Map of hacked targets
Geographical distribution of Rasputin's recent targets (Recorded Future)

A financially-motivated, Russian-speaking hacker known as Rasputin, has breached and stolen data from universities in the US and the UK, and federal, state, and local US government agencies.

In total, the hacker has breached over 60 prominent targets, according to threat intelligence company Recorded Future, who's been keeping track of Rasputin's actions since last December, when the hacker broke into the servers of the US Election Assistance Commission (EAC) and then proceeded to sell access to hijacked accounts.

According to recent intel, all the recent hacks have been carried out using SQL injection (SQLi) attacks, one of the oldest known security flaws known today.

Rasputin created his own SQLi scanner

Recorded Future analysts say that Rasputin developed his own SQL injection scanner, which he used to find weak points and then take over vulnerable targets.

Rasputin's personal scanner is somewhat of a novelty today, since most hackers opt to use one of the many freely available SQLi scanners, such as Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap, SQLSentinel, SQLninja, and Havij.

Rasputin intentionally targeted these organizations, as there was a high chance they'd be running outdated systems, but storing troves of personal data. The hacker is now selling access to these databases on the criminal underground.

Below is a list of allegedly hacked targets, according to Recorded Future:

U.S. University Victims

  • Cornell University
  • VirginiaTech
  • University of Maryland, Baltimore County
  • University of Pittsburgh
  • New York University
  • Rice University
  • University of California, Los Angeles
  • Eden Theological Seminary
  • Arizona State University
  • NC State University
  • Purdue University
  • Atlantic Cape Community College
  • University of the Cumberlands
  • Oregon College of Oriental Medicine
  • University of Delhi
  • Humboldt State University
  • The University of North Carolina at Greensboro
  • University of Mount Olive
  • Michigan State University
  • Rochester Institute of Technology
  • University of Tennessee
  • St. Cloud State University
  • University of Arizona
  • University at Buffalo
  • University of Washington

UK University Victims

  • University of Cambridge
  • University of Oxford
  • Architectural Association School of Architecture
  • University of Chester
  • University of Leeds
  • Coleg Gwent
  • University of Glasgow
  • University of the Highlands and Islands
  • University of the West of England
  • The University of Edinburgh

U.S. Government Victims (Cities)

  • City of Springfield, Massachusetts
  • City of Pittsburgh, Pennsylvania
  • Town of Newtown, Connecticut
  • City of Alexandria, Virginia
  • City of Camden, Arkansas
  • City of Sturgis, Michigan

U.S. Government Victims (States)

  • Texas Board of Veterinary Medical Examiners
  • Oklahoma State Department of Education
  • The South Carolina Public Employee Benefit Authority
  • Rhode Island Department of Education
  • District Columbia Office of Contracting and Procurement
  • District Columbia Office of the Chief Financial Officer
  • Alaska Department of Natural Resources
  • County of Santa Rosa, Florida
  • York County, Pennsylvania
  • Virginia Department of Environmental Quality
  • State of Oklahoma
  • Alaska Division of Retirement and Benefits
  • Louisiana Department of Education
  • Madison County, Alabama
  • Washington State Arts Commission
  • West Virginia Department of Environmental Protection

Federal Agencies

  • Postal Regulatory Commission
  • U.S. Department of Housing and Urban Development
  • Health Resources and Services Administration
  • National Oceanic and Atmospheric Administration

Other

  • Fermi National Accelerator Laboratory
  • Child Welfare Information Gateway