Penn State University recently disconnected the computer network for the College of Engineering from the Internet in response to what it described as “two sophisticated cyberattacks conducted by so-called ‘advanced persistent threat’ actors.”
“Contingency plans are in place to allow engineering faculty, staff and students to continue as much of their work as possible while significant steps are taken to upgrade affected computer hardware and fortify the network against future attacks,” the university said in a statement. “The outage is expected to last for several days, and the effects of the recovery will largely be limited to the College of Engineering.”
On November 21, 2014, according to the university, the FBI alerted Penn State to a cyber attack on the College of Engineering network. The university then hired Mandiant to investigate the attack, and uncovered two previously undetected threat actors on the College’s network, at least one of which came from China. The earliest known date of intrusion was September 2012.
“In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” Penn State president Eric J. Barron wrote in a letter to faculty, staff and students. “Any abnormal action by individual users could have induced additional unwelcome activity, potentially making the situation even worse.”
“This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat,” Barron added.
The attackers compromised several College of Engineering user names and passwords, and used some of those credentials to access the network. All College of Engineering passwords have been reset in response.
University officials are also notifying approximately 18,000 people whose Social Security numbers and other personal information were found in files stored on compromised machines at the College of Engineering. While there’s no evidence at this point that the data was accessed by the attackers, all those affected are being offered one free year of access to credit monitoring services.
The university’s Office of the Vice President for Research is also notifying about 500 public and private research partners whose data was found on affected computers.
“At Penn State our information security protocols and practices help us to turn back millions of malicious computer attacks against the University every day,” Penn State vice provost for information technology Kevin Morooney said in a statement. “However, in this case we are dealing with the highest level of sophistication. Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure.”
“In light of increasingly hostile and coordinated threats against large organizations around the world, we are launching a comprehensive review of all related IT security practices and procedures at Penn State,” Morooney added.
Since it’s rare for cyber espionage campaigns to target only one institution, Tripwire senior security analyst Ken Westin said the Penn State breach should serve as an urgent wake-up call for other colleges and universities. “Given that the group was targeting engineering departments it’s pretty clear that the attackers were looking for intellectual property,” he said.
“Many times there is deep collaboration between higher education and private industry to commercialize research, and this combined with the fact that higher education generally lacks the resources to develop a strong security posture makes them a high value target for sophisticated attackers,” Westin added.