Rasputin Hacker Attack on Government Agencies and Universities

Background

In February of 2017, the magazine Computer World published the following article:

A “Russian-speaking and notorious financially-motivated” hacker known as Rasputin has been at it again, hacking into universities and government agencies this time, before attempting to sell the stolen data on the dark web.

According to the security company Recorded Future, which has been tracking the cybercriminal’s breaches, Rasputin’s most recent victims include 63 “prominent universities and federal, state, and local U.S. government agencies.” The security firm has been following Rasputin’s activity since late 2016 when the hacker reportedly breached the U.S. Electoral Assistance Commission and then sold EAC access credentials.

Recorded Future claims that Rasputin’s victims are “intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).”

All of the hacked agencies and universities have been notified about the breaches by Recorded Future. There were 16 U.S. state government victims, 6 U.S. cities and four federal agencies. Additionally, there were two “other” .gov sites which included Fermi National Accelerator Laboratory, “America’s premier particle physics lab,” and the Child Welfare Information Gateway, which is “a service of the Children’s Bureau, Administration for Children and Families, U.S. Department of Health and Human Services.”

They printed a list of those that were attacked and breached:

I filed FOIA requests to the various agencies attacked, and will archive the responsive records below.

Document Archive

Postal Regulatory Commission

 Documents Released March 31, 2017 [124 Pages, 26.7MB] – It appears that although reported to have been hit by the attack, internal documents show they were clean and there were no signs of an intrusion.

 

Follow The Black Vault on Social Media: