Why China’s universities are so vulnerable to WannaCry global cyberattack
As the global fallout from a massive cyberattack ebbed on Tuesday, it emerged that universities bore the brunt of the assault in China – even as Chinese authorities contested the extent of the damage.
More than 4,300 Chinese educational institutions were infected by the WannaCry ransomware that spread across the globe last Friday, according to Chinese cybersecurity giant Qihoo 360’s Threat Intelligence Centre. Almost 30,000 organisations across the country were affected in all.
But the Ministry of Education’s China Education and Research Network (Cernet) said just 66 out of 1,600 Chinese universities were affected, rejecting reports of widespread damage in higher-education computer systems as “malicious” hype.
Cernet said the 66 universities were affected mainly because their operating systems were not regularly upgraded rather than any major security shortcomings.
It dismissed Qihoo 360’s claims as “inaccurate statements that have seriously misled public opinion, caused panic among teachers and students, and affected the normal order of instruction and life”.
Beijing University and Tsinghua University, China’s two top institutions located in Beijing, issued statements saying prompt security action had prevented a “large-scale” infection on their campuses. They gave no further details.
Students on campuses affected by the ransomware, however, told of their horror at finding their experiment data encrypted and half-completed thesis files lost, which could affect their graduation, according to Chinese media reports.
Despite Cernet’s denials, international cybersecurity experts said Chinese universities had proven particularly vulnerable in the WannaCry attack, warning that such weaknesses could “leave the door wide open to enemies” in future cyberwarfare.
One key reason these educational institutions were so badly hit was that the latest security patches had not been installed to protect their networks.
Tang Wei, a Beijing-based senior engineer with Chinese cybersecurity firm Rising, said the cyberattack exposed several security soft spots in China’s network infrastructure.
The WannaCry virus takes hold of computers by exploiting a known weakness in the Microsoft Windows operating system to hold sensitive data “hostage” with encryption. To break the code, the world’s most powerful supercomputers would have to run non-stop for thousands of years.
As a result, once infected, the only practical way to recover one’s encrypted data would be to obtain a decryption key by paying the hacker a ransom.
The international cybersecurity industry had raised the alert about WannaCry more than two months ago and many companies, including Microsoft, had come up with solutions including security patches and system upgrades.
As the virus reaches computers through port 445 – the network port used by the file-sharing protocol that lets devices such as printers share files – shutting down the port can protect computers on a network from the cyberattack.
This measure was implemented by all backbone network operators across China except Cernet, according to several Chinese cybersecurity firms. Cernet connects a large number of campus networks at various security levels, some of them quite low due to poor management control.
Cernet itself admitted in a statement late on Monday that it did not shut down port 445, which resulted in the rapid spread of WannaCry across its networks. Port 445 was left open to facilitate academic activities that required file-sharing, it said.
But students also often used the port to play games or share illegal content such as pirated movies, according to Chinese media reports.
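The port 445 spread described above suggests a simple defender-side check: flag any internal host that fans out to many distinct peers on TCP 445 within a short window, which is the pattern of worm-style propagation rather than ordinary file-sharing. This is an added example, not code from the article or from any of the firms it quotes; it runs over constructed flow-log lines in a hypothetical "timestamp src dst dstport action" format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (not real data); 10.20.1.5 behaves like a
# worm host, 10.20.1.7 is a normal client talking to one file server.
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.20.1.5 10.20.1.9 445 ALLOW
2017-05-12T09:00:02 10.20.1.5 10.20.1.10 445 ALLOW
2017-05-12T09:00:02 10.20.1.5 10.20.1.11 445 ALLOW
2017-05-12T09:00:03 10.20.1.5 10.20.1.12 445 ALLOW
2017-05-12T09:00:03 10.20.1.5 10.20.1.13 445 ALLOW
2017-05-12T09:00:04 10.20.1.5 10.20.2.40 445 ALLOW
2017-05-12T09:00:10 10.20.1.7 10.20.1.1 445 ALLOW
2017-05-12T09:00:11 10.20.1.7 10.20.1.1 445 ALLOW
2017-05-12T09:00:12 10.20.1.8 10.20.1.50 80 ALLOW
2017-05-12T09:30:00 10.20.1.5 10.20.1.60 445 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_lines(text):
    """Parse the hypothetical log format into (timestamp, src, dst, port, action)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip blank or malformed lines
            continue
        ts, src, dst, port, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def find_port445_fanout(text, max_peers=5, window=timedelta(seconds=60)):
    """Return {src: peer_count} for hosts that reached more than max_peers
    distinct destinations on TCP 445 inside any sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in parse_lines(text):
        if port == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()  # chronological order so each window starts at conns[i]
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(peers) > max_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged
```

A host flagged this way is a candidate for isolation and patch verification; the threshold and window should be tuned to the site's normal file-server traffic before alerting on it.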
Another reason Chinese universities were so severely affected was also related to Cernet, according to a Chinese cybersecurity expert who declined to be named due to the sensitivity of the issue.
The core of the WannaCry malware is widely believed to have come from Eternal Blue, a leaked cyberweapon from the United States’ National Security Agency.
Information provided to South China Morning Post in 2013 by former NSA contractor Edward Snowden showed that the US agency had targeted Tsinghua University through extensive hacking activities.
Tsinghua is involved in many of China's defence-related projects. The institute’s professors are often consulted or directly involved in the decision-making process of many government policies. Its campus hosts a central server of Cernet.
The vulnerable Cernet network, which links top research institutes to large state-owned companies that might be using outdated operating systems, gave hackers easy access, the expert said.
“In the past, [such hacking] was done by the US government. But now anyone can use such weapons. Things can easily get out of control,” he said.