Massive cyberattack by Chinese government hackers on Penn State College of Engineering

The investigation revealed the presence of two previously undetected, sophisticated threat actors on the college’s network. Mandiant has confirmed that at least one of the two attacks came from a threat actor based in China, which used advanced malware to attack systems in the college. The investigation has revealed that the earliest known date of intrusion is September 2012.

“Penn State should be commended for acting quickly to address these breaches, immediately launching a comprehensive internal investigation into the FBI’s report and retaining leading third-party computer forensic experts to assist in the investigation,” said Nick Bennett, Mandiant senior manager, professional services. “Advanced cyberattacks like this — sophisticated, difficult to detect and often linked to international threat actors — are ‘the new normal.’ No company or organization is immune — the world’s leading banks, energy companies, retailers and educational institutions have all been and will be targets.”

“This was an advanced attack against our College of Engineering by very sophisticated threat actors,” said Penn State president Eric Barron in a letter to the Penn State community. “This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat.”

“As we have seen in the news over the past two years, well-funded and highly skilled cybercriminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property.

“In several days, our College of Engineering will emerge from this unprecedented attack with a stouter security posture, and engineering faculty, staff and students will need to learn to work under new and stricter computer security protocols. In the coming months, significant changes in IT security policy will be rolled out across the University, and all of us as Penn Staters will need to change the way we operate in the face of these new and significant challenges. This new threat must be faced head-on, not just by Penn State but by every large university, business and government the world over. This is a new era in the digital age, one that will require even greater vigilance from everyone.”

There is no evidence to suggest that research data or personally identifiable information (such as Social Security or credit card numbers) have been stolen; however, investigators do have direct evidence that a number of College of Engineering-issued usernames and passwords have been compromised. While investigators have found that only a small number of these accounts have been used by the attackers to access the network, as a precaution and beginning immediately, all College of Engineering faculty and staff at University Park, as well as students at all Penn State campuses who recently have taken at least one engineering course, will be required to choose new passwords for their Penn State access accounts.

Penn State notes that engineering faculty and staff also will need to choose new passwords for their college-issued access accounts, and faculty and staff who wish to access college resources remotely via a VPN connection will be required to sign up for two-factor authentication.

Password reset instructions and more information will be emailed directly to all affected individuals, and are also available at http://SecurePennState.psu.edu/.

In addition, while the network is in recovery over the coming days, faculty and staff in the college will have limited access to their College of Engineering email (any email address ending with “@engr.psu.edu”), and other network-based services may be unavailable.

University-wide services, such as ESSIC, UCS, eLion and Angel, and Webmail for students, will continue to be available to those in the college via the campus-wide PSU wireless network.

College faculty, staff, and students are urged to visit http://SecurePennState.psu.edu/ to learn about the steps they need to take, and the services that will be available to them, during the recovery period. Regular updates will be shared at this address.

In conjunction with the conclusion of the internal investigation, University officials are now in the process of notifying about 18,000 individuals whose personally identifiable information (primarily Social Security numbers) was discovered in files that were stored on several affected machines in the College of Engineering. Though there is no evidence that this information was stolen by the perpetrators, out of an abundance of caution, Penn State has offered one year of free credit monitoring to all who have been affected.

Penn State’s Office of the Vice President for Research is also notifying about 500 public and private research partners who have executed contracts with College of Engineering faculty since September 2012, the earliest known date of compromise. While there is no evidence to suggest that any research data were compromised during this time, Penn State is nevertheless proactively notifying all research partners who have recently contracted with the college.

Challenging global cybersecurity environment
The release notes that across the country and around the world, large organizations (including corporations, governments and others) are under constant threat of cyberattack. In fact, on an average day last year, Penn State alone repelled more than twenty-two million overtly hostile cyberattacks from around the world. Though the College of Engineering was the specific target of these attacks, Penn State Vice Provost for Information Technology Kevin Morooney stressed that the same information security and intrusion detection practices that are followed in the college are followed across the University and by many of its peers nationwide.

“At Penn State, our information security protocols and practices help us to turn back millions of malicious computer attacks against the University every day. However, in this case we are dealing with the highest level of sophistication. Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure,” Morooney said.

“In light of increasingly hostile and coordinated threats against large organizations around the world, we are launching a comprehensive review of all related IT security practices and procedures at Penn State,” Morooney said. “As this review continues, we will keep in mind our intrinsic need as a university to be an open environment for learning and collaboration, while at the same time acknowledging the need to further strengthen our security posture to marginalize cybercrime.”

As the first step in this process, University administrators say they also have accelerated plans to implement an enhanced login protocol known as two-factor authentication. The College of Engineering will immediately join administrative areas that have access to core University infrastructure or mission-critical online services as early adopters. Later this year, this security feature will be rolled out University-wide.

What can faculty, staff and students do?
Faculty, staff, and students in the College of Engineering are encouraged to visit http://SecurePennState.psu.edu/ for the latest information about steps they will need to take as the college recovers from the attack.

This Web site also includes general information for all members of the Penn State community, including steps that all can take to protect their critical information, above and beyond the protections that already are in place.