Cyber Incident Victim: Rutgers University
Date: Dec 2015
Location: United States of America
Summary
Rutgers University experienced six DDoS attacks within a year, including a four-day disruption targeting its Sakai learning portal during a break, minimizing student impact. Despite a $3 million investment in cybersecurity measures following earlier incidents, mitigation efforts failed during subsequent attacks. The first five attacks were claimed by a hacker using a botnet generating medium-scale traffic, while the sixth remained unclaimed, prompting law enforcement involvement.
Description
Rutgers University experienced a distributed denial-of-service (DDoS) attack from December 24 to December 28, 2015, marking its sixth such incident that year. The attack targeted sakai.rutgers.edu, the university’s Sakai portal—a Java-based, open-source learning management system used for academic course delivery. Information technology staff restored all services after four days of disruption, though the attack occurred during the university’s scheduled Christmas break, which ran from December 24 to January 5, minimizing direct impact on student activities. No individual or group claimed responsibility for this attack, contrasting with the first five incidents earlier in the year, where a hacker using the alias Exfocus publicly admitted involvement. Exfocus had previously disclosed being hired via an underground forum to execute the DDoS campaigns and received Bitcoin payments for these services. The December attack’s traffic volume and technical characteristics were not disclosed, though Exfocus had earlier described controlling an 85,000-device botnet capable of generating medium-scale DDoS attacks averaging 25 gigabits per second.

The March and May 2015 attacks prompted Rutgers to allocate $3 million in August 2015 for cybersecurity enhancements, including contracts with three external firms to fortify its online infrastructure. Despite this investment, the university’s DDoS mitigation provider failed to prevent service disruptions during both the September and December attacks, with the longest outage of the year, five days, occurring earlier in 2015. All six attacks followed a consistent pattern of overwhelming university systems with malicious traffic, though forensic details about the traffic sources or any data compromise remained undisclosed. Rutgers consistently notified law enforcement agencies following each incident, though no public updates regarding investigations or attribution were provided in the immediate aftermath of the December attack. The repeated attacks highlighted persistent weaknesses in the university’s network defenses despite targeted financial and operational countermeasures.
