'Rasputin' Hacks 60 Universities And Government Agencies

News
By Nathaniel Mott
published

Recorded Future revealed that 60 universities and government agencies were targeted by a Russian-speaking hacker dubbed Rasputin. The security company said Rasputin used SQL injection, a common vulnerability found in many popular websites, in a likely bid to steal personal information.

Recorded Future previously identified Rasputin as the hacker selling access to a U.S. Election Assistance Commission (EAC) database in December 2016. Rasputin has now gone after Cornell University, New York University, and other prominent colleges in the United States and UK; U.S. cities and states; and federal agencies such as the U.S. Department of Housing and Urban Development and National Oceanic and Atmospheric Administration.

Here's how Recorded Future connected the dots between these victims:

The EAC database breach was the result of SQL Injection (SQLi), an attack that is technically easy, but expensive to defend. Recorded Future continues to monitor Rasputin’s campaigns, which are now sequentially targeting specific industry verticals. These are intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).

SQLi attacks have "been around since databases first appeared on the internet," Recorded Future said, but they're also "simple to prevent through coding best practices." The problem is that many groups--from tech companies like Yahoo and LinkedIn to the universities and government organizations implicated in this report--don't bother to defend against these attacks. This is the digital equivalent to leaving a door unlocked at night.

So how will this problem be solved? Recorded Future has a few ideas:

An opt-in program for partial corporate tax abatement could be a starting point. Program participation should require quarterly code audits by an approved vendor. Robust governance, risk, and compliance (GRC) programs (e.g., financial services companies) already mandate periodic code reviews, but all verticals need some type of incentive regardless of specific industry regulations. Unfortunately, government fines and/or loss from lawsuits may be the only incentives to prioritize code audits.

The problem echoes the many security vulnerabilities found in Internet of Things (IoT) devices. Manufacturers know how to keep these devices safe, or at least mitigate their risk of being compromised, yet they fail to do so because they lack any financial incentive. People will keep buying IoT products just like they'll keep trusting personal information to sites vulnerable to SQLi attacks. Government regulations might be a potential fix to that problem.

Recorded Future didn't reveal what kind of information might have been compromised by the attacks on these universities and government organizations, but given the amount of personal data these institutions hold, chances are good that Rasputin, whose hacks Recorded Future said are financially motivated, got whatever they were looking for.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

7 Comments Comment from the forums
  • The Paladin
    doubtful true, I checked 9 news casting sources including BBC, NPR and many other and No one has this as a topic.
    Reply
  • LORD_ORION
    Most likely true, 9 fake news fabrication sources including BBC, NPR and many others didn't report this.
    Reply
  • firefoxx04
    Good job Tom's LOL
    Reply
  • JamesSneed
    I get universities might have some issues as they are ran cheep but that statement "The problem is that many groups--from tech companies like Yahoo and LinkedIn" I doubt is true. Most I know of has software to do penetration tests and part of that is testing for SQL injection. I know who I work for does that even for internal applications on the local network. Its rather pathetic these days that people even write code without using bind variables that prevent this in the first place.

    For example placing something like this in the password box: mypass or 1=1

    When the backend query is written it will run a select on the table containing the hash password and 1 always equals 1 so it lets you in. Simply using a bind variable in the code prevents this type of hack as everything in the text box becomes the password i.e. "mypass or 1=1" gets passed as only the password not part of the query.

    Long story this was pathetic crappy code that wasn't penetration tested which is so simple to do today with the various software packages.
    Reply
  • jaber2
    Including TomsHardware.com
    Reply
  • Jim90
    Utterly shocking that some large organisations are still vulnerable to SQLi. This is very easy to prevent (i.e. good coding practices). Additionally, there are numerous free tools they could use to test an online database. How do they think the hacker was able to select them? If these organisations allow things like
    ' OR '1'='1' /*
    in an input box (and there are other injection attack types) to alter a query, and they are holding personal/CC info then they should be accountable in court.
    Reply
  • ddpruitt
    I stopped reading when I hit this line

    The EAC database breach was the result of SQL Injection (SQLi), an attack that is technically easy, but expensive to defend.

    That's such an obvious mistake that I refuse to read the rest. I doubt the veracity of the rest of the story if someone puts out this kind of misinformation.
    Reply