
An infamous group of Russian-linked hackers appears to have launched a crippling cyberattack on WNMU

Publicly, Western New Mexico University has simply said it’s “working through technical issues,” but employees’ computers are displaying threatening messages signed by a notorious group, Qilin, that claims to have access to employee Social Security numbers, driver’s licenses and more.

This story was originally published at Searchlight New Mexico, a NMPBS partner.

Western New Mexico University’s main campus in Silver City. Courtesy of Western New Mexico University

By Joshua Bowling, Searchlight New Mexico

For nearly two weeks, Western New Mexico University’s website and digital systems have been held hostage by what officials in internal emails have called the efforts of a “foreign hacking group.” The university has not publicly addressed the severity of the attack, but documentation obtained by Searchlight New Mexico indicates that an infamous Russian-speaking hacking group is behind the attack and claims to have access to employee payroll data, Social Security numbers and driver’s licenses.

In an image of an employee’s computer shared with Searchlight, a note that threatens to leak the employee’s Social Security number, driver’s license and the university’s “complete network map” is signed by Qilin, a hacking group that the federal government has accused of running a “ransomware-as-a-service” operation. Qilin has earned a cutthroat reputation for being willing to go after anyone. Last year, it was accused of being involved in a cyberattack that forced a hospital system to cancel more than 1,000 appointments and operations. Earlier this year, it made headlines for its role in stealing the Social Security numbers and driver’s licenses of journalists who work for newspapers owned by Lee Enterprises.

Since April 13, the WNMU website has been inaccessible to the public. Faculty members told Searchlight that they and their students can use digital platforms like Canvas, which are hosted by a third party, but they’re unable to use classroom tools that connect to the internet, like printers or projectors.

In an image shared with Searchlight, one employee’s laptop screen displayed the same threatening message whenever they attempted to open a file on their work computer. The message was signed “Qilin,” and its contents bear the hallmarks of modern ransomware: the attackers encrypt the victim’s files and offer to sell back the decryption key, and, in what is known as double extortion, they also steal copies of sensitive data and threaten to publish it unless paid. Paying does not remove that second threat; groups like these may leak the stolen data anyway, and there is no guarantee that a working decryption tool will ever be delivered.

“We have downloaded compromising and sensitive data from your system/network. Our group cooperates with the mass media. If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog,” the message says. “Data includes: Employees personal data, CVs, DL, SSN. Complete network map including credentials for local and remote services. Financial information including clients data, bills, budgets, annual reports.”

The note instructs recipients to download a Tor browser — commonly used to access the dark web — and visit a specific site to begin negotiations with the hackers. “You need cipher key/our decrypt software to restore your files … the police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.”

Payday delayed

On April 25 — a Friday, payday at WNMU — hourly and student employees said they had not yet received their direct deposits. In an email to employees reviewed by Searchlight, the university said the problem “stemmed from an unexpected complication during the file upload process to the bank” and said some employees might experience further delays in receiving the payments. “If this delay results in any overdraft fees, the university will reimburse those charges,” the email said.

The cyberattack comes at an inopportune time for university leaders, who are working to rebuild trust with the faculty senate, student body, state government and the surrounding Silver City community. Since December, when former university president Joseph Shepard resigned from his post and the governor demanded the resignations of the sitting regents, the campus has been without a permanent leader. New regents have only been on the job since late March, and now find themselves leading a university in disarray.

Threats like these have become common enough in local government that in 2022 the U.S. Department of Homeland Security launched the “State and Local Cybersecurity Grant Program,” the first of its kind, to help upgrade and protect IT networks across the country. It awarded nearly $280 million in grant funding for fiscal year 2024 — nearly $4 million of which went to New Mexico — and anticipated awarding $1 billion over four years.

In an email to executive managers on April 14 — one day after the attack — Provost and Vice President of Academic Affairs Jack Crocker said WNMU “experienced a cyberattack from a foreign hacking group” and said the university had the “ongoing collective support and assistance” of the New Mexico Higher Education Department, the Federal Bureau of Investigation and “other university cyber experts to help us combat the attack.”

In an email to Searchlight, Higher Education Department spokesperson Auriella Ortiz said the agency was working closely with the state Department of Information Technology to “evaluate” the issue.

“WNMU is undertaking a formal investigation to identify the scope of the incident and to facilitate necessary remediation efforts,” she wrote. “Our primary objective as state agencies is to support the university in restoring and continuing normal business operations following this incident.”

Whether that collective firepower will be enough to combat the hacking group remains to be seen. Qilin has developed a reputation for wreaking havoc wherever it goes. Last year, it was accused of being involved in an attack on a healthcare services provider in London that forced hospitals to cancel operations and appointments. Qilin has been operational since 2022 and runs a “ransomware as a service” operation, according to a 2024 report from the U.S. Department of Health and Human Services: independent criminals, known as affiliates, carry out the intrusions using Qilin’s malware and infrastructure, and Qilin’s operators keep a 15 to 20 percent share of any ransom paid. The 2024 report says that the group’s typical ransom demand is $50,000 to $800,000.

“Actors practice double extortion and operate a data leak site where victims are posted. Victims are directed to communicate with the attackers via dark web portals or encrypted messaging services, ensuring the attackers’ anonymity and complicating law enforcement efforts to track interactions,” the HHS report says. “Payments are demanded in cryptocurrencies, such as Bitcoin or Monero. However, even after payment, there is no guarantee that victims will receive the decryption tools required to recover their data.”

System outage or cyberattack?

Meanwhile, the severity of the situation hasn’t come through in the school’s public messaging (“While select systems remain offline,” a recent WNMU Facebook post said, “key academic and communications platforms continue to be accessible.”) For nearly two weeks, WNMU’s website has been down and employees have had varying degrees of access to their emails. Everything on the university website — minutes and agendas for Board of Regents meetings, campus announcements and calendars of events — has been blocked from public view, and students have had to use alternative login methods to access online homework, lectures and exams.

In public social media posts and emails to students, the university has not blamed a cyberattack or other nefarious activity for leading to the outages. Instead it has simply said it is “working through technical issues.” Internal communications, however, show that the situation is more serious than the university’s public depictions.

The university has also enlisted the help of private cybersecurity companies. A number of Wi-Fi hotspots have been installed on campus and students have received instructions on alternative ways to access Canvas, an online coursework program used by universities around the nation.

“In the meantime, the plan is to keep campus open,” Crocker wrote in his email to managers. “Face-to-face classes will meet and alternative access to online/hybrid classes is being created. However, university internet, email, phones, and connections outside WNMU are inoperable at this time and must remain so until the issues are resolved. Scheduled events, such as the scholarship luncheon, softball games, Cultural Affairs lectures will continue.”

While faculty and hourly employees have received different communications from the top, students have seemingly been left in the dark as to the serious nature of the system outage.

In an email to students last week, the university made no mention of a cyberattack. Instead, it told students that WNMU “is currently addressing technical issues affecting access to several key web-based services.” It also told students that “protecting your personal data — including your student status — is a top priority.”

In a statement Friday, university spokesperson Mario Sanchez said “impacted individuals” would be notified if their personal information was involved in the attack.

“The university’s investigation into this incident is ongoing. If the investigation determines that personal information was involved, impacted individuals will be notified in accordance with applicable law. We understand there was an issue with payroll processing for the current pay period, but our bank has let us know that the issue has been corrected and payroll should be posted today.”
