A former University of Kansas freshman, in fear of flunking out, successfully used a device called a keystroke logger to steal instructors’ confidential login information, hack into multiple campus computers and change F’s to A’s, according to an arrest affidavit in the case.
Although the hacking apparently went unnoticed for most of two semesters, the student eventually got caught and is now facing a string of felony computer crime charges.
An affidavit supporting the arrest of Varun H. Sarja outlines the KU police investigation into the case and Sarja’s admission to detectives that he hacked into the system to change almost all of his 10 grades during the 2016-17 school year.
The Journal-World recently requested the affidavit from Douglas County District Court and received it Wednesday. Allegations in the document have not been proved in court.
Sarja, of Olathe, is charged with eight counts of identity theft, nine counts of unlawful computer acts and one count of attempted unlawful computer acts — 18 counts in all, and all felonies. He allegedly committed the crimes from December 2016 through May 2017, according to the charges.
Sarja made his first appearance in court Jan. 16 for charges that were filed Nov. 8, according to court records.
Sarja is no longer a KU student but was a freshman in engineering for the 2016-17 school year, KU spokeswoman Erinn Barcomb-Peterson confirmed.
Keystroke loggers, which start at around $20 and are sometimes made to look like USB drives, are often used by cybercriminals to steal personal information from public computers and keyboards.
The devices plug easily into computers and record every keystroke that’s typed, enabling hackers to obtain others’ usernames and passwords for accounts and computer systems.
According to the affidavit in Sarja’s case, prepared by a KU police detective:
Sarja was on academic probation in spring 2017, and after being surprised to see he had an A in math, a School of Engineering academic adviser and the math professor began checking into it. The math professor said that although his personal records showed Sarja got F’s for the fall and spring semesters, those grades had both been changed to A’s.
Police began contacting Sarja’s other instructors. After checking records, many of them also found that Sarja’s grades had been changed and said they didn’t do it or give anyone their login credentials. That included class grades entered in KU’s “Enroll and Pay” system and some individual assignment grades entered in the “Blackboard” system.
Some F’s had been changed to A’s, one C became an A, and in one case an F was changed to a B — which the instructor noted was conspicuously entered as lowercase ‘b.’
Upon searching Sarja’s phone, police found an apology letter that Sarja wrote to KU IT as well as a document listing several KU instructors’ usernames and passwords. The phone also showed Sarja had searched for the phrase “email keylogger.”
KU police attended a July 20, 2017, hearing to remove Sarja from the university, and interviewed him multiple times throughout the investigation.
Sarja told a detective he had changed all but two of his 10 grades at KU, and he had obtained about 10 username and password combinations to do it. He said he plugged a USB key logger into campus computers to get usernames and passwords, but threw it away when he moved out of the KU residence halls at the end of the spring 2017 semester.
In at least one attempt, Sarja was not successful.
In early May 2017, Sarja tried to insert a USB stick into computers in Wescoe Hall, telling a KU IT employee he was there “to complete a security check.” But the KU IT employee turned Sarja away because he didn’t have “the proper credentials,” then contacted police.
Sarja told detectives he was scared to tell his parents he had failed classes and wanted to be successful.
“He changed his grades because he loved engineering and if he failed he would no longer be able to pursue engineering,” according to the affidavit. “Sarja stated he also didn’t want to let his parents down, and he hadn’t done as well as he would have liked to.”
The Journal-World reported in October that KU police had investigated the case and that the district attorney was reviewing it for charges.
Police, the DA and KU officials at that time would not confirm whether that investigation was into the same cybersecurity breach reported earlier that month by the Journal-World, in which a KU engineering student used a keystroke logger to obtain faculty members’ login information and passwords and changed his failing grades to A’s. The newspaper reported the breach after details were shared at a KU School of Engineering Senate meeting.
University officials said at the time that the hack “was minimal and caught quickly” and that a “disciplinary process is taking place for the person responsible.”
Barcomb-Peterson did not respond to a request for further comment Wednesday.
Sarja’s listed attorney, John Kerns, did not return messages from the Journal-World Wednesday afternoon.
Sarja has posted bond of $2,500 and remains out of custody. His next court appearance is scheduled for Feb. 13.
• Oct. 31, 2017 — District attorney considering charges in KU computer crime case