Recorded Future revealed that 60 universities and government agencies were targeted by a Russian-speaking hacker dubbed Rasputin. The security company said Rasputin used SQL injection, a common vulnerability found in many popular websites, in a likely bid to steal personal information.
Recorded Future previously identified Rasputin as the hacker selling access to a U.S. Election Assistance Commission (EAC) database in December 2016. Rasputin has now gone after Cornell University, New York University, and other prominent colleges in the United States and UK; U.S. cities and states; and federal agencies such as the U.S. Department of Housing and Urban Development and National Oceanic and Atmospheric Administration.
Here's how Recorded Future connected the dots between these victims:
The EAC database breach was the result of SQL Injection (SQLi), an attack that is technically easy, but expensive to defend. Recorded Future continues to monitor Rasputin’s campaigns, which are now sequentially targeting specific industry verticals. These are intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).
SQLi attacks have "been around since databases first appeared on the internet," Recorded Future said, but they're also "simple to prevent through coding best practices." The problem is that many groups--from tech companies like Yahoo and LinkedIn to the universities and government organizations implicated in this report--don't bother to defend against these attacks. This is the digital equivalent to leaving a door unlocked at night.
So how will this problem be solved? Recorded Future has a few ideas:
An opt-in program for partial corporate tax abatement could be a starting point. Program participation should require quarterly code audits by an approved vendor. Robust governance, risk, and compliance (GRC) programs (e.g., financial services companies) already mandate periodic code reviews, but all verticals need some type of incentive regardless of specific industry regulations. Unfortunately, government fines and/or loss from lawsuits may be the only incentives to prioritize code audits.
The problem echoes the many security vulnerabilities found in Internet of Things (IoT) devices. Manufacturers know how to keep these devices safe, or at least mitigate their risk of being compromised, yet they fail to do so because they lack any financial incentive. People will keep buying IoT products just like they'll keep trusting personal information to sites vulnerable to SQLi attacks. Government regulations might be a potential fix to that problem.
Recorded Future didn't reveal what kind of information might have been compromised by the attacks on these universities and government organizations, but given the amount of personal data these institutions hold, chances are good that Rasputin, whose hacks Recorded Future said are financially motivated, got whatever they were looking for.