Foreign Government-Sponsored Hackers Breached ILR School in 2014 to Exact 'Revenge' Against U.S.
By Nicholas Bogel-Burroughs

When two Cornell network administrators began a routine investigation into why a University website had rebooted, they had no idea they would be handing their passwords over to a hacking group sponsored by a foreign government possibly seeking "revenge" against the United States.

But the hackers had rebooted the website as a trap, and as the administrators entered their passwords to investigate the reboot in May of 2014, hackers recorded their keystrokes with malware surreptitiously installed on the website.

With the administrators' credentials, state-sponsored hackers remained undetected for months in the School of Industrial and Labor Relations, accessing scores of administrator passwords, compromising dozens of computers, peeking into at least one staff calendar and leaving backdoors to maintain their presence in what was the largest ever state-sponsored cyber attack on the University, according to senior information technology administrators at Cornell.

State-sponsored hackers breached the security of Cornell's Industrial and Labor Relations School in 2014, administrators have confirmed.

The hackers, who IT administrators believe were bankrolled by a foreign government, used custom malware to avoid detection and extended their reach throughout the college in what is known as an advanced persistent threat.

"Like a squirrel putting away a bunch of nuts for the winter, they were saving this to do something with it," Rob Bandler, deputy director of IT security at Cornell, said of the hackers. "They want to camp out, they want to watch, they want a jumping off point where they can try to do things from inside the perimeter, which is generally easier."

Hackers used SQL injection, a method in which attacker-supplied database instructions are entered into a website's data field and executed by the site's database, to maliciously gain control of at least one website maintained by the Cornell Yang-Tan Institute -- then the Employment Disability Institute -- and reboot the server, drawing in network administrators.
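The following is an added illustration, not code from the article or from Cornell's systems, of the weakness the paragraph describes: a login check that pastes user input straight into a SQL statement, beside the same check written with a parameterized query. The table, account name and password are constructed for the example; the point is that the second form treats whatever arrives in the data field as data rather than as instructions.

```python
import sqlite3


def build_db():
    """Create an in-memory database with one constructed admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    # Constructed sample row; real systems should store a password hash, not plaintext.
    conn.execute("INSERT INTO admins VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """VULNERABLE: the form fields become part of the SQL text itself.

    A quote character in either field ends the string literal early, so the
    remainder of the input is parsed as SQL and changes the meaning of the
    WHERE clause.
    """
    query = (
        "SELECT COUNT(*) FROM admins "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """HARDENED: placeholders keep the SQL fixed; inputs are bound as values.

    The database driver never re-parses the bound values as SQL, so a quote
    in the input is compared literally against the stored column.
    """
    query = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks against a normal login and a malformed data field."""
    conn = build_db()
    # Constructed input: a quote followed by an always-true condition.
    malformed = "' OR '1'='1"
    return {
        "unsafe_valid": login_unsafe(conn, "alice", "correct-horse"),
        "unsafe_malformed": login_unsafe(conn, "alice", malformed),
        "safe_valid": login_safe(conn, "alice", "correct-horse"),
        "safe_malformed": login_safe(conn, "alice", malformed),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

In the unsafe version the malformed field turns the WHERE clause into `... AND password = '' OR '1'='1'`, which is true for every row, so the check passes without the real password; the parameterized version compares the same string literally and rejects it. Web application firewalls and database query logs that flag unexpected quote characters or always-true predicates are a useful second layer, but parameterized queries (or an ORM that generates them) remove the class of bug rather than detecting individual attempts.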

A graphical rendering of SQL injection.

After recording the administrators' keystrokes, hackers used those credentials to access an application IT staffers use to store passwords, according to a senior IT official who, like others interviewed for this article, spoke on the condition of anonymity because he was not permitted by the University to discuss details of the hack.

IT staff use the application, Password Manager Pro, to store not personal passwords, but administrative passwords that allow them to access servers, workstations and digital signage like that shown in the ILR conference center.

Using passwords stored in the application, the hackers broke into more IT assets in the ILR school and monitored an IT administrator's work calendar to determine when he was out of the office, so they could expand the breach without being discovered.

"Hackers used the IT admin's credentials to look at his calendar, see when he has a dentist appointment or is out on vacation," the senior IT official said. "By accessing the IT administrator's calendar, they could identify times to continue their progress attacking things within the college when they felt that, because of reduced staff availability, IT would be less attentive and less likely to discover the activities of the attackers."

Unbeknownst to Cornell, the hackers poked around the ILR school for about four months until late one afternoon in October 2014, when eight Internet Protocol addresses -- numbers identifying hardware connected to a network -- in the ILR school began acting strangely, tipping off IT security that something was wrong.

After an initial investigation determined that the hackers had infested a sizable portion of the ILR school's network, IT staff contacted a third-party firm to contain the attack, expel the hackers and analyze the intrusion.

Forensics from the data-breach response company showed that although the hack was serious, it was limited to the ILR school; valuable targets like credit-card processing software and a directory service that stores important information about users were not penetrated. The company also concluded that no data was extracted by the hackers, according to Bandler and two other IT administrators.

By analyzing the hackers' custom malware, looking at the language and syntax of their code and sharing information with other universities and victims of similar hacks, Cornell was able to determine which foreign government was behind the hack, Bandler said, although he and others declined to identify the country.

"We understand the goals of the hack and I'm not going to discuss them, but the nature of them was more of a revenge against the United States in particular, not against ILR or Cornell," Bandler said.

The same group of hackers "also found web vulnerabilities in other places around the United States that we found out later," he continued. "That's what they're paid to do -- go find places where [they] can leverage something [their] government wants."