More than a month after a ransomware cyberattack on its computer systems, the Atacama Large Millimeter/Submillimeter Array (ALMA) in Chile remains offline. The unprecedented disruption is hindering the research projects of astronomers around the world and is costing the observatory about a quarter of a million dollars a day.
On 29 October, ALMA users realized that their network had been attacked when a number of their computer tools stopped working. Technicians quickly isolated the parts of their network that had been infiltrated by the hackers, eliminating the need to pay a ransom. Although the attack did not get as far as the antennas and the correlator, which packages together all the observational data, ALMA has not yet returned to operation. The hope, according to ALMA director Sean Dougherty, is that the telescope will come back on line on 19 December.
Built at a cost of $1.4 billion, ALMA is one of the world’s largest telescopes. It comprises 66 large radio dishes that dot a 5000-meter-high plateau in the Atacama Desert of northern Chile. The dishes together act as a single telescope and observe at millimeter and submillimeter wavelengths. Those wavelengths straddle radio and IR, a range that is particularly useful for studying star and galaxy formation.
The telescope is operated by the European Southern Observatory, NSF in the US, and the National Institutes of Natural Sciences of Japan, in cooperation with the Republic of Chile. Thousands of astronomers in multiple countries have access to ALMA’s data. The sprawl of the collaboration is part of what allowed the cybercriminals to get a foothold in the organization. The hackers accessed the system through a virtual private network (VPN), most likely with compromised credentials, Dougherty says.
“We managed to stop the attack before basically the whole system was compromised,” Dougherty adds; the data archives and backups, for example, remain intact. But the damage was still extensive, and for the past month, ALMA staff have been rebuilding the network, which includes replacing the compromised VPN. The new system will be more secure and will make it easier to isolate breached servers.
In the meantime, the outage is taking a toll on both the observatory and the astronomers who use it. Given operating expenses of $90 million a year regardless of whether the telescope is observing, every day during the outage is costing just under $250 000, Dougherty says. And those who had observations planned during this blackout have lost their slots. There are discussions about what to do for those who missed out, Dougherty says, “but the opportunity for those particular observations has passed in this cycle.”
Ransomware attacks, in which criminals hold an organization’s computer networks and data hostage in exchange for payment, are becoming increasingly common. Dougherty says the ALMA cyberattackers executed a “particularly sophisticated” attack that, according to the US Cybersecurity and Infrastructure Security Agency, has been used to exploit more than 1300 companies worldwide and to extract approximately $100 million in ransom payments.
Although many science facilities around the world face attempted cyberattacks daily, ALMA is among the first to suffer such a major breach. An NSF spokesperson says that among its facilities, the agency is “not aware of any cyberattacks with significant impact prior to the ALMA incident.” The spokesperson could not comment on specifics of the incident due to an ongoing law-enforcement investigation.
“Cybersecurity is a significant and growing concern across the public and private sector,” stated a 2021 NSF-commissioned study into cybersecurity at its facilities. “To adequately respond to the rapidly changing threat landscape, all major facilities must sustain and continually evolve their cybersecurity practices.”
Dougherty says that the attack made general users, including astronomers and staff who access the ALMA network remotely from around the world, more aware of cyberthreats and the need to be vigilant. Although computing staff recognize the risks and hold annual cybersecurity workshops, “the importance of those things is sometimes not taken on board by everyone,” he adds. “Events such as this make everyone realize, ‘Yeah, these things are important.’ ”
Rodrigo Herrera-Camus, an astronomer at the University of Concepción in Chile, is observing dust and gas in ancient galaxies as part of ALMA’s CRISTAL program. That program and a smaller follow-up initiative have been affected by the shutdown, he says. “They required observations using an antenna array configuration that was available during the time of the attack and that potentially could not be available during the rest of the ALMA observing cycle.” Most of the CRISTAL observations were carried out prior to the attack, so he and his colleagues are able to analyze those data. But they obtained only half of the smaller program observations.
Jes Jørgensen, an astrophysicist at the University of Copenhagen, is using ALMA to study dust and gas around stars and planets in their earliest evolutionary stages. Most of his data are scheduled to come beginning in January, so he hopes that the system is back on line this month. “What is more problematic,” he says, “are some of the other programs that will not be executed at all this year—in particular, those led by researchers in earlier career stages where obtaining the ALMA data may be critical for applying for their next positions or funding.”
Jørgensen and colleagues also have programs that use data from both ALMA and the James Webb Space Telescope. “Delays in obtaining the ALMA data for those programs do cause problems for us when planning to apply for additional time with JWST at its next deadline in late January 2023,” he says. “I am of course crossing my fingers that the situation will soon return to normal.”
Editor’s note, 13 December: Due to an editing error, the original secondary headline misstated the nature of the cyberattack. It has been corrected.