Team GhostShell hacktivists against temples of knowledge

Pierluigi Paganini October 07, 2012

In recent days the hacking group Team GhostShell claimed credit for hacking servers of 100 of the principal universities around the world, including Stanford, Princeton, Harvard, the University of Michigan and the Italian University of Rome. The hackers named the campaign #ProjectWestWind.

The group accessed the universities' databases, stealing hundreds of thousands of records; in a recent post on Pastebin the group released about 120,000 records from the breached servers.

The name Team GhostShell is not new: the hackers are very active, and last summer they conducted a campaign named Project HellFire, a massive data leak alleged to top a million records.

On that occasion Team GhostShell, along with two other associate groups, successfully attacked hundreds of websites. The victims of Project HellFire were very heterogeneous: financial, law enforcement and political organizations and private businesses.

The group, which recently claimed credit for several major hacking incidents, in July penetrated ITWallStreet.com, a recruiting website for IT professionals who are searching for Wall Street financial jobs or working with Wall Street firms, and exposed valuable information belonging to tens of thousands of job applicants.

Why did the hackers choose universities for the latest wave of attacks?

The group wants to demonstrate the “failing educational standards around the world” in the university system.

“We have set out to raise awareness towards the changes made in today’s education, how new laws imposed by politicians affect us, our economy and overall, our way of life. How far we have ventured from learning valuable skills that would normally help us be prepared in life, to just, simply memorizing large chunks of text in exchange for good grades. How our very own traditions are heard less and less, losing touch with who we truly are. Slowly casting the identities, that our ancestors fought to protect, into exile.” – TGS

 As a wise man once said: “Those who cannot remember the past are condemned to repeat it.”

What is surprising is the large scale of the attack, which demonstrated the lack of defenses in what could be considered the “temples of knowledge”, which have been found vulnerable to attack. In some cases the hackers breached multiple servers at the same university, a very unfortunate circumstance that must raise many questions about the approach of these institutions to security.

The message posted on Pastebin states:

“We tried to keep the leaked information to a minimum, so just around 120,000+ accounts and records are here, leaving in their servers hundreds of thousands more,”

“When we got there, we found out that a lot of them have malware injected. No surprise there since some have credit card information stored,”

According to the official communication from Stanford University, two departmental websites had been breached but no restricted or sensitive data was exposed.

Other universities provided similar comments on the event; according to their statements, nothing important happened. The University of Michigan spokesman said:

“However there was no sensitive data or passwords accessed,” he said in emailed comments. “What they gained access to was data that is generally available to the public on our website.”

The blog Identity Finder provided an interesting analysis of the leaked data, highlighting that the hackers did not just publish the stolen information but spent a long time analyzing and aggregating it.

Behind these operations there is probably also a long study of the targets and a specific strategy, contrary to what people wrongly believe.

The attacks represent a large breach of SQL database information obtained from various subdomains belonging to more than 50 top U.S. and international universities.

Some interesting figures on the data breach follow:

  1. 36,623 Unique Email Addresses
  2. 1 Bank Account Number
  3. No credit card information
  4. No social security numbers
  5. Tens of Thousands of student, faculty, and staff names
  6. Thousands of Usernames, Hashed and Plain-Text Passwords
  7. Thousands of Addresses and Phone Numbers
  8. Several Dates of Birth, Citizenship, Ethnicity, Marital Status, and Gender Information
  9. Payroll Information, Employee IDs
  10. Database Schema Information

“Based upon a casual sampling of time stamps in the data set, it appears that the hackers spent at least four months aggregating the information prior to release,” explained Aaron Titus, Chief Privacy Officer for Identity Finder. “Although the hackers claim to have posted 120,000 accounts, Identity Finder could only confirm around 40,000 accounts exposed. 40,000 accounts is still a large number, and it is possible that the hackers had access to far more.”

The leaked data includes more user credentials and information; the situation is aggravated by the fact that many passwords were available in plain text.

What lessons should we learn from these events?

  1. First, never underestimate cyber threats, especially the operations of hacktivist groups, which are too often wrongly considered modest and without serious consequences.
  2. Universities and many other institutions, including hospitals and research centers, are now run in a disorganized way. Very often each department has its own computer facilities and there is no central coordination. The result is that each of these departments could be used as a starting point for attacks on central structures; it is like having a bunker with too many windows left open and unattended, whose very existence is sometimes ignored.
  3. A last consideration relates to the cost of security at many universities, which, at least in the most prestigious institutes, is far from negligible. An attack, even on peripheral departments, cannot be underestimated, and the responsibility is the same as for an attack on the central systems.
  4. Consider also that this information may be used in various ways to infiltrate these structures in the months to come, and that universities and their students are sometimes involved in projects of national interest... do you think this should be left unattended?
Pierluigi Paganini
