
Why did Exfocus Take Down Rutgers? An Interview & Analysis


Since Friday, March 27th, Rutgers students have been experiencing intermittent service interruptions. Students have been unable to access Rutgers-related websites, including Sakai, Ecollege and others.

In the meantime, a mysterious figure who goes by the handle Exfocus (or @ogexfocus) has popped up on Twitter and the /r/Rutgers subreddit, claiming credit for the interruptions and for the resulting inaccessibility of services for much of the Rutgers community.

His first post to Reddit consisted of a cryptic interface showing the bandwidth output of his “botnet” (an army of compromised computers that do their master’s bidding).

The interface to exfocus’s botnet

In this case the botnet was directed to flood traffic toward Rutgers servers.

He subsequently taunted the /r/rutgers community and even started a Twitter account which is still active at the time of writing.

Exfocus tweeted, correctly predicting the time of an attack.

Rutgers remained mum about the issue until 3:30 PM on Sunday, when it sent out an email acknowledging that there was a targeted DDoS (Distributed Denial of Service) attack on its systems.

Gentlepeople,

The Rutgers Office of Information Technology (OIT) has been working around the clock to resolve service interruptions caused by a Distributed Denial of Service (DDOS) that began Friday afternoon, Mar 27.

OIT has not detected any instances of a breach of confidential information and continues to monitor closely for any such occurrence.

While we work to resolve this matter, some services will be unavailable or only work intermittently. Currently, Sakai and CAS (authentication) are available on campus but not off campus.

Normal service will be restored as quickly as possible.

I reached out to Exfocus to try to find out the purpose and motivation behind his attacks on the Rutgers community.

Here is an abridged and cleaned-up version of our conversation with this shadowy figure.

How much are you getting paid?

$500 an hour.

Are you for real? Why would you do an interview with us if you’re getting paid?

Normally I don’t show myself, but the entity paying me has something against the school. They want me to “make a splash”.

Have you compromised any servers? To what extent?

In Rutgers itself? No. I have hundreds of exploited servers though. I’m connecting through a proxied one right now in fact.

On your Twitter account, you posted some very private information, including Social Security numbers and addresses. Where did those come from?

The SSN dump was from a school in Texas. Not from Rutgers. I haven’t been DDoSing anything for a while now, I stopped three hours ago.

Why can’t students access Sakai right now, if you’re not DDoSing it?

Your internet is down because RU is probably scared about overages with their transit provider. Whenever I do a DDoS, all Rutgers websites that are still public-facing (like rutgers.edu) go offline because their network port with Zayo is saturated.

What are your plans for the future in terms of DDoSing and attacking the Rutgers cyber infrastructure?

When I stop getting paid, I’ll stop DDoSing lol. I’m hoping that RU will sign on some DDoS mitigation provider. I get paid extra if that happens.

At some point you said you were at the Livingston student center, outside of Sbarro. In this interview you said that you aren’t affiliated directly with Rutgers; did you lie then?

Yes

Why do you have a Twitter account where you publicly broadcast patronizing messages? Are you worried that this increases the risk of things getting back to you?

Public Twitter is at the client’s request. The client hates the school for whatever reason. They told me to say generic things like that I hate the bus system and etc.

How’re you being paid?

Bitcoin

Can you link your bitcoin wallet to verify that this is at the request of a client?

No.

You’ve been attacking through a botnet right? How many infected computers are under your control?

I started off with 170k, currently sitting at 85k.

Have you ever attacked RU before?

During freshman registration the client requested it also; he didn’t want any publicity then, though.

Any proof that you work for someone?

No.

Can we get a cropped screenshot of the bots in your botnet? No identifying info – just want to verify that you’re the one in control of them.

Sure.

Any last messages you want to communicate to the students at RU?

I’m a fan of Taylor Swift.

Much remains to be said about whether Exfocus is telling the whole truth.

However, there does seem to be evidence pointing to him being the one who took down the Rutgers network. On multiple occasions he has correctly predicted both the start time and the duration of an attack. This suggests that he is either responsible himself or in contact with those who are.

We found this post on hackforums.net where an individual going by the handle exfocus.hf offers to DDoS targets using a botnet that is 80,000 zombies strong (roughly the number he claimed in my interview with him).

Do you think someone hired Exfocus to DDoS Rutgers? Is he just a frustrated Rutgers student? Is he a total fake?

Let me know in the comments below.

Edit 1: There have been other reports on the Rutgers outage that attribute the attack to hackers in China and Ukraine. That is not what the evidence shows: the nature of a botnet is that many infected computers from all over the world are used to send fake traffic to the target’s servers, so the source addresses of that traffic tell you where the bots are, not where the operator is.

The hacker is not from Ukraine or China, although many of the computers he has infected are.
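To make the point concrete, here is a small triage script over a flow log of the kind an operator would pull from a border router during an attack like this. It is an added example written for this page, not code from the original post, from Exfocus, or from Rutgers OIT. The flow records are constructed (RFC 5737 documentation addresses, with a made-up country column standing in for a GeoIP lookup), and the 1 Gbit/s transit link capacity is an assumption. It shows two things from the discussion above: a flood that is spread across many sources, none of which dominates, is a botnet rather than a single attacker, and the source countries describe the bots, not the operator; and once the aggregate rate exceeds the upstream link, every public-facing site behind that link is unreachable from off campus regardless of which host was targeted, which matches OIT’s note that Sakai and CAS still worked on campus.

```python
"""Triage of a flow log during a suspected volumetric DDoS.

Added example, not from the original post or from Rutgers OIT.
Flow lines are constructed; addresses are RFC 5737 ranges; the
country column stands in for a GeoIP lookup; link capacity is assumed.
"""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src country dst dport packets nbytes")

# Constructed sample: one second of traffic toward a campus web host.
# Columns: ts src country dst dport packets bytes
SAMPLE_FLOWS = """\
# ten bots, each ~100 Mbit/s, plus two legitimate off-campus users
1427490000 203.0.113.10 CN 198.51.100.5 443 9000 12500000
1427490000 203.0.113.11 CN 198.51.100.5 443 9100 12500000
1427490000 203.0.113.12 CN 198.51.100.5 443 8900 12500000
1427490000 203.0.113.13 UA 198.51.100.5 443 9000 12500000
1427490000 203.0.113.14 UA 198.51.100.5 443 9000 12500000
1427490000 203.0.113.15 US 198.51.100.5 443 9000 12500000
1427490000 203.0.113.16 US 198.51.100.5 443 9000 12500000
1427490000 203.0.113.17 BR 198.51.100.5 443 9000 12500000
1427490000 203.0.113.18 DE 198.51.100.5 443 9000 12500000
1427490000 203.0.113.19 IN 198.51.100.5 443 9000 12500000
1427490000 192.0.2.8 US 198.51.100.5 443 20 20000
1427490000 192.0.2.9 US 198.51.100.9 80 5 5000
"""

# Constructed contrast case: one host doing all the flooding.
SINGLE_SOURCE_FLOWS = """\
1427490000 203.0.113.50 CN 198.51.100.5 443 70000 100000000
1427490000 192.0.2.8 US 198.51.100.5 443 20 20000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow lines, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, country, dst, dport, packets, nbytes = line.split()
        flows.append(Flow(int(ts), src, country, dst, int(dport),
                          int(packets), int(nbytes)))
    return flows


def bytes_by_source(flows, victim):
    """Bytes sent to the victim, keyed by source address."""
    per_src = Counter()
    for f in flows:
        if f.dst == victim:
            per_src[f.src] += f.nbytes
    return per_src


def sources_by_country(flows, victim):
    """Count distinct sources hitting the victim per GeoIP country.

    This tells you where the bots are, not where whoever runs them is."""
    seen = {f.src: f.country for f in flows if f.dst == victim}
    return Counter(seen.values())


def link_utilisation(flows, window_seconds, capacity_bps):
    """Fraction of the upstream link consumed by ALL flows in the window.

    Above 1.0 the link is saturated and every site behind it suffers,
    not only the host the flood is aimed at."""
    total_bits = 8 * sum(f.nbytes for f in flows)
    return total_bits / (window_seconds * capacity_bps)


def triage(text, victim, window_seconds=1, capacity_bps=1_000_000_000,
           min_sources=8, max_top_share=0.2):
    """Summarise one window of flows: is this distributed, and is the link full?

    'distributed' is a simple heuristic: many sources and no single source
    carrying more than max_top_share of the bytes aimed at the victim."""
    flows = parse_flows(text)
    per_src = bytes_by_source(flows, victim)
    total = sum(per_src.values())
    top_src, top_bytes = per_src.most_common(1)[0] if per_src else (None, 0)
    top_share = top_bytes / total if total else 0.0
    return {
        "distinct_sources": len(per_src),
        "top_source": top_src,
        "top_share": top_share,
        "distributed": len(per_src) >= min_sources and top_share <= max_top_share,
        "countries": sources_by_country(flows, victim),
        "utilisation": link_utilisation(flows, window_seconds, capacity_bps),
    }


if __name__ == "__main__":
    for name, text in (("botnet", SAMPLE_FLOWS), ("single", SINGLE_SOURCE_FLOWS)):
        print(name, triage(text, "198.51.100.5"))
```

In the botnet sample the victim sees eleven sources, the largest of which carries about 10% of the bytes, and the one-second window pushes roughly 1.0002 Gbit through an assumed 1 Gbit/s link, so the unrelated host 198.51.100.9 is just as unreachable from outside. Blocking by country would cut some bots and none of the operator; the useful responses are upstream scrubbing or a larger pipe, which is exactly the mitigation contract Exfocus says he is paid extra to provoke.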

Edit 2: NOBODY’S PERSONAL INFORMATION WAS COMPROMISED. OIT reports that it has not detected any breach of confidential information, and the SSNs Exfocus posted came, by his own account, from a school in Texas. None of you are at any risk of identity theft because of Exfocus.