known evidence that the events are linked, there is precedent for this type of attack surrounding both pro-Israeli and pro-Palestinian activist groups.

Nevertheless, it is extremely unlikely that the attack was directly levied by students on campus, given the large-scale resources required for a DDoS attack of this nature and the easy traceability of on-campus network traffic. The official position of the college, as communicated by Andy Hirsch, is that there is no connection between the events, as previously reported.

The Phoenix has had its own troubles relating to this outage, as its on-campus, student-run hosting by the Swarthmore College Computer Society (SCCS) is also behind the Swarthmore firewall, meaning all incoming traffic to swarthmorephoenix.com that offers the Kyber key exchange has been blocked. The current workaround recommended by ITS is to use Firefox, and in testing, the SCCS has found that disabling Kyber in chrome://flags (Chrome and other Chromium-based browsers) or in about:config (Firefox, via the security.tls.enable_kyber preference) may limit or eliminate the impact of the issue. This option, unfortunately, is not available in Chromium-based desktop applications such as Spotify Desktop or Steam, which expose no such setting.

The Phoenix has heard no evidence of any ransomware or data exfiltration attempts, and the easing of the traffic issues supports the conclusion that the attacks have ceased. The remaining outages stem from this TLS handshake problem alone.

Adding to these issues, throughout Tuesday, May 6, many students and faculty reported problems logging into their Swarthmore College accounts, as well as accessing WiFi, regardless of their browser. This issue was likely the result of ITS abruptly freezing hundreds of school accounts to counter a phishing email sent out that morning. Users were able to regain account access by resetting their Swarthmore passwords, but as of publication, ITS has neither publicly acknowledged nor provided a solution to this incident. The ITS support website announced that ITS would be performing website maintenance from 6:30 to 8:00 a.m. on May 7, which seems to have led to the apparent resolution that afternoon. There has been no new information from the college since the resolution on details of the attack or outages.

Also on May 7, many students received an email from the account of Swarthmore student Spencer McQuaig with the subject line “Swarthmore College, Act Now,” containing a link to a Google Form. The email made bogus claims of account deactivation and signed off as the “Swarthmore College  Help Desk,” with improper spacing. This was a phishing email, presumed to have been sent by a malicious actor, and it led administrators to believe some accounts had been compromised. The ITS security team notified Help Desk and account management employees to immediately suspend those students’ access to their accounts, and they did so with no warning to those affected.

Many locked-out students assumed the network was once again down, but in reality they were expected to contact the Help Desk for assistance. Once there, students were required to reset their passwords and sign back in on all devices. Students voiced concerns about the handling of this situation, especially on top of the other outages, with little communication or explanation from the college.

As of Thursday, May 8, there has been no statement on the compromised accounts, and the announcements regarding the outages have been entirely wiped from the ITS Service Portal page (although it is still visible from the Dash).
