Sqrrl Blog

Nov 17, 2015 10:39:00 AM

Cyber Incident Matrix: Penn State

Complexity Score: 4
Severity Score: 2
How did we get these numbers?

Incident Summary

  • What was breachedPennsylvania State University's School of Engineering

  • Delivery: September 2012

  • The Attackers: Offshore entities, at least one located in China


In November of 2014, the FBI alerted Penn State administrators that they had suffered a breach by a foreign entity. After several weeks of forensic analysis, it was determined that key machines inside the Penn State School of Engineering had been breached, containing the usernames and passwords of 18,000 university faculty, staff, and students. Several of the breached machines also contained PII, but there is no evidence to suggest that this information has been used maliciously.

Sqrrl_Cyber_Incident_Matrix_3-1 OPM Breach IRS Breach Anthem Breach ATM hacks Kaspersky hack Insider Trading hacks Ashley Madison Breach Penn State

Complexity Score:

Plan Time

Indirect Attack

Cyber/Human Coordinated















According to university administrators, hackers used "advanced malware" that exploited network vulnerabilities to penetrate the Penn's IT infrastructure (+1 Advanced TTPs). Penn's School of Engineering was likely targeted to gain access to Penn's Applied Research Laboratory (ARL), one of 14 research instutitions that work primarily for the Pentagon. While the ARL is a separate entity, the ARL and School of Engineering frequently collaborate on Pentagon funded projects. The earliest known date of intrusion was also found to be September of 2012, meaning the attackers had access to the system for over 2 years before they were discovered (+2 Time Undetected).

Given the strategic targeting of Penn, it's likely there was some length of plan time before the attack was initiated (+1 Plan Time). Of the 18,000 user credentials breached, only a handful were used to attempt to move laterally through the system with limited success. Thankfully, network controls prevented lateral movement into the ARL's network.

Severity Score:

Incident Costs

Physical Damage

Lives Lost

Nat. Sec. Impact







While 18,000 accounts at Penn were accessed, there is no evidence that any PII was exfiltrated or that the data associated with the School of Engineering's 500+ research partners was accessed. Fiscally, the breach has had a limited affect on Penn. Despite the lack of evidence that PII was exfiltrated maliciously, Penn is offering one year of free credit monitoring to those 18,000 affected, which brings the cost of remediation just under one million dollars. This cost is in addition to the many systems will have to be changed and investigated for further compromise (+2 Incident Costs).

However, in order to limit the blast radius of the attack, major portions of Penn's IT infrastructure were taken down for a span of days after the discovery of the attack, freezing faculty and students access to basic resources like their university email, university wifi, and documents/sites hosted on the university's network.

Download the eBook


Topics: Malware, Data Breach, Cyber Incident Matrix