Nicholas Bogel-Burroughs / Sun Staff Writer

State-sponsored hackers remained undetected for months in the School of Industrial and Labor Relations in the largest ever state-sponsored cyber attack on the University, senior information technology administrators told The Sun.

February 21, 2017

Hacker ‘Rasputin’ Breaches Cornell, Attempts to Sell Access

Print More

A notorious Russian-speaking hacker has breached more than 60 universities and agencies — including Cornell University — and is attempting to sell unauthorized access to the agencies for profit, according to a report from a private internet intelligence company.

The list of victims, published by Recorded Future, ranges from the City of Pittsburgh to the National Oceanic and Atmospheric Administration to 25 universities including New York University, Rochester Institute of Technology, the University of Oxford and Cornell.

A Russian-speaking hacker, dubbed Rasputin, is behind the breaches, according to Recorded Future, and is attempting to sell access to the victims’ networks for economic gain.

Wyman Miles, chief information security officer at Cornell, referred inquiries to Director of Media Relations John Carberry, who declined to comment on the breach.

Cornell also declined to comment in December on a foreign-government sponsored hack of the ILR School in 2014, which IT administrators said was the biggest state-sponsored cyber breach of Cornell ever, The Sun previously reported.

The same method used in the ILR School breach — SQL injection, in which instructions are entered into a website’s data field — was used in the most recent breaches, according to Recorded Future. There is no indication that Rasputin was behind the 2014 hack of Cornell.

The FBI, which also declined to comment for this article, helped notify at least one university that it had fallen prey to Rasputin, who reportedly also attempted to sell access to the U.S. Election Assistance Commission in 2016.

Michael Story, interim chief information security officer at the University of California, Los Angeles, which is on list of breached universities, told The Sun that the long list of hacked agencies is sure to raise eyebrows, but provides little information about the severity and context of the hacks.

UCLA had already fixed its breached website by the time Recorded Future published its report, Story said.

“We had already remediated the site. … The site was a trivial site that didn’t have any valuable data.”

Cornell has not disclosed any details of the hack, including its severity and which departments or websites were affected, making it impossible to know the seriousness of the hacker’s breach of Cornell or if the vulnerability has been fixed.

More than 60 government agencies and universities — ranging from the City of Pittsburgh to the University of Oxford — were breached by Rasputin

Recorded Future

More than 60 government agencies and universities — ranging from the City of Pittsburgh to the University of Oxford — were breached by Rasputin.

Marc Hoit, vice chancellor and chief information officer at North Carolina State University, told The Sun in an email that one site at NC State was breached and taken down. The site was rebuilt, patched and is now up and running, he said.

“No real damage and it was a minor site,” Hoit said in an email.

Robert Pruett, the director of technology support at The University of Mount Olive — a small, private college in North Carolina that was also breached by Rasputin — said the hacker had only managed to infiltrate an old survey website that had little, if any, information.

“We’re in the same boat as RIT, so we shouldn’t feel bad,” Pruett said, referring to the prestigious technology university in Rochester. “We had a SQL injection [breach] on a survey data program. That’s the extent of the breach on us.”

Pruett said the FBI, and not Recorded Future, notified The University of Mount Olive directly, and when they informed the university that there had been a breach, the technology team was able to find and patch the vulnerability.

When Recorded Future determined that universities were one of the major groups targeted by Rasputin, it contacted the Research Education Networking Information Sharing and Analysis Center (REN-ISAC), which has 543 member institutions, on Feb. 7 to ensure schools were aware of the hack.

Scott Finlon, principal security engineer for REN-ISAC, said Recorded Future sent the center a list of website addresses of universities that were breached as part of the Rasputin hack and REN-ISAC passed them along to the affected schools.

Humboldt State University in northern California was also a victim of Rasputin, but the university said IT staff quickly patched the vulnerability after they were notified on Feb. 8 and no confidential data was accessed.

A training website that was in partial use by the human resources department contained a bug that allowed external visitors to view registration information, the university’s IT department said in a statement.

St. Cloud State University, a public university in Minnesota that enrolls about 15,000, was also breached by Rasputin.

Darrin Printy, senior IT security program lead at the university, told The Sun the hack does not appear to be serious, although the University is still investigating.

“So far, it seems to be minor,” Printy said. “We’re still trying to understand what’s really going on and why we made the list.”

Printy said he learned of the breach from Recorded Future, but the company’s notification letter included few more details than that the company was going to publish a list and St. Cloud State University was going to be on it. Printy has since reached out for more information, he said, but received little back.

The hacker’s method, SQL injection, is a popular way to infiltrate websites and there are many free applications available to detect vulnerabilities.

Rasputin, however, is using a proprietary application he developed to find and exploit these coding flaws, according to Recorded Future.

Cornell was first contacted for comment on Friday and did not respond to additional requests for comment Tuesday.