SFSU Possibly Struck By Bitcoin Mining Hacker

As reported by the San Francisco Examiner, in 2014, ethical hacker Bryan Seely was investigating a liability in Oracle software used by government entities when he came across a similar issue at San Francisco State University (SFSU). Per the deposition given by Seely earlier this month, a fatal server flaw made confidential student information potentially accessible to hackers.

“This discovery and this vulnerability show that the entire system could be compromised by somebody who had the ability, or didn’t care about the ethics of it or going to jail,” said Seely.

At the time, he notified K. Mignon Hoffman, an information security officer at SFSU, of his findings.

Bob Moulton was SFSU’s then-Interim Chief Information Officer. “The Oracle vulnerability we have been working on has gotten worse,” a concerned Moulton wrote in a September 2014 email. “Unauthorized code has been installed on five servers.”

While investigating Seely’s claims, Hoffman found evidence suggesting that Russian hackers gained access to a university server via a Remote Access Trojan (RAT). Hoffman claims to have traced the RAT to a Russian IP address. In a November 2014 correspondence with SFSU president Leslie Wong, Hoffman wrote, “We identified a tunnel going back to Russia (yes, sounds like a movie, and we are in it…).”

“We don’t yet know how developed the code is nor its objective,” Hoffman added.

On January 14, 2015, Hoffman was fired by the university. Hoffman is now embroiled in a whistleblower retaliation lawsuit against the university.

In a forensic investigation incident analysis report dated February 20, 2015, the Business and Technology Resource Group (BTRG) confirmed the existence of the RAT and discovered bitcoin mining software among the malware files.

Although the relevant file names were redacted, BTRG wrote, “The introduction of these specific files would result in the capability of using the processing power and network connectivity to use for a distributed Bitcoin ‘mining’ network.”

In plain terms, the hacker(s) wanted to harness the university network for bitcoin mining.

“Further BTRG also found malicious Linux executable programs (malware) that were attributed to Bitcoin mining. Besides those, BTRG also found files present in the Images that resembled a form of Internet Relay Chat (IRC) ‘backdoor’ Perl bot that means its code was written in the Perl language that allows someone to intrude into a compromised host if they know the backdoor.

“This means the server APPS02’s file system and network usage integrity was affected and the server’s purpose was being misused during the time the malware was present on the server.”

As long as a cryptocurrency requires proof-of-work mining, hashing power will remain in high demand. The greater one’s hashing power, the greater one’s chances of mining the next block. It’s easy to imagine that a university’s computing network could provide a significant boon to one’s hashing power.

The question is: Did the hacker(s) compromise any other universities’ networks? When ETHNews posed this query to Bryan Seely, he answered in no uncertain terms.

“Absolutely, they would’ve gone after a bunch of other places and they’re probably on a yacht by now.”

Seely also noted the massive financial incentive for SFSU to not disclose a breach of its student data. In a recent case, Washington State University (WSU) had to send letters to one million people whose personal information was compromised by a theft. WSU also offered victims a year-long subscription to a credit monitoring and identity theft protection service. That doesn’t come cheap but, fortunately, WSU has cybersecurity insurance.

For what it’s worth, SFSU denies Seely’s allegation. “The university investigated the incident and retained outside experts who also thoroughly examined the situation,” said spokesperson Elizabeth Smith in a statement Wednesday. “No breach of data was found and no student or employee information was compromised.”

The case of K. Mignon Hoffman v. The Board of Trustees of California State University et al continues in San Francisco’s Superior Court (Case Number: CGC16549831).