Cyber Incident Victim: Rutgers University

Date: Sep 2015

Location: United States of America

Summary

A hacker known as Exfocus repeatedly targeted Rutgers University with DDoS attacks, disrupting internet access, credit card transactions, and online learning platforms. The institution invested $3 million in network hardware upgrades, DDoS mitigation services, and a new internet provider following previous incidents, reportedly contributing to a tuition increase. Despite these measures, subsequent attacks successfully overwhelmed the upgraded infrastructure, causing widespread outages. The attacker claimed to operate a botnet exceeding 85,000 machines, generating attacks of around 25 Gbps, and disclosed being paid in Bitcoin by a client who offered additional compensation if the university contracted a mitigation provider.

Description

Between late March and early May 2015, Rutgers University experienced a series of distributed denial-of-service (DDoS) attacks attributed to a hacker using the alias Exfocus. These attacks targeted the university's IT infrastructure, causing intermittent disruptions that escalated into a sustained five-day outage from late April to early May. During this period, the university's internet access was completely disabled, preventing students from using credit cards on campus and accessing critical learning management systems such as Sakai and Ecollege. The attacker later revealed in an interview with Dimitry Apollonsky that a client had commissioned the attacks, compensating Exfocus in Bitcoin for his services. Exfocus operated a botnet exceeding 85,000 machines, enabling attacks reaching approximately 25 gigabits per second (Gbps). While this attack volume was modest compared to contemporary DDoS campaigns exceeding 100 Gbps, it proved sufficient to overwhelm Rutgers' network defenses. The disruptions prompted the university to allocate $3 million during the summer of 2015 for infrastructure upgrades, with some reports linking this expenditure to a 2.3% increase in student tuition.

Despite implementing these security enhancements—including new network hardware, DDoS mitigation services, web server optimizations, and a switch to internet service providers offering improved DDoS deterrence—Rutgers suffered another successful attack in September 2015. The university's IT department publicly acknowledged the upgrades via its website and Facebook page, emphasizing the expanded defensive measures. Exfocus, however, indicated in the same Apollonsky interview that he anticipated Rutgers' adoption of mitigation services, stating he would receive additional payment if such measures were enacted. The September attack again disrupted internet and WiFi access across the university, demonstrating the persistence of the threat. No technical details were disclosed regarding the failure of the new defenses, but the incident underscored the operational and financial consequences, including the multi-million-dollar investment and potential tuition impact directly referenced in institutional reports.
