UNIVERSITY PARK, Pa. – The Penn State College of Engineering has been the target of two sophisticated cyberattacks conducted by so-called “advanced persistent threat” actors, University officials announced today. The FireEye cybersecurity forensic unit Mandiant, which was hired by Penn State after the breach was discovered, has confirmed that at least one of the two attacks was carried out by a threat actor based in China, using advanced malware to attack systems in the college.
In a coordinated and deliberate response by Penn State, the College of Engineering’s computer network has been disconnected from the Internet and a large-scale operation to securely recover all systems is underway. Contingency plans are in place to allow engineering faculty, staff and students to continue in as much of their work as possible while significant steps are taken to upgrade affected computer hardware and fortify the network against future attack. The outage is expected to last for several days, and the effects of the recovery will largely be limited to the College of Engineering.
To learn more about the incident, including information for affected faculty, staff and students, visit http://SecurePennState.psu.edu/.
What has happened?
On Nov. 21, 2014, Penn State was alerted by the FBI to a cyberattack of unknown origin and scope on the College of Engineering network by an outside entity. As soon as the University became aware of the alleged attack, security experts from Penn State began working immediately to identify the nature of the possible attack and to take appropriate action, including the enlistment of third-party experts, chief among them Mandiant. An intensive investigation has taken place across the College of Engineering computer network since that time.
As soon as the FBI alert was received, University leadership reached out selectively to key administrators, academic leaders and IT professionals in the College of Engineering and a full-scale investigation of the college’s network began. College IT professionals also have taken steps to preserve critical data.
“In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” said Nicholas P. Jones, executive vice president and provost at Penn State. “Any abnormal action by individual users could have induced additional unwelcome activity, potentially making the situation even worse.”
The investigation revealed the presence of two previously undetected, sophisticated threat actors on the college’s network. Mandiant has confirmed that at least one of the two attacks came from a threat actor based in China, which used advanced malware to attack systems in the college. The investigation has revealed that the earliest known date of intrusion is September 2012.
“Penn State should be commended for acting quickly to address these breaches, immediately launching a comprehensive internal investigation into the FBI’s report and retaining leading third-party computer forensic experts to assist in the investigation,” said Nick Bennett, Mandiant senior manager, professional services. “Advanced cyber attacks like this -- sophisticated, difficult to detect and often linked to international threat actors -- are ‘the new normal.’ No company or organization is immune -- the world’s leading banks, energy companies, retailers and educational institutions have all been and will be targets.”
“This was an advanced attack against our College of Engineering by very sophisticated threat actors,” said Penn State President Eric Barron in a letter to the Penn State community. “This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat.”
“As we have seen in the news over the past two years, well-funded and highly skilled cybercriminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property.
“In several days, our College of Engineering will emerge from this unprecedented attack with a stouter security posture, and engineering faculty, staff and students will need to learn to work under new and stricter computer security protocols. In the coming months, significant changes in IT security policy will be rolled out across the University, and all of us as Penn Staters will need to change the way we operate in the face of these new and significant challenges. This new threat must be faced head-on, not just by Penn State but by every large university, business and government the world over. This is a new era in the digital age, one that will require even greater vigilance from everyone.”
There is no evidence to suggest that research data or personally identifiable information (such as Social Security or credit card numbers) have been stolen, however, investigators do have direct evidence that a number of College of Engineering-issued usernames and passwords have been compromised. While investigators have found that only a small number of these accounts have been used by the attackers to access the network, as a precaution and beginning immediately, all College of Engineering faculty and staff at University Park, as well as students at all Penn State campuses who recently have taken at least one engineering course, will be required to choose new passwords for their Penn State access accounts.
Engineering faculty and staff also will need to choose new passwords for their college-issued access accounts, and faculty and staff who wish to access college resources remotely via a VPN connection will be required to sign up for two-factor authentication.
Password reset instructions and more information will be emailed directly to all affected individuals, and also is available at http://SecurePennState.psu.edu/.
In addition, while the network is in recovery over the coming days, faculty and staff in the college will have limited access to their College of Engineering email (any email address ending with “@engr.psu.edu”), and other network-based services may be unavailable. University-wide services, such as ESSIC, UCS, eLion and Angel, and Webmail for students, will continue to be available to those in the college via the campus-wide PSU wireless network.
FACULTY, STAFF and STUDENTS IN ENGINEERING: Click here to learn about the steps you need to take, and the services that will be available to you, during the recovery period.
College faculty, staff and students are urged to visit http://SecurePennState.psu.edu/ to learn more about steps they need to take during the recovery period. Regular updates will be shared at this address.
In conjunction with the conclusion of the internal investigation, University officials are now in the process of notifying about 18,000 individuals whose personally identifiable information (primarily Social Security numbers) was discovered in files that were stored on several affected machines in the College of Engineering. Though there is no evidence that this information was stolen by the perpetrators, out of an abundance of caution, Penn State has offered one year of free credit monitoring to all who have been affected.
Penn State’s Office of the Vice President for Research is also notifying about about 500 public and private research partners who have executed contracts with College of Engineering faculty since September 2012, the earliest known date of compromise. While there is no evidence to suggest that any research data were compromised during this time, Penn State is nevertheless proactively notifying all research partners who have recently contracted with the college.
Challenging global cybersecurity environment
Across the country and around the world, large organizations (including corporations, governments and others) are under constant threat of cyberattack. In fact, on an average day last year, Penn State alone repelled more than 22 million overtly hostile cyberattacks from around the world. Though the College of Engineering was the specific target of these attacks, Penn State Vice Provost for Information Technology Kevin Morooney stressed that the same information security and intrusion detection practices that are followed in the college are followed across the University and by many of its peers nationwide.
“At Penn State, our information security protocols and practices help us to turn back millions of malicious computer attacks against the University every day. However, in this case we are dealing with the highest level of sophistication. Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure,” Morooney said.
“In light of increasingly hostile and coordinated threats against large organizations around the world, we are launching a comprehensive review of all related IT security practices and procedures at Penn State,” Morooney said. “As this review continues, we will keep in mind our intrinsic need as a university to be an open environment for learning and collaboration, while at the same time acknowledging the need to further strengthen our security posture to marginalize cybercrime.”
As the first step in this process, University administrators also have accelerated plans to implement an enhanced login protocol known as two-factor authentication. The College of Engineering will immediately join administrative areas that have access to core University infrastructure or mission-critical online services as early adopters. Later this year, this security feature will be rolled out University-wide.
What can faculty, staff and students do?
Faculty, staff and students in the College of Engineering are encouraged to visit http://SecurePennState.psu.edu/ for the latest information about steps they will need to take as the college recovers from the attack.
This website also includes general information for all members of the Penn State community, including steps that all can take to protect their critical information, above and beyond the protections that already are in place.