Russian-speaking hacker 'Rasputin' broke into dozens of university databases


A Russian-speaking hacker has compromised and is now offering access to databases that belong to numerous U.S. universities and federal, state and local government agencies, according to new research published Wednesday by cyberthreat intelligence firm Recorded Future.

Over the last several months the hacker — dubbed Rasputin by cybersecurity experts — had breached a total of 60 prominent universities and federal, state and local U.S. government agencies, according to a Recorded Future blog post.

“The scale and breadth of this [incident] was kind of amazing. We were shocked by the sheer volume of unauthorized access that this particular hacker was able to accomplish in essentially less than a two month period,” Recorded Future Vice President Levi Gundert told EdScoop’s sister publication CyberScoop.

Recorded Future said it identified the following U.S. universities as victims of the breach, and had notified them:

  • Cornell University
  • Virginia Tech
  • University of Maryland, Baltimore County
  • University of Pittsburgh
  • New York University
  • Rice University
  • University of California, Los Angeles
  • Eden Theological Seminary
  • Arizona State University
  • NC State University
  • Purdue University
  • Atlantic Cape Community College
  • University of the Cumberlands
  • Oregon College of Oriental Medicine
  • University of Delhi
  • Humboldt State University
  • The University of North Carolina at Greensboro
  • University of Mount Olive
  • Michigan State University
  • Rochester Institute of Technology
  • University of Tennessee
  • St. Cloud State University
  • University of Arizona
  • University at Buffalo
  • University of Washington

Nine UK universities, including Cambridge and Oxford, had also been breached.

Rasputin, researchers say, relies on a custom-made internet scanning tool to find websites that carry SQL injection (SQLi) vulnerabilities, which let the hacker remotely inject his own commands into the site's back-end database.

“SQL injection has been around since databases first appeared on the internet. When a user is allowed to interact directly with a database, through an application in a web browser, without checking or sanitizing the input before the database executes the instruction(s), a SQL injection vulnerability exists,” Gundert explained in the blog post.

“North American and Western European databases contain information on customers or users that are historically valued at a premium in the underground economy. Buyer demand typically centers on access to American, Canadian, or UK database access,” he said.

The intelligence firm said the U.S. Department of Housing and Urban Development, the Health Resources and Services Administration and the National Oceanic and Atmospheric Administration had also been identified as victims of the breach.

Read more at CyberScoop.

Wyatt Kash contributed to this report.