Penn State has been targeted in a cybersecurity attack that could have compromised the information of as many as 18,000 individuals and 500 organizations.
In an interview with the Centre Daily Times on Friday, the university confirmed “two highly sophisticated cyber attacks” that targeted the College of Engineering’s computer system.
According to Provost Nick Jones, Penn State was made aware of the attacks Nov. 21, 2014, when the FBI alerted the university about an “outside entity attack.”
That precipitated an investigation, both internal with university personnel and experts, and external, with outside firms like Mandiant, tracing the intrusion. “Two previously undetected” attacks were revealed, the earliest having been in September 2012.
In a press conference later, officials clarified that the two intrusions actually constitute months of access. In one case, the system was open to an outside actor from September 2012 to noon Friday. In the other, a second actor had access from July 2014 until Friday.
“Over the months since we were notified, we have invested tens of thousands of person hours in both investigating and preparing for mediation,” Jones said. “We have invested several million dollars already just in responding to this incident and remediation. I anticipate we will have to invest more. We are a big university and we will have to learn and make the whole university more secure.”
The announcement comes as the university is addressing the problem, taking the computer system off of the Internet and addressing in a “large-scale effort,” a move they say could not be done until it was specifically coordinated.
Why? Mandiant’s Nick Bennett says it was to keep the intruders in the dark until the last minute, rather than plugging one hole, tipping them that the access had been detected and sending them off to find another unknown entry.
And who are those intruders?
“Based on our intelligence, we believe they are based in China,” Bennett said. When asked if that meant the Chinese government or individuals within China, he said they did not have that level of “granularity.” However, Bennett said that actor has been known to target intellectual property in the aerospace and defense industries.
The identify of the second actor is unknown.
Penn State is the recipient of millions of dollars in federal grant projects annually. The university has had four consecutive years topping $800 million in research across all of its programs and has recently touted that continued success despite economic downturns as a sign of confidence in the quality of research.
Jones said he does not think the attack jeopardizes the university’s reputation in those areas moving forward.
“We have contractual obligations relative to notifying entities in the event of a breach. We believe we have fully met those contractual obligations,” he said. “Most in this community understand that these are the threats that we are all facing, otherwise companies like Mandiant wouldn’t exist. I believe we will be successful in convincing our sponsors that we are taking all necessary steps and measures.”
A chunk of that goes to research being performed at the Applied Research Lab, a University Center for Excellence that addresses naval science, systems engineering and technologies. Although early information had suggested it was ARL, which was awarded a 10-year, $835 million defense contract in 2012, that was targeted, the university was adamant that was not the case.
“We did not uncover any evidence of lateral movement from the College of Engineering to ARL,” said Bennett, who said the two are separated by “network-based controls.”
At noon Thursday, College of Engineering Web pages were all offline. ARL’s was still active.
Bennett said the data targeted were user names and passwords, and there is “no direct evidence of any other data theft.”
However, the 18,000 individuals affected are being referred to SecurePennState.psu.edu. President Eric Barron also issued a letter to the Penn State community on the issue.
“In several days, our College of Engineering will emerge from this unprecedented attack with a stouter security posture, and faculty, staff and students in the college will need to learn to work under new and stricter computer security protocols,” he wrote.
“This is a global problem and State College is not immune from it,” said cybersecurity expert Scott Johnson of Trailblazer International in State College and former deputy assistant director of the U.S. Secret Service.
“This is a problem that exists across a large variety of institutions. It’s not an isolated incident. It’s part of a pattern of many different breaches,” he said.
The university still stands by the idea that, despite the breach, its security is top-notch in reference to its servers, data and 200,000 or so computers.
“Our strong information security protocols repel 22 million hostile probes every day,” Jones said, adding that the new age of cyber attacks “requires even great vigilance.”