In February 2017, a private threat intelligence firm alerted more than 60 organizations – institutions of higher education and governmental entities – that their internal databases had been breached by a Russian-speaking cybercriminal. The alleged cyberattacker (nicknamed “Rasputin”) has been the suspected culprit in several high-profile incidents, most notably, the recently reported hack and subsequent database sale of the U.S. Election Assistance Commission in November 2016. In this latest series of attacks, Rasputin is not directly selling data stolen from these systems; instead, he is offering to sell access to the systems that have been exploited. That access would allow his purchasers to access and exploit information they find through the malware that he has installed.
Cybersecurity firm Recorded Future noted in its blog post that its researchers became aware of the attack on certain governmental entities in December 2016. Specifically, the firm reported evidence of unauthorized access to databases; Recorded Future did not locate any actual publication or sharing of private data from these databases.
Working with law enforcement officials, the firm discovered additional targets in the field of higher education – more than 30 universities across the U.S. and U.K. Recorded Future notified all affected entities of the potential threats through the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
For SQL injection (SQLi) to be successful, the attacker must exploit a software security vulnerability: an application that builds database queries from user-supplied input without properly separating the input from the query itself. Upon a successful injection, the attacker can bypass the application’s authentication and authorization mechanisms and can retrieve, add, modify or delete any records in the affected database. The attacker can also impersonate specific users of the database. Data breaches caused by SQLi can provide attackers with unauthorized access to sensitive data including PII, personal health information (PHI), trade secrets, intellectual property and other sensitive information. An attacker could also use this unauthorized access to delete academic data or alter account balances. The most troubling aspect of this method is its relative ease of implementation – even an unsophisticated cyberattacker can launch a successful SQLi attack after using commonly available tools to locate systems that have current SQLi vulnerabilities.
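To make the authentication-bypass mechanism concrete, here is an added illustration (not code from Recorded Future or from any of the affected institutions) of a login check that concatenates user input into its SQL next to the same check written with bound parameters. The table contents and the test input are constructed placeholders; the parameterized form is the standard mitigation the "best practices" referred to below rely on.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with placeholder credentials; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("registrar", "placeholder-pass-1", "admin"),
         ("student1", "placeholder-pass-2", "student")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Builds the statement by string concatenation, so characters in the
    # input (such as a single quote) are interpreted as SQL syntax.
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    # Bound parameters: the driver sends the values separately from the
    # statement text, so a quote in the input is just a character to compare.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    conn = make_db()
    # Constructed test input: closes the string literal and appends an
    # always-true condition, the textbook shape of an injected password.
    crafted = "' OR '1'='1"
    return {
        # The concatenated query matches every row; the first row comes back,
        # i.e. the caller is "logged in" as the admin without any password.
        "vulnerable": login_vulnerable(conn, "registrar", crafted),
        # The same input, bound as a value, matches nothing.
        "parameterized": login_parameterized(conn, "registrar", crafted),
        # A correct credential still works through the parameterized path.
        "legit": login_parameterized(conn, "student1", "placeholder-pass-2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Logging the rejected input from the parameterized path (rather than the raw query text) also gives a detection team a clean signal for attempts like this.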
Despite these risks, institutions that implement cybersecurity best practices can minimize or eliminate the threat of the most common SQLi attacks. As the threat of cybersecurity breaches continues to grow, institutions should continue to assess the broad range of consequences they could face as a result of a data breach: legal liability, regulatory compliance requirements, and the risk to intellectual property and to the institution’s reputation. As Rasputin and other financially motivated actors will continue to exploit any area of weakness, colleges and universities, like other organizations, should remain vigilant against such threats and proactively assess their cybersecurity practices.