Penn State's network disabled in response to sophisticated cyberattack
Plans in place to allow teaching, research in the college to continue as University moves to recover
The Penn State College of Engineering has been the target of two sophisticated cyberattacks conducted by so-called “advanced persistent threat” actors, University officials have announced. The FireEye cybersecurity forensic unit Mandiant, which was hired by Penn State after the breach was discovered, has confirmed that at least one of the two attacks was carried out by a threat actor based in China, using advanced malware to attack systems in the college.
In a coordinated and deliberate response by Penn State, the College of Engineering’s computer network has been disconnected from the Internet and a large-scale operation to securely recover all systems is underway. Contingency plans are in place to allow engineering faculty, staff and students to continue as much of their work as possible while significant steps are taken to upgrade affected computer hardware and fortify the network against future attack. The outage is expected to last for several days, and the effects of the recovery will largely be limited to the College of Engineering.
To learn more about the incident, including information for affected faculty, staff and students, visit http://SecurePennState.psu.edu/.
What has happened?
On Nov. 21, 2014, Penn State was alerted by the FBI to a cyberattack of unknown origin and scope on the College of Engineering network by an outside entity. As soon as the University became aware of the alleged attack, security experts from Penn State began working to identify the nature of the possible attack and to take appropriate action, including the enlistment of third-party experts, chief among them Mandiant. An intensive investigation has taken place across the College of Engineering computer network since that time.
As soon as the FBI alert was received, University leadership reached out selectively to key administrators, academic leaders and IT professionals in the College of Engineering and a full-scale investigation of the college’s network began. College IT professionals also have taken steps to preserve critical data.
“In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” said Nicholas P. Jones, executive vice president and provost at Penn State. “Any abnormal action by individual users could have induced additional unwelcome activity, potentially making the situation even worse.”
The investigation revealed the presence of two previously undetected, sophisticated threat actors on the college’s network. Mandiant has confirmed that at least one of the two attacks came from a threat actor based in China, which used advanced malware to attack systems in the college. The investigation has revealed that the earliest known date of intrusion is September 2012.
“Penn State should be commended for acting quickly to address these breaches, immediately launching a comprehensive internal investigation into the FBI’s report and retaining leading third-party computer forensic experts to assist in the investigation,” said Nick Bennett, Mandiant senior manager, professional services. “Advanced cyber attacks like this -- sophisticated, difficult to detect and often linked to international threat actors -- are ‘the new normal.’ No company or organization is immune -- the world’s leading banks, energy companies, retailers and educational institutions have all been and will be targets.”
“This was an advanced attack against our College of Engineering by very sophisticated threat actors,” said Penn State President Eric Barron in a letter to the Penn State community. “This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat.”
“As we have seen in the news over the past two years, well-funded and highly skilled cybercriminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property.
“In several days, our College of Engineering will emerge from this unprecedented attack with a stouter security posture, and engineering faculty, staff and students will need to learn to work under new and stricter computer security protocols. In the coming months, significant changes in IT security policy will be rolled out across the University, and all of us as Penn Staters will need to change the way we operate in the face of these new and significant challenges. This new threat must be faced head-on, not just by Penn State but by every large university, business and government the world over. This is a new era in the digital age, one that will require even greater vigilance from everyone.”
There is no evidence to suggest that research data or personally identifiable information (such as Social Security or credit card numbers) have been stolen; however, investigators do have direct evidence that a number of College of Engineering-issued usernames and passwords have been compromised. Investigators have found that only a small number of these accounts have been used by the attackers to access the network. As a precaution and beginning immediately, all College of Engineering faculty and staff at University Park, as well as students at all Penn State campuses who recently have taken at least one engineering course, will be required to choose new passwords for their Penn State access accounts.
In addition, while the network is in recovery over the coming days, faculty and staff in the college will have limited access to their College of Engineering email (any email address ending with “@engr.psu.edu”), and other network-based services may be unavailable. University-wide services, such as ESSIC, UCS, eLion and Angel, and Webmail for students, will continue to be available to those in the college via the campus-wide PSU wireless network.