Penn State Cyberattack Exposes 18,000 People's Data

Two highly sophisticated cyberattacks targeted the College of Engineering’s computer system, the first dating back to September 2012.

(TNS) -- UNIVERSITY PARK, Pa. — Penn State University has been targeted in a cybersecurity attack that could have compromised the information of as many as 18,000 individuals and 500 organizations.

In an interview with McClatchy Newspapers on Friday, the university confirmed “two highly sophisticated cyberattacks” that targeted the College of Engineering’s computer system.

According to Provost Nick Jones, Penn State was made aware of the attacks Nov. 21, 2014, when the FBI alerted the university about an “outside entity attack.”

That precipitated an investigation, both internal with university personnel and experts, and external, with outside firms like Mandiant, tracing the intrusion. “Two previously undetected” attacks were revealed, the earliest having been in September 2012.

In a news conference later, officials clarified that the two intrusions actually constitute months of access. In one case, the system was open to an outside actor from September 2012 to noon Friday. In the other, a second actor had access from July 2014 until Friday.

“Over the months since we were notified, we have invested tens of thousands of person hours in both investigating and preparing for mediation,” Jones said. “We have invested several million dollars already just in responding to this incident and remediation. I anticipate we will have to invest more. We are a big university and we will have to learn and make the whole university more secure.”

Who are the intruders?

“Based on our intelligence, we believe they are based in China,” said Mandiant’s Nick Bennett. When asked if that meant the Chinese government or individuals within China, he said they did not have that level of “granularity.” However, Bennett said that actor has been known to target intellectual property in the aerospace and defense industries.

The identity of the second actor is unknown.

Penn State is the recipient of millions of dollars in federal grant projects annually. The university has had four consecutive years topping $800 million in research across all of its programs and has recently touted that continued success despite economic downturns as a sign of confidence in the quality of research.

Jones said he does not think the attack jeopardizes the university’s reputation in those areas moving forward.

“We have contractual obligations relative to notifying entities in the event of a breach. We believe we have fully met those contractual obligations,” he said. “Most in this community understand that these are the threats that we are all facing, otherwise companies like Mandiant wouldn’t exist. I believe we will be successful in convincing our sponsors that we are taking all necessary steps and measures.”

A chunk of that goes to research being performed at the Applied Research Lab, a University Center for Excellence that addresses naval science, systems engineering and technologies.

Bennett said the data targeted were user names and passwords, and there is “no direct evidence of any other data theft.”

However, the 18,000 individuals affected are being referred to SecurePennState.psu.edu. President Eric Barron also issued a letter to the Penn State community on the issue.

“In several days, our College of Engineering will emerge from this unprecedented attack with a stouter security posture, and faculty, staff and students in the college will need to learn to work under new and stricter computer security protocols,” he wrote.

“This is a global problem and State College is not immune from it,” said cybersecurity expert Scott Johnson of Trailblazer International in State College, Pa., and former deputy assistant director of the U.S. Secret Service.

Bennett agreed.

“This is a problem that exists across a large variety of institutions. It’s not an isolated incident. It’s part of a pattern of many different breaches,” he said.

The university still stands by the idea that, despite the breach, its security is top-notch in reference to its servers, data and 200,000 or so computers.

“Our strong information security protocols repel 22 million hostile probes every day,” Jones said, adding that the new age of cyberattacks “requires even great vigilance.”

(Shawn Annarelli contributed to this report.)

©2015 Centre Daily Times (State College, Pa.). Distributed by Tribune Content Agency, LLC.