Hacker breached 63 universities and government agencies

A security firm claims the Russian-speaking hacker Rasputin has breached a total of 63 US and UK universities and US government agencies.

hacker, hack, hacking
Credit: Michael Kan

A “Russian-speaking and notorious financially-motivated” hacker known as Rasputin has been at it again, hacking into universities and government agencies this time, before attempting to sell the stolen data on the dark web.

According to the security company Recorded Future, which has been tracking the cybercriminal’s breaches, Rasputin’s most recent victims include 63 “prominent universities and federal, state, and local U.S. government agencies.” The security firm has been following Rasputin’s activity since late 2016 when the hacker reportedly breached the U.S. Electoral Assistance Commission and then sold EAC access credentials.

Recorded Future claims that Rasputin’s victims are “intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).”

All of the hacked agencies and universities have been notified about the breaches by Recorded Future. There were 16 U.S. state government victims, 6 U.S. cities and four federal agencies. Additionally, there were two “other” .gov sites which included Fermi National Accelerator Laboratory, “America’s premier particle physics lab,” and the Child Welfare Information Gateway, which is “a service of the Children's Bureau, Administration for Children and Families, U.S. Department of Health and Human Services.”

U.S. Government Victims (States)
U.S. Government Victims (Cities)
Texas Board of Veterinary Medical Examiners
City of Springfield, Massachusetts
Oklahoma State Department of Education
City of Pittsburgh, Pennsylvania
The South Carolina Public Employee Benefit Authority
Town of Newtown, Connecticut
Rhode Island Department of Education
City of Alexandria, Virginia
District Columbia Office of Contracting and Procurement
City of Camden, Arkansas
District Columbia Office of the Chief Financial Officer
City of Sturgis, Michigan
Alaska Department of Natural Resources
 
County of Santa Rosa, Florida
U.S. Federal Agency victims
York County, Pennsylvania
Postal Regulatory Commission
Virginia Department of Environmental Quality
U.S. Department of Housing and Urban Development
State of Oklahoma
Health Resources and Services Administration
Alaska Division of Retirement and Benefits
National Oceanic and Atmospheric Administration
Louisiana Department of Education
 
Madison County, Alabama
“Other” .gov sites
Washington State Arts Commission
Fermi National Accelerator Laboratory
West Virginia Department of Environmental Protection
Child Welfare Information Gateway

Rasputin also hit 35 universities, 24 in the U.S., 10 in the U.K. and one in India. Recorded Future actually lists 25 U.S. universities, but a search shows that the University of Delhi is located in New Delhi, India.

U.S. University Victims
 
Cornell University
University of the Cumberlands
 
 
VirginiaTech
Oregon College of Oriental Medicine
 
 
University of Maryland, Baltimore County
Humboldt State University
 
 
University of Pittsburgh
The University of North Carolina at Greensboro
 
 
New York University
University of Mount Olive
 
 
Rice University
Michigan State University
 
 
University of California, Los Angeles
Rochester Institute of Technology
 
 
Eden Theological Seminary
University of Tennessee
 
 
Arizona State University
St. Cloud State University
 
 
NC State University
University of Arizona
 
 
Purdue University
University at Buffalo
 
 
Atlantic Cape Community College
University of Washington
 

The University of Delhi is also listed, but as mentioned previously, Recorded Future noted that it is in the US.

U.K. University Victims
 
University of Cambridge
Coleg Gwent
 
 
University of Oxford
University of the Highlands and Islands
 
 
Architectural Association School of Architecture
University of Glasglow
 
 
University of Chester
University of the West of England
 
 
University of Leeds
The University of Edinburgh
 

All of the attacks were carried out by SQL injection. Instead of using any of the many available SQLi scanners, Recorded Future reported that Rasputin uses an SQLi tool that he developed himself to locate and exploit vulnerable web apps. The attacks are easy to carry out, “but expensive to defend.”

As it is “easy to remediate” the problem, Recorded Future recommended a different carrot and stick incentive. “Despite the government’s penchant for employing sticks to modify behavior, perhaps it’s time to offer financial carrots to address and fully eradicate this issue.”

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
4 high-growth tech fields with top pay
Shop Tech Products at Amazon