What Happens at Uni, Stays... Why Did Higher Education Become a Low-hanging Fruit for Cyberattacks?

Higher Education as a Target

On February 5, 2020, the University of Maastricht released a statement that it had paid 200,000 euros ($220,000) in ransom to hackers who had crippled the University's systems with an attack, blocking several systems, including email, and incapacitating many on-campus computers. The attack unfolded on December 24, 2019, during the Christmas holidays. It is believed that the adversaries initially penetrated the University email using a phishing technique and were eventually able to escalate the adverse effects, essentially freezing work across the University network. The University of Maastricht Vice President Nick Bos told Reuters: "The damage of that to the work of the students, scientists, staff, as well as the continuity of the institution, can scarcely be conceived." The adversaries demanded 30 bitcoins in exchange for restoring the networks and systems, which were paid to them.

Unfortunately, the University of Maastricht is not unique in its experience. Here are several notable examples. In 2016, the University of Calgary in Canada paid 20,000 Canadian dollars ($15,780) in bitcoins when an attack similar to that on the University of Maastricht was executed by a team of hackers. In 2019, over 62 higher education entities (colleges and universities) were affected by an exploit attack in which adversaries took advantage of a vulnerability in the Ellucian Banner higher education enterprise resource planning (ERP) system. The adversaries gained unauthorised access to colleges' and universities' enrolment systems and created thousands of fake student accounts. Through these accounts, the attack proceeded to affect college and university systems. In response, Ellucian released a security patch to fix the software and address the vulnerability. Recently, Monroe College in New York City received a $2 million ransom demand from hackers who managed to lock its staff and students out of the College's website, learning management system, and email. In the UK, the prevalence of attacks on higher education warranted the National Cyber Security Centre (NCSC) issuing a warning to all universities in 2019, urging them to take proactive measures against cyberattacks. Of course, the list does not end there.

Why Are Universities Attacked?

Cyber attacks on higher education have become commonplace for several reasons.

Money - most universities are highly profitable organisations, yet many of them are easier to penetrate than, say, banks or private sector companies. There are many reasons for this, including the fact that cyber security teams in the private sector are better resourced and, let's face it, better financed to attract the best talent on the market. Since the majority of adversaries are motivated by financial gain, there is always a good chance that a university will pay a ransom in exchange for restoring its "business as usual" equilibrium.

Information - universities collect a whole range of personal data points about students and staff, including information that is not replaceable (for example, social security numbers or equivalent tax numbers). Since over 60% of all data breaches in the world target identifying information, universities clearly become a lucrative target for adversaries.

Intelligence - apart from being a source of money and information, universities are also a great source of intelligence. Many academics are involved in important research projects (sometimes dealing with confidential or even secret data), so some attackers concentrate on gaining unauthorised access to valuable research data and outputs.

Accessibility - most universities are accessible. Multiple devices (including personal devices), multiple apps and software, as well as open networks operate on university campuses, creating endless opportunities for adversaries to penetrate.

Lack of cyber security literacy - cyber security education is practically non-existent in many universities. On the one hand, the student population is large, dynamic, and constantly changing. This means that, unlike companies, universities need to invest significant amounts of money into cyber security education in order to receive a sufficient return on that investment. On the other hand, the training is often not even available to university academics and staff. For example, in my entire academic career I only worked for one university where I had to take an online course in cyber security. In fairness, there is some positive movement towards developing new cyber security education and training in universities and colleges around the globe.

The Uncomfortable Truth

Are there actually any prevalent attack methods?

Phishing is still a popular "weapon" of choice for many adversaries, as it is relatively cheap to administer and easy to orchestrate. Just think about it: while private companies typically make individual emails difficult to locate and obtain, the nature of academic work is that the majority of identities (names, affiliations and work addresses) as well as emails are very simple to find and scrape from the university website. As a result, many academics and students receive phishing emails in bulk and on a daily basis. My personal favourite phishing email, which recently landed in my mailbox, was one pretending to be from the Dean of my School. It was asking whether I was around and whether I could "quickly send [her] a bit of money", because she "left her wallet in her office and needed some cash to pay for dinner with important university alumni". The whole thing sounds ridiculous, of course, but you would be surprised if I told you how many people were actually fooled by this email. This attack required very little: just obtaining names, titles and emails from my School's pages and then sending everyone an email masquerading as the Dean.

Most of the time, however, the attackers use something less sophisticated. They send a simple email saying that your mailbox is over quota or that your email is blocked until you confirm some personal information. Here is a nice example from the University of Rochester:

Source: University of Rochester, 2013

Spear phishing is another frequently used way to get in. Recall the recent attack on the Australian National University, which started with a spear phishing email targeting a senior member of staff, whose email was hijacked and whose contacts were harvested to orchestrate a further spear phishing campaign, which the hackers used to steal account and password information without members of staff even clicking on any attachments. By taking control of these credentials, the attackers eventually gained access to over 200,000 records of confidential staff and student information held by the university. The attack unfolded as follows:

Source: Australian National University, 2019

Exploiting software vulnerabilities is another commonly used technique, when adversaries take advantage of software imperfections as in the case of the Ellucian Banner higher education enterprise resource planning (ERP) system attack described above.

Sophisticated social engineering is sometimes employed by cybercriminals. For example, at a recent cyber security conference I heard an account of a complex attack on an undisclosed university, where attackers leveraged the reorganisation of the HR systems. They replicated the HR website and, by sending phishing emails to the university staff, redirected them towards the fake HR system, where account credentials were mass-harvested. The attackers then recruited a couple of dozen "workers" from the university's student population for part-time jobs and told them that they would be paid relatively small amounts of money for answering some surveys. The recruitment process was very realistic, with personal information collected from the "workers". The adversaries even administered Skype interviews and issued contracts! Over the winter holiday period, the hackers infiltrated the HR systems and changed the bank account information of highly paid university staff, replacing their bank information with that of the "workers". Since highly paid staff were targeted, this ensured that not many people actually discovered the problem on their bank accounts immediately. Meanwhile, each worker, instead of getting, say, the promised 700 units of undisclosed currency, received 10,000 or 20,000 times as much. The attackers then contacted the "workers", explaining that "a payroll mistake was made", and asked them to transfer the difference between their agreed salary and the amount received to their "employer company" bank accounts (allegedly in Eastern Europe and China). The attack was not spotted until after the winter holidays, by which time the stolen money was hidden and the scammed "workers" allegedly faced money laundering charges. Obviously, there are many gaps in this story and many questions one would want to ask, yet it gives us some idea of how inventive adversaries can be in applying social engineering techniques.
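The payroll redirection described above leaves a detectable trace in the HR system's own audit log: several senior employees' payout accounts change within a short window, and the new accounts already belong to other (newly hired) employees. The following is an added example, not code from the article or from any named institution; it assumes a hypothetical audit log of (timestamp, employee_id, new_account) tuples and a payroll master mapping accounts to their registered owner, both constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log of bank-detail changes made through the HR
# system: (timestamp, employee_id, new_account). Not real data.
SAMPLE_CHANGES = [
    ("2019-12-23T22:14:00", "E1001", "ACC-7781"),
    ("2019-12-23T22:16:00", "E1002", "ACC-7782"),
    ("2019-12-23T22:19:00", "E1003", "ACC-7781"),
    ("2019-12-27T09:05:00", "E2050", "ACC-9310"),  # legitimate self-update
    ("2019-12-29T03:40:00", "E1004", "ACC-7783"),
]

# Constructed payroll master: account -> employee it is already registered to.
# The part-time "workers" recruited by the attackers appear as new hires E3xxx.
REGISTERED_ACCOUNTS = {
    "ACC-7781": "E3001",
    "ACC-7782": "E3002",
    "ACC-7783": "E3003",
    "ACC-9310": "E2050",
}


def audit_bank_changes(changes, registered, window=timedelta(hours=24), threshold=3):
    """Return {employee_id: sorted list of reasons} for suspicious changes.

    shared_account:   the new account is already registered to a different employee.
    duplicate_target: two or more employees switched to the same account.
    burst:            at least `threshold` distinct employees changed details
                      within one `window` (the holiday-period mass edit).
    """
    findings = defaultdict(set)
    targets = defaultdict(set)
    for _, emp, acct in changes:
        targets[acct].add(emp)
        owner = registered.get(acct)
        if owner is not None and owner != emp:
            findings[emp].add("shared_account")
    for emps in targets.values():
        if len(emps) > 1:
            for emp in emps:
                findings[emp].add("duplicate_target")
    timeline = sorted((datetime.fromisoformat(ts), emp) for ts, emp, _ in changes)
    for i, (start, _) in enumerate(timeline):
        staff = {emp for t, emp in timeline[i:] if t - start <= window}
        if len(staff) >= threshold:
            for emp in staff:
                findings[emp].add("burst")
    return {emp: sorted(reasons) for emp, reasons in findings.items()}
```

In practice such findings would gate the payroll run (hold the payment and confirm the change with the employee out of band) rather than merely alert after the money has left.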

Take Aways

Universities are commonly targeted by adversaries in pursuit of money, information, intelligence, easy access or vulnerable populations. Many current threats require both technical and psychological readiness from higher education institutions. Apart from concentrating on patch management, training programmes need to be developed to educate university staff and students to spot potential attacks, making university networks and computer systems less vulnerable to cyber security breaches.
