A “Russian-speaking and notorious financially-motivated” hacker known as Rasputin has been at it again, hacking into universities and government agencies this time, before attempting to sell the stolen data on the dark web.

According to the security company Recorded Future, which has been tracking the cybercriminal’s breaches, Rasputin’s most recent victims include 63 “prominent universities and federal, state, and local U.S. government agencies.” The security firm has been following Rasputin’s activity since late 2016 when the hacker reportedly breached the U.S. Electoral Assistance Commission and then sold EAC access credentials.

Recorded Future claims that Rasputin’s victims are “intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).”

All of the hacked agencies and universities have been notified about the breaches by Recorded Future. There were 16 U.S. state government victims, 6 U.S. cities and four federal agencies. Additionally, there were two “other” .gov sites which included Fermi National Accelerator Laboratory, “America’s premier particle physics lab,” and the Child Welfare Information Gateway, which is “a service of the Children's Bureau, Administration for Children and Families, U.S. Department of Health and Human Services.”

U.S. Government Victims (States): Texas Board of Veterinary Medical Examiners; Oklahoma State Department of Education; The South Carolina Public Employee Benefit Authority; Rhode Island Department of Education; District Columbia Office of Contracting and Procurement; District Columbia Office of the Chief Financial Officer; Alaska Department of Natural Resources; County of Santa Rosa, Florida; York County, Pennsylvania; Virginia Department of Environmental Quality; State of Oklahoma; Alaska Division of Retirement and Benefits; Louisiana Department of Education; Madison County, Alabama; Washington State Arts Commission; West Virginia Department of Environmental Protection

U.S. Government Victims (Cities): City of Springfield, Massachusetts; City of Pittsburgh, Pennsylvania; Town of Newtown, Connecticut; City of Alexandria, Virginia; City of Camden, Arkansas; City of Sturgis, Michigan

U.S. Federal Agency victims: Postal Regulatory Commission; U.S. Department of Housing and Urban Development; Health Resources and Services Administration; National Oceanic and Atmospheric Administration

“Other” .gov sites: Fermi National Accelerator Laboratory; Child Welfare Information Gateway

Rasputin also hit 35 universities, 24 in the U.S., 10 in the U.K. and one in India. Recorded Future actually lists 25 U.S. universities, but a search shows that the University of Delhi is located in New Delhi, India.

U.S. University Victims: Cornell University; University of the Cumberlands; Virginia Tech; Oregon College of Oriental Medicine; University of Maryland, Baltimore County; Humboldt State University; University of Pittsburgh; The University of North Carolina at Greensboro; New York University; University of Mount Olive; Rice University; Michigan State University; University of California, Los Angeles; Rochester Institute of Technology; Eden Theological Seminary; University of Tennessee; Arizona State University; St. Cloud State University; NC State University; University of Arizona; Purdue University; University at Buffalo; Atlantic Cape Community College; University of Washington

The University of Delhi is also listed; as mentioned previously, Recorded Future placed it among the U.S. universities.

U.K. University Victims: University of Cambridge; Coleg Gwent; University of Oxford; University of the Highlands and Islands; Architectural Association School of Architecture; University of Glasgow; University of Chester; University of the West of England; University of Leeds; The University of Edinburgh

All of the attacks were carried out by SQL injection. Instead of using any of the many available SQLi scanners, Recorded Future reported that Rasputin uses an SQLi tool that he developed himself to locate and exploit vulnerable web apps. The attacks are easy to carry out, “but expensive to defend.”

As it is “easy to remediate” the problem, Recorded Future recommended a different carrot and stick incentive. “Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots to address and fully eradicate this issue.”