Top Hong Kong universities caught up in major hack attack on more than 100 global institutions
A number of major educational institutions in Hong Kong were allegedly affected by a major hack attack encompassing more than 100 universities and government agencies worldwide.
According to a document published by hacking group GhostShell, thousands of user accounts were compromised in the wide ranging attack. Speaking to the South China Morning Post via Twitter, where they initially publicised the attack, the hacking group said organisations were targeted as "they were part of the top one million most active websites on the net".
Hong Kong Polytechnic University, the Chinese University of Hong Kong, HKU Space, and the Hong Kong College of Technology were all named in the document, which was posted to text file sharing website Pastebin.
Leung Siu-cheong, a senior consultant with the Hong Kong Computer Emergency Response Team Coordination Centre, said that around half the websites affected by the hack were in education or academia. HKCERT found that "some usernames and ID numbers, emails or phone numbers were exposed".
"They exposed some user information, maybe from students," Leung said. "There is no financial implication at the moment."
He said the main reason for the hackers' public document dump was "to show their capability. Maybe they want to follow up with some other things, maybe to make their profile higher or to inform their capability." The data posted by GhostShell was accompanied by a manifesto of sorts, titled "Dark Hacktivism".
Leung warned that universities and other educational institutions needed to take information security more seriously, "particularly websites that hold databases with user information".
"There are many many systems exposed to the internet, such as universities stat have many departments and many research areas. They need to have a good stock take of all these websites and have a good protection for the websites," he said.
A spokeswoman for PolyU said the university "is aware of the incident and is currently looking into the case". She said there were security measures in place to prevent attacks and enhance protection.
CUHK also said it was aware of the attack, adding that actions had been taken, including "the removal of the defaced webpage and shutting down of the server" affected. A spokeswoman said that only public information was involved and "no personal data [was] at risk".
HKU Space and HKCT did not respond to repeated requests for comment.
According to a report by security firm Symantec, analyses of the data showed that it included "emails, user names, addresses, telephone numbers, Skype names, dates of birth, and other personally identifiable information."
Other institutions in Hong Kong were targeted, GhostShell said, but "some of them had slow connections so retrieving the data was close to impossible". Asked about the difficulty of the attack, the hackers said "[the institutions] were easy to breach since the systems were outdated".
GhostShell first came to prominence in 2012, when the group attacked a large number of databases belonging to financial, political, educational and governmental organisations, including Interpol and companies working for the US department of defence.
Experts said the current hack followed the same pattern as the 2012 attacks. "It is likely that the group compromised the databases by way of SQL injection attacks and poorly configured PHP scripts," Symantec said.
SQL injection is a technique by which malicious code is inserted into a database so that a command can be executed, enabling attackers to, for example, export all information stored in the database to their own servers.
In its Pastebin manifesto, GhostShell described how targets were chosen and others discarded. For example, mainland Chinese sites were mainly ignored as the "predominant" use of a Chinese character set made brute force attacks on servers difficult. The group was also complimentary of Taiwan's defences, saying that the island "has been installing firewalls and so far its protection is solid".
When it came to educational institutions however, the group was scathing in its criticism of their defences. "Edu websites are by far the most vulnerable type of networks on the internet. Time and time again whether they get breached and publicly exposed, they all still seem to preserve that level of vulnerability no matter what."