China Blamed for Penn State BreachHackers Remained Undetected for More than Two Years
Penn State University's College of Engineering computer network has been victimized by two sophisticated cyberattacks, with at least one originating from China.
The university revealed the breaches on May 15, although the FBI notified the school of the attacks on Nov. 21. An investigation by the cybersecurity firm Mandiant concluded that the first intrusion occurred as early as September 2012, with one of the attacks originating in China.
Penn State said there is no evidence that either research data or personally identifiable information had been stolen. Still, investigators concluded that a number of College of Engineering-issued usernames and passwords were compromised. Penn State is notifying about 18,000 individuals whose PII is believed to have been exposed, and is offering them one year of free credit monitoring.
The university says it disconnected the engineering college's network from the Internet, and a large-scale operation is underway over the weekend to recover all systems.
How the Breaches Occurred
Hackers orchestrated covert, targeted attacks to gain access to a system and then employed sophisticated evasion techniques to remain undetected, sometimes for years, according to a Q&A posted on a Penn State website. "We did not identify the initial vulnerability that the attacker exploited to gain access to Penn State," says Marcus Robinson, Penn State communications director. "Once the attackers gained initial access, they used a combination of modified publicly available tools/malware and custom malware. The custom malware was not publicly available, but variants of malware we have seen the attack group use in other intrusions."
Penn State delayed publicizing the breach, in part, to keep the attackers off guard. "It was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation," says Nicholas Jones, executive vice president and provost at Penn State. "Any abnormal action by individual users could have induced additional unwelcome activity, potentially making the situation even worse."
The university says it's notifying about 500 public and private research partners who have executed contracts with College of Engineering faculty since September 2012, despite the contention that no research data were compromised.
University systems are seen as ideal targets for hackers. "As we have seen in the news over the past two years, well-funded and highly skilled cybercriminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property," Penn State President Eric Barron said in a letter to the university community.
Ken Westin, senior security analyst for the IT security firm Tripwire, says intellectual property was the likely target given that the hackers targeted the engineering department. "Many times there is deep collaboration between higher education and private industry to commercialize research, and this combined with the fact that higher education generally lacks the resources to develop a strong security posture makes them a high value target for sophisticated attackers," Westin says.
Penn State, like many large research universities, has a number of multimillion dollar contracts with the Defense Department, and getting information about those projects might prove attractive to China, which the U.S. government has alleged pilfers military and corporate trade secrets over the Internet.
"Large research universities that do a lot of this development of sensitive technology would be pretty good targets for the hackers - who are sponsored by other governments, including China, that want to get to that information," says security and privacy expert Rebecca Herold, chief executive of The Privacy Professor.
New Passwords Being Issued
Though a small fraction of compromised accounts had been used by the attackers to access the network, the university said, all College of Engineering faculty and staff at the main campus, as well as students at all Penn State campuses who recently have taken at least one engineering course, will be required to choose new passwords. Faculty and staff who seek remote access to the system through a virtual private network will be required to use two-factor authentication to sign in.
Penn State said the entire university system "repelled more than 22 million overtly hostile cyberattacks from around the world" on an average day last year. "However, in this case we are dealing with the highest level of sophistication," said Vice Provost for Information Technology Kevin Morooney. "Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure."
Morooney said the university will launch a comprehensive review of all related IT security practices and procedures.