Rise in Cyber Attacks on the Education Sector: Universities Get Schooled

By Rhiannon Hughes

The education sector has been subjected to an increase in cyber-attacks since 2020. The National Cyber Security Centre (NCSC) has reported a steep increase in attacks on the sector beginning in August 2020 and spiking again in February 2021. The sharp turn to online learning due to COVID-19 has undoubtedly provided malicious actors with new attack vectors to reach academic infrastructure and access personal information belonging to staff and students, in addition to intellectual property. Microsoft claim that the education sector is currently the industry most affected by enterprise malware encounters, with approximately 5,454,568 devices affected by malware in the last 30 days. The rise in attacks has been highlighted by the alert raised by the NCSC, “Further ransomware attacks on the UK education sector by cyber criminals”.


In May 2020, numerous UK universities, alongside others globally, were hit by the Blackbaud hack that compromised customer data. The attack affected at least ten universities, including the University of Oxford, where the data stolen included sensitive information such as phone numbers. Blackbaud handled the attack badly and only reported the breach to the Information Commissioner's Office (ICO) weeks after they were aware of it. In addition, Blackbaud paid the ransom request in exchange for the attacker deleting all the stolen data. This is a poor approach to take: not only does it encourage further attacks, but there is also no way of guaranteeing that the attackers actually deleted the stolen data. Attackers were able to breach so many institutions because the Blackbaud hack involved popular third-party software. The universities that were hit were not specifically chosen by the attackers; they simply happened to be using that software.


Recently, several universities have been victims of much more targeted attacks…

  • Northumbria University was the victim of a cyber-attack in September 2020. The attack caused disruptions across their networks and forced the university to close its campus. The clearing hotline was interrupted, and exams had to be postponed.

  • Shortly following the attack on Northumbria University, Newcastle University was breached by ransomware gang DoppelPaymer. The same day as breaching the systems and taking sensitive data about staff and students, the attackers were able to steal the university’s backup files.

  • On the 24th of February 2021, an attempted cyber-attack caused Queen’s University in Belfast (QUB) to suspend access to its university systems. The university was able to mitigate the effects of the attempted attack and there was no apparent data breach.

  • All IT systems belonging to Hertfordshire University were disrupted by a cyber-attack in April this year. As a result of the attack, all online learning was suspended for two days.

  • Sunderland University is the latest academic institution in the UK to fall victim to a cyber-attack. Key infrastructure such as telephone, website and IT systems were brought down as a result of the attack. The university had to cancel all online lectures. Systems were still disabled a week after the attack.



So why has there been such a steep rise in cyber-attacks on the education sector?

One of the most significant causes is the shift to online learning due to COVID-19. The sharp change meant lectures, seminars, exams and library resources all had to move online quickly, not leaving much time for IT teams to secure the systems. The increased use of teleconferencing applications such as Zoom and Microsoft Teams also provided malicious actors with new attack vectors. The quick change to online learning meant that IT teams lost a lot of visibility over their systems. Students were no longer on campus. In fact, a lot of students returned home to countries around the globe, meaning it has been extremely difficult to actively assess whether login and system access requests are coming from students studying at home or from attackers. Staff and students accessing services remotely are no longer protected by universities' robust firewalls, or restricted by policies and technical controls from reaching sites or services that could lead to malware.

Universities are also a prime target for attackers because the lack of cyber security awareness amongst students creates a weakness in university systems. The majority of students are unlikely to manage their passwords, check if sites they are visiting are secure or be aware of phishing emails directed at their university email accounts.

Universities are also attractive targets for attackers because of the amount of valuable data that they hold. Academic institutions tend to handle a lot of personal information on both staff and students, including names, dates of birth, emails, phone numbers, addresses, academic records, and payment information. All this data is perfect for attackers to hold to ransom to receive a big payout in exchange for the breached data being deleted.

Academic institutions are appealing to attackers because of the research data and intellectual property that they handle. The attackers that go after this data tend to be different from the attackers who attempt to breach PII data. Rather than being from cyber gangs whose motivation is to make money through ransomware, state-sponsored attackers breach university systems to steal confidential research that would otherwise not be available to them.

The NCSC reports that whilst ransomware and cyber-crime cause the most evident disruption for universities, state-sponsored espionage causes extended damage. State-sponsored espionage is a particular threat to universities that have an academic record of publishing world-leading research. Stolen intellectual property gives others the chance to take someone else’s research and publish it first. A prominent example of this in the media is the breach of Oxford University’s Division of Structural Biology in February. According to an investigation by Forbes, during the breach attackers were able to access machines used to purify and prepare biochemical samples. It has been widely speculated that the attackers were seeking research about COVID-19 or the vaccine. The attackers alleged to be responsible for the Oxford University hack appear to be financially motivated actors hoping to sell the data onward; however, they have been linked to government hackers.


Universities and schools have a hard time combatting cyber-attacks because there is a general lack of funding and time allocated towards cyber security.

The core business function of a university or school is to deliver education to individuals and, with tight budgets, resources are often driven towards essential items such as learning equipment. This means that the bigger picture of security and business continuity is pushed back at times.

Overall, universities are vulnerable to cyber-attacks because of the size and nature of their networks, and the valuable research data they handle. So how can universities protect themselves? Whilst having robust technical controls such as anti-malware software and firewalls is essential, universities can also protect themselves by increasing user awareness. Staff and students should be trained on how to spot and report phishing emails, how to create strong passwords and how to update operating systems and applications on any personal devices that are used to access university infrastructure. These simple steps could be the added layer of protection that saves an institution from a costly breach. 
