A Russian-speaking hacker has compromised and is now offering access to databases that belong to numerous U.S. universities and federal, state and local government agencies, according to new research published Wednesday by cyber threat intelligence firm Recorded Future.
Over the last several months the hacker — dubbed Rasputin by cybersecurity experts — had breached multiple government agencies, according to Recorded Future, including the U.S. Department of Housing and Urban Development, the Health Resources and Services Administration and the National Oceanic and Atmospheric Administration.
Recorded Future is aware of more than 60 victims who have been compromised by Rasputin, who is described by the firm as a “notorious financially-motivated cyber criminal.”
“The scale and breadth of this [incident] was kind of amazing. We were shocked by the sheer volume of unauthorized access that this particular hacker was able to accomplish in essentially less than a two month period,” Recorded Future Vice President Levi Gundert told CyberScoop.
The same actor is believed to have sold access to and hacked into the U.S. Election Assistance Commission. In similar fashion to recent postings, Rasputin also attempted to sell EAC database access credentials last year on a dark web marketplace. Rasputin is selling access to the databases but is apparently not exploiting the databases themselves.
“North American and Western European databases contain information on customers or users that are historically valued at a premium in the underground economy. Buyer demand typically centers on access to American, Canadian, or UK database access,” a blog post written by the intelligence firm reads.
Rasputin, researchers say, relies on a custom-made internet scanning tool to find websites that carry SQLi injection vulnerabilities — which allows the hacker to remotely inject code into the property to authorize commands.
“SQLi vulnerabilities are simple to prevent through coding best practices,” Gundert wrote. “The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization.”
Evidence of Rasputin’s hacking tools, techniques and actives, collected by Recorded Future, have since been turned over to law enforcement.
Some of the most high-profile data breaches in recent years originally began with a simple SQL Injection attack, including incidents at HBGary Federal, Yahoo and LinkedIn. These attacks take advantage of poorly programmed web applications and third-party software, giving hackers an easy access point to do further harm.
Update (2/16/17): In an emailed statement to CyberScoop, a HUD spokesperson said “HUD finds no evidence to support the suggestion that the Department’s IT systems were compromised. However, out of an abundance of caution, HUD is conducting a top-to-bottom security review to make certain its network remains secure.”