By Darlene Storm, Computerworld |

About |

Most security news is about insecurity, hacking and cyber threats, bordering on scary. But when security is done right, it's a beautiful thing...sexy even. Security IS sexy.

News Analysis

Hacker breached 63 universities and government agencies

A security firm claims the Russian-speaking hacker Rasputin has breached a total of 63 US and UK universities and US government agencies.

hacker, hack, hacking — Michael Kan/IDGNS

A “Russian-speaking and notorious financially-motivated” hacker known as Rasputin has been at it again, hacking into universities and government agencies this time, before attempting to sell the stolen data on the dark web.

According to the security company Recorded Future, which has been tracking the cybercriminal’s breaches, Rasputin’s most recent victims include 63 “prominent universities and federal, state, and local U.S. government agencies.” The security firm has been following Rasputin’s activity since late 2016 when the hacker reportedly breached the U.S. Electoral Assistance Commission and then sold EAC access credentials.

Recorded Future claims that Rasputin’s victims are “intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).”

All of the hacked agencies and universities have been notified about the breaches by Recorded Future. There were 16 U.S. state government victims, 6 U.S. cities and four federal agencies. Additionally, there were two “other” .gov sites which included Fermi National Accelerator Laboratory, “America’s premier particle physics lab,” and the Child Welfare Information Gateway, which is “a service of the Children's Bureau, Administration for Children and Families, U.S. Department of Health and Human Services.”

U.S. Government Victims (States)	U.S. Government Victims (Cities)
Texas Board of Veterinary Medical Examiners	City of Springfield, Massachusetts
Oklahoma State Department of Education	City of Pittsburgh, Pennsylvania
The South Carolina Public Employee Benefit Authority	Town of Newtown, Connecticut
Rhode Island Department of Education	City of Alexandria, Virginia
District Columbia Office of Contracting and Procurement	City of Camden, Arkansas
District Columbia Office of the Chief Financial Officer	City of Sturgis, Michigan
Alaska Department of Natural Resources
County of Santa Rosa, Florida	U.S. Federal Agency victims
York County, Pennsylvania	Postal Regulatory Commission
Virginia Department of Environmental Quality	U.S. Department of Housing and Urban Development
State of Oklahoma	Health Resources and Services Administration
Alaska Division of Retirement and Benefits	National Oceanic and Atmospheric Administration
Louisiana Department of Education
Madison County, Alabama	“Other” .gov sites
Washington State Arts Commission	Fermi National Accelerator Laboratory
West Virginia Department of Environmental Protection	Child Welfare Information Gateway

Rasputin also hit 35 universities, 24 in the U.S., 10 in the U.K. and one in India. Recorded Future actually lists 25 U.S. universities, but a search shows that the University of Delhi is located in New Delhi, India.

U.S. University Victims
	Cornell University	University of the Cumberlands
	VirginiaTech	Oregon College of Oriental Medicine
	University of Maryland, Baltimore County	Humboldt State University
	University of Pittsburgh	The University of North Carolina at Greensboro
	New York University	University of Mount Olive
	Rice University	Michigan State University
	University of California, Los Angeles	Rochester Institute of Technology
	Eden Theological Seminary	University of Tennessee
	Arizona State University	St. Cloud State University
	NC State University	University of Arizona
	Purdue University	University at Buffalo
	Atlantic Cape Community College	University of Washington

The University of Delhi is also listed, but as mentioned previously, Recorded Future noted that it is in the US.

U.K. University Victims
	University of Cambridge	Coleg Gwent
	University of Oxford	University of the Highlands and Islands
	Architectural Association School of Architecture	University of Glasglow
	University of Chester	University of the West of England
	University of Leeds	The University of Edinburgh

All of the attacks were carried out by SQL injection. Instead of using any of the many available SQLi scanners, Recorded Future reported that Rasputin uses an SQLi tool that he developed himself to locate and exploit vulnerable web apps. The attacks are easy to carry out, “but expensive to defend.”

As it is “easy to remediate” the problem, Recorded Future recommended a different carrot and stick incentive. “Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots to address and fully eradicate this issue.”

Darlene Storm (not her real name) is a freelance writer with a background in information technology and information security.

Bing’s AI chatbot came to work for me. I had to fire it.