The Indiana Department of Education was hacked this week for the second time, remaining shut down for most of the day.
The first attack saw users claiming to be part of the Nigerian Cyber Army taking over the system. This time, a longer, taunting message was left behind, leading the DOE to believe it was a case of mistaken identity.
“This morning, the Indiana Department of Education’s website was hacked due to an apparent Drupal vulnerability. However, there is no sign that any data hosted on the website was compromised. The Department’s Information Technology staff has taken the website down temporarily while this issue is addressed. It is currently anticipated that the website will be down at least through the rest of the day.”
When the system was initially hacked, the attackers targeted a flaw in Drupal, the CMS platform used by the DOE to manage web content, including images, text and video. Doing so enabled the hackers to inject SQL queries, or rogue database commands, and possibly take control of the host. A single graffiti-like tag was left behind as a sign that they were there and had successfully completed their mission.
After this happened, the DOE took its website offline for several hours, assuming the IT department would patch the site so that this could not happen in the future.
However, the Cyber Army returned and defaced the website once again. Instead of their single tag, they left behind a longer message:
“…Security is just an Illusion. Suprised (sic) we are here agaian (sic)? The last time this site was down no patch was done and our message is help us educate the entire Indian script kiddies who call themselves hackers to quit the Nigerian cyber space. Expect us…”
The DOE once again took the website offline. When it was back online, it appeared to be running the latest version of Drupal.
It is believed that the entry point of the attack was a form on the Staff directory page. That record has since been removed from the website.
The mention of “Indian script kiddies” has left some wondering if it was not the state of Indiana that was meant to be targeted, but the Indian government.
Typically, the Nigerian Cyber Army seeks out websites that can be easily exploited and quickly identified through scanners and targeted Google searches. It is possible that the group was scanning for vulnerable Drupal installations by filtering results by domain. To receive results pertaining to the Indian government, the domain gov.in would be used. However, if in.gov was used in its place, the results would be sites maintained by Indiana, not India.
No data has been compromised as a result of the attack, according to a DOE spokesman. However, the fact that it happened shows how possible it is to compromise data without leaving a trace.
There were 959,000 websites reportedly using Drupal 7.x on Monday. Only 286,000 were running 7.32. It is unclear how many applied the necessary security patch, leaving many sites vulnerable and waiting to be compromised.