


Senior Staff Writer

Penn State disables network after attack, says China is to blame

May 15, 2015 | 3 mins
Advanced Persistent Threats, Cybercrime, Disaster Recovery

The college went to FireEye for help; company says actors in China were to blame

The Penn State College of Engineering took its network offline on Friday, after being targeted by what the school is calling two “sophisticated” cyber attacks. The university engaged FireEye to help with incident response, and the company in turn stated that actors in China were responsible.

The school says that plans are in place to allow teaching and research to continue while recovery efforts and investigations take place.

In a statement, the school explained further:

“In a coordinated and deliberate response by Penn State, the College of Engineering’s computer network has been disconnected from the Internet and a large-scale operation to securely recover all systems is underway. Contingency plans are in place to allow engineering faculty, staff and students to continue in as much of their work as possible while significant steps are taken to upgrade affected computer hardware and fortify the network against future attack. The outage is expected to last for several days, and the effects of the recovery will largely be limited to the College of Engineering.”

Last November, university officials explained, the school was contacted by the FBI and alerted to an attack of “unknown origin and scope” on the College of Engineering network. Shortly after the FBI alerted the school to the problems, they contacted Mandiant in order to hire FireEye to help with internal investigations.

“The investigation revealed the presence of two previously undetected, sophisticated threat actors on the college’s network. Mandiant has confirmed that at least one of the two attacks came from a threat actor based in China, which used advanced malware to attack systems in the college. The investigation has revealed that the earliest known date of intrusion is September 2012,” the school’s statement continued.

The investigation so far has turned up nothing to suggest that PII (e.g. Social Security Numbers) or financial data was compromised. However, there has been evidence that a number of usernames and passwords issued by the College of Engineering were compromised during the attack.

Yet, just to play it safe, 18,000 individuals will be offered one year of free credit monitoring – as their information was discovered on compromised systems.

“This should be a wake up call to other colleges and universities; it is rare for only one institution to be targeted by an active cyber espionage campaign,” commented Ken Westin, senior security analyst for Tripwire.

“Given that the group was targeting engineering departments it’s pretty clear that the attackers were looking for intellectual property. Many times there is deep collaboration between higher education and private industry to commercialize research, and this combined with the fact that higher education generally lacks the resources to develop a strong security posture makes them a high value target for sophisticated attackers.”