Cyber attacks on higher education institutions are on the rise across the globe, with multiple, unconnected attacks hitting the headlines in the last couple of weeks. Firstly, students at Lancaster University fell victim to a phishing attack, with fraudulent invoices sent to a number of students who had applied to join the university. A week later, students at the University of York were also breached, with the data of 4,400 students accessed.
This issue is not contained to the UK: at the same time as these breaches, the Louisiana Governor declared a state of emergency as multiple security breaches hit school systems.
Higher education may not seem like an obvious target for cyber attackers - quite different from the critical national infrastructure or financial institutes that we are used to hearing about, and where hackers’ motivations are more clear cut. So, why are education institutions increasingly becoming a target?
There are multiple reasons for this. For one, universities cannot enforce security controls on the equipment brought onsite by students, meaning there are thousands of potential entry points for hackers to make the most of. Additionally, universities provide very high-bandwidth internet access in order to support all of their students, making them a potential target for cyber-criminals who want to use the connectivity in disruption attacks against others.
Crucially, universities have extensive databases on thousands of students and staff, which include rich assets that are attractive to cyber attackers - such as personal, financial, and R&D data. Combined with the fact that attackers may not see the security of universities as especially advanced, this makes them an attractive hit.
Data stolen from universities could be used in a number of ways - such as to commit fraud, or steal IP - and with such a variety of possible options available for hackers to get their payout, it’s unsurprising that they are focusing their efforts here.
Financial gain isn’t the only goal
Looking beyond just financial gain, there are a number of other reasons why cyber attacks are hitting education institutions more frequently. For one, cutting-edge research takes place in universities, and the theft, manipulation, or destruction of such data is potentially another motivation for hackers. This is where geopolitical objectives might come into play. The line between financially motivated attacks and state-sponsored attacks is often a very thin one, and sometimes attacks have dual objectives.
In this sphere it has also been observed that nation-state backed hacking groups are utilizing academia as a cover for malicious campaigns. For example, in June we uncovered a phishing campaign with hackers masquerading as members of Cambridge University to gain victims’ trust so that they would open malicious documents. This attack was conducted by the group identified as APT34, an Iranian-nexus threat actor.
In this case, the campaign took place over LinkedIn, which has proven to be an effective delivery mechanism if a targeted organization is focusing heavily on e-mail defenses to prevent intrusions. The targeted employee conversed with ‘Rebecca Watts’, allegedly employed as ‘Research Staff at the University of Cambridge’, who shared a malicious file disguised as a resume form for potential job opportunities - which then transferred malware that the group is known to use.
This campaign demonstrates the extent to which cyber attackers are exploiting education institutions - not just targeting their data but also using their authoritative status in society as a means to attack others. While Cambridge, and its students, might not be taking a direct financial hit in the case of this attack, its reputation might be. Universities have to consider a very complex and serious threat landscape.
Which hacking methods are most affecting universities?
The continued rise of ransomware is one way that universities are falling victim to hackers, particularly in more opportunistic attacks. On the dark web today, ransomware kits are available for purchase relatively cheaply, meaning anyone could attempt an attack on an institution, whether that be in hope of a payout, or because of a personal vendetta.
To reduce the likelihood of these - or any - attacks being successful, good cybersecurity hygiene is required. Known vulnerabilities should be patched quickly, and comprehensive malware prevention must be implemented.
However, phishing is still the primary way that cyberattacks are carried out. Although phishing is a relatively basic hacking method, it continues to be very successful, due to its reliance on manipulating people’s trust. It only takes one individual to click on a malicious link for attackers to infiltrate university databases in order to get their desired outcome - whatever this may be. Therefore, it is essential that staff and students alike are trained on recognizing when an email is genuine, and on best practice to follow, such as not clicking embedded links.
It’s time academic institutions acknowledge the risk they are under
Universities may not have the dedicated cyber security resources that organizations of a comparable size might. However, with their data-rich environments, and the line between financially motivated attacks and state-sponsored attacks becoming more and more blurred, changes must be made.
Clearly, universities and other higher education institutions must accept that they have become a target for hackers, and take thorough measures to protect themselves, their staff, and their students.