Penn State University President Eric J. Barron announced Friday that the university disconnected its networks from the public Internet after sustaining an intrusion into the College of Engineering that had lasted longer than two years. It will be a matter of days before Penn State brings its networks back online.
Penn State became aware of the attack, which is believed to have been ongoing since at least September 2012, after the FBI alerted the school in November 2014. The FBI warned of “a cyberattack of unknown origin and scope” perpetrated by “an outside entity” targeting the engineering school.
The university hired the network forensics and incident response firm Mandiant, whose network analysis revealed the presence of two advanced threat actors within the networks of Penn State’s engineering college. The groups deployed custom malware to maintain a persistent, unseen presence on the engineering school’s network. At least one of those threat actors, Penn State has announced, is believed to be of Chinese origin.
Despite achieving more than two years of undetected network access, Penn State claims the attackers did not steal any proprietary or sensitive research information, nor did attackers steal any personally identifiable information — such as credit cards and Social Security numbers — from students, faculty or staff. That claim is undercut by the school’s admission that it is notifying 18,000 individuals that there was a file containing their Social Security numbers in plain text on an affected machine.
In fact, Penn State insists that attackers stole only network access credentials from the school of engineering. Attackers used some of these credentials to access the school’s networks. Engineering college faculty, staff and students are being required to change passwords, and anyone who wishes to access school resources via VPN will need to set up two-factor authentication.
Penn State, which waited seven months to disclose the attack, did not specify how the attackers compromised the engineering department’s systems in any statements.
Threatpost reached out to the university, but it did not respond to a request for comment before publication.
“In order to protect the college’s network infrastructure as well as research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” the school explained in a FAQ. “Any abnormal activity by individual users may have induced additional unwelcome activity, potentially making the situation even worse.”
The university estimates that it has spent roughly $2.85 million responding to the attacks. Some $450,000 was paid to external experts, while the remaining $2.4 million was spent replacing infected hardware.