Cyberattacker Offers Access to Private Data From 60 Universities and Agencies
In February 2017, a private threat intelligence firm alerted more than 60 organizations – institutions of higher education and governmental entities – that their internal databases had been breached by a Russian-speaking cybercriminal. The alleged cyberattacker (nicknamed “Rasputin”) has been the suspected culprit in several high-profile incidents, most notably, the recently reported hack and subsequent database sale of the U.S. Election Assistance Commission in November 2016. In this latest series of attacks, Rasputin is not directly selling data stolen from these systems; instead, he is offering to sell access to the systems that have been exploited. That access would allow his purchasers to access and exploit information they find through the malware that he has installed.
Cybersecurity firm Recorded Future noted in its blog post that its researchers became aware of the attack on certain governmental entities in December 2016. Specifically, the firm reported evidence of unauthorized access to databases; Recorded Future did not locate any actual publication or sharing of private data from these databases.
Working with law enforcement officials, the firm discovered additional targets in the field of higher education –more than 30 universities across the U.S. and U.K. Recorded Future notified all affected entities of the potential threats through the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
- Intentional targeting of higher education institutions: As reported by Recorded Future, Rasputin targets particular industries, including higher education: “[t]hese are intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).” In other words, colleges and universities present an attractive combination for would-be hackers -- a perceived ease of attack coupled with a virtually assured “reward” for a successful breach.
- Third party breach notification: Often, institutions first become aware that their systems or data have been breached when it is reported to them by a third party: a security researcher, law enforcement entity, or other institution. Frequently, the third party sees what appears to be the institution’s sensitive information posted on, or being advertised on, dark websites and black market web forums where that kind of information is sold. In other instances, such as this one, the information itself is not being sold, but the hacker who has gained unauthorized access to the systems is offering to sell that access to someone else – presumably so that they can access information on the compromised systems.
- SQLi attacks are prolific and dangerous – but often preventable: One of the most common cybersecurity attacks is the method used by Rasputin -- SQL injection (“SQLi”). SQLi vulnerabilities are common in the kinds of interactive web applications that allow external users to enter or upload information to a website. As a result, the SQLi technique is frequently used to attack web applications. To implement the attack, code is inserted (or “injected”) into the application; the malware then allows the attacker to access data in the compromised systems.
For SQLi to be successful, the attacker must exploit a software security vulnerability. Upon a successful injection, the attacker can bypass the application’s authentication and authorization mechanisms and can retrieve, add, modify or delete any records in the affected database. The attacker can also impersonate specific users of the database. Data breaches caused by SQLi can provide attackers with unauthorized access to sensitive data including PII, personal health information (PHI), trade secrets, intellectual property and other sensitive information. An attacker could also use this unauthorized access to delete academic data or alter account balances. The most troubling aspect of this method is its relative ease of implementation – even an unsophisticated cyberattacker can launch a successful SQLi attack after using commonly available tools to locate systems that have current SQLi vulnerabilities.
Despite these risks, institutions that implement cybersecurity best practices can minimize or eliminate the threat of the most common SQLi attacks. As the threat of cybersecurity breaches continues to grow, institutions should continue to assess the broad range of consequences they could face as a result of a data breach: legal liability, regulatory compliance requirements, and the risk to intellectual property and to the institution’s reputation. As Rasputin and other financially-motivated actors will continue to exploit any area of weakness, colleges and universities, like other organizations, should remain vigilant against such threats and proactively assess their cybersecurity practices.
Saul Ewing’s Cybersecurity and Privacy and Higher Education Practices are able to assist colleges, universities, and a variety of other organizations, in assessing their cybersecurity risk and taking proactive steps to mitigate and reduce those risks. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.