The popular Italian hacktivist collective LulzSec ITA claimed via Twitter to have hacked three Italian universities.

The popular Italian hacktivist collective LulzSec ITA has announced via Twitter the hack of three Italian universities, highlighting the importance of cybersecurity for our society.

We paid a visit to @UnivRoma3, in the hope that, besides security, the future of our young people may improve too! https://t.co/Ldez9lrG6W A very small part of the leak: https://t.co/DsuZyQK5VT pic.twitter.com/DvrWkBxW9Z — LulzSecITA (@LulzSec_ITA) February 7, 2020

The hacktivists claim that, once hacked, the universities did not disclose the data breach and attempted to hide the incident, in violation of the European privacy law GDPR.

Has anyone who is a student/teacher at @UnivRoma3 @UniBasilicata or @Uniparthenope received any kind of communication about the intrusion into the portals of these three universities? Because nothing can be found on social media or websites. #GDPR #LulzSecITA #Università #Hacked — LulzSecITA (@LulzSec_ITA) February 10, 2020

Below is a translation of the message published by the group.

"Dear student / teacher friends, after a few months today we decided to focus our attention on you too :)

We spent time searching for holes in Italian universities (and not only, we remember that dozens of universities were hacked in 2011), to try to show you that security in the academic environment must be taken seriously since the university is the den of the excellent minds of our future. If the concept of security does not start from our schools, how can we have a better ruling class than the current one? Since our previous attacks did not bring any sense of shame on your part, we decided to let you taste another round, until you are able to admit how ridiculous your security is. Lulz !"

I reached out to the group for more information about their operation; they told me that the choice to attack the universities of Basilicata, Napoli and Rome3 was casual.

As for motivation, they confirmed to me that they have always had an interest in Italian education. They explained that, 9 years after the first attacks against the universities, nothing has changed from a cybersecurity perspective.

Two weeks after the hack, one of the universities breached by the group, Uniparthenope, sent a data breach notification via email to the impacted students and teachers. LulzSec ITA told me that the notification attempted to downplay the incident, even though the hacktivists claim to have accessed data contained in 27 databases and compromised some portals used by the university.

The other two universities, “Università della Basilicata” and Roma3, have yet to notify their students about the incident.

How did LulzSec ITA hack the universities?

In the simplest way: the hackers used a classic and very simple SQL injection attack. This kind of attack can be launched automatically using very simple tools, and it can allow attackers to access the target database.

It is embarrassing that universities could be hacked with such a simple technique. The hacktivists also told me that in some cases they were able to bypass login pages without knowing the username and password, simply by using SQL injection strings.
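The login-bypass weakness described above, shown as an added example that is not part of the original article and is not code from any of the affected universities: a Python/sqlite3 login check that builds its query by string concatenation, next to the parameterized form that treats the same input as data. The table, the account, the salt and all function names are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

DEMO_SALT = b"constructed-demo-salt"  # simplification: real systems use a per-user salt

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()

def make_db():
    """In-memory table with one constructed account (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("m.rossi", pw_hash("correct horse")))
    return db

def login_vulnerable(db, username, password):
    """Weak form: the username is pasted into the SQL text, so quote
    characters in it are parsed as SQL instead of being treated as data."""
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(query).fetchone() is not None

def login_hardened(db, username, password):
    """Corrected form: the username is a bound parameter and the hash is
    compared in application code, in constant time."""
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], pw_hash(password))

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1' --"  # textbook tautology, constructed test input
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__,
              "valid:", fn(db, "m.rossi", "correct horse"),
              "wrong pw:", fn(db, "m.rossi", "nope"),
              "crafted:", fn(db, crafted, "nope"))
```

Both functions accept the valid credentials and reject a wrong password; only the concatenated query accepts the crafted username, which is why the fix is the bound parameter and not input filtering.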

Pierluigi Paganini

(SecurityAffairs – LulzSec ITA, hacking)