Since spring of 2014, Rutgers has been targeted by a hacker or group of hackers in a series of distributed denial of service (DDoS) attacks. A DDoS attack uses a network of compromised computers called a botnet to access the targeted site simultaneously. The increase in traffic overwhelms the targeted network and causes it to slow down or crash. The attacks have affected on-campus internet access and email, knocked the university’s class registration system and website offline and crippled online systems students used to turn in assignments. But is this all the work of the same hacker or group?
Hacker Claims Responsibility
There were at least four separate DDoS attacks targeting various parts of the university’s network over the course of the 2014 school year. While it’s not clear if all of the events are related, one hacker calling themselves Exfocus has claimed responsibility for many of the attacks. There is no evidence to link Exfocus and the attacks, but they have sent messages to the school newspaper predicting attacks that did occur.
Exfocus claims to control a botnet consisting of over 80,000 computers and says that someone is paying them $500 an hour in Bitcoin to attack the university. While most of the DDoS traffic was traced to machines in China and Ukraine, Exfocus claims they are a local resident controlling computers located overseas. They have not given a specific reason behind the attacks, but have taunted Rutgers IT administration and ridiculed their cybersecurity protection in posts on Reddit, Twitter and other anonymous social media sites.
Rutgers University has been criticized for lax cybersecurity in the past. After a March 2015 attack, the New Brunswick Today newspaper ran a story on the university’s network weaknesses. The story cited a server test web page run by Qualys SSL Labs that gave the Rutgers.edu domain a “B” rating and noted many security flaws. The flaws include weak signatures, outdated protocols and weak ciphers.
There is no indication the hacker has breached the Rutgers network or stolen data, but it can be very difficult to detect intrusion in networks that are not set up for monitoring. It is possible Exfocus or other hackers could have access to the Rutgers network and have so far remained undetected.
Cyber Security Protection for the Future
After an attack in October 2014, Rutgers Vice President Bruce Fehn announced the university would spend $300,000 on outside cyber security firms. They eventually hired three separate cyber security companies to comb their vast network for vulnerabilities. One of the firms also received $160,000 for specialized filters that protect against DDoS attacks. Rutgers expects to spend up to $3 million to upgrade their cyber security this year, and cited the expense as one of the reasons for a 2.3% tuition hike for the 2015 school year.
One thing is certain: neither Rutgers University nor the firms they hired can afford to relax as the 2015 school year gets underway. Exfocus bragged they would get paid extra if Rutgers were to hire a DDoS protection service.