A penetration test conducted for a UK government agency came out with one simple conclusion - 100% of UK universities and academic institutions have shockingly weak cyber security. Just ask the University of Sunderland.
First Published 8th April 2019 | Latest Refresh 18th August 2022
Universities aren't making the grade.
Reflare Research Team
Problems on top of problems
Academic institutions continue to be the focus of exploitative and malicious cyber attacks.
Most recently, a targeted intrusion adversary named Aquatic Panda (believed to be from mainland China) has been seen exploiting the critical flaws in the Apache Log4j logging library. While this allegedly state-sponsored group has primarily focused on communications companies, tech firms, and government departments, it is reported by CrowdStrike that academic institutions are now also being targeted.
We highly recommend that those responsible for the security of academic institution systems and networks make themselves familiar with the vulnerabilities and risks associated with the Apache Log4j exploit, which they can do by reviewing our research on Log4j and the Open-Source Rebellion.
Can academia defend what's coming?
As academic institutions clearly become a more attractive target for hackers, the cyber resilience of universities still leaves much to be desired.
In the not-so-distant past, the BBC reported on a penetration test performed against UK universities that quickly resulted in severe breaches. In this research report, we will take a look at the techniques used, why universities are relatively unprepared and what attackers seek when hacking into university networks.
A penetration test ordered by Jisc - the government agency providing internet access to UK universities - showed that 100% of tested universities were successfully hacked with most of them only fending off attackers for 1-2 hours. According to their published report, most breaches were achieved using Spear Phishing attacks.
What is Spear Phishing?
Most of our readers will have heard of Phishing attacks. Here, attackers send fake emails to victims in order to trick them into revealing login credentials or other critical information. Spear phishing attacks take this approach further by tailoring the emails to the victim.
Imagine for a moment that your name is John and that you are working as a non-technical administrator at a UK university. You know Sally, the head of IT, personally.
A general phishing attack may look like this:
Dear User,
Your account is about to expire!
Please log in here to prevent expiry.
hxxp://evil.com/login
Thanks
While even such basic attacks are frighteningly successful, a spear phishing version of the same email may look something like this:
Hi John,
As you may have heard during Monday’s staff meeting, we are upgrading the security of our systems. For technical reasons that I won’t bore you with, this requires that you log into the staff panel before 5pm today. In case you forgot the link, it’s at hxxp://evil.com/login.
Sorry to bother you with this, but it is to keep us all safe.
Best,
Sally
The spear phishing attack is significantly harder to detect. Reflare’s own penetration testing experience shows that up to 3 out of every 5 victims fall for well-crafted spear phishing emails the first time they are encountered.
If the victim has access to confidential files, this can have catastrophic consequences.
Why are universities being attacked?
Universities present a target that is relatively weakly secured and offers relatively high rewards. While undergraduate assignments and exam scores are of little interest to external attackers, research data can be highly valuable to companies in the private sector and foreign governments. The ease with which UK universities were hacked during this penetration test combined with the high value of information stored on university systems makes it highly likely that actual successful attacks by criminals against universities are a regular occurrence.
Case in point
Hackers who conduct these sorts of attacks understand that the 'right timing' can hugely increase the value and impact of their work. The University of Sunderland was hit by an attack at what can be argued was the worst possible time: the start of the first in-person academic year after the COVID-19 pandemic.
As you could imagine, being hacked as thousands of students return to campus would be incredibly disruptive, which is exactly what a hacker would want. The university's vice-chancellor, Sir David Bell, said this "frustrating" attack had disabled the institution's entire IT system. Although the University did not say who was behind the attack or what type of hack had taken place, it is believed to be ransomware which has encrypted and locked the IT system until a ransom payment is made.
Another recent example is Ottawa’s French-language public school board Conseil des écoles publiques de l'Est de l'Ontario (CEPEO), which fell victim to a breach where 75 gigabytes of files were seized from a server in their main offices. Even though law enforcement and the Information and Privacy Commissioner of Ontario were advised of the attack, the data of employees, students and alumni were critical enough that CEPEO paid the hacker’s ransom.
Summary
One of the most common ways of delivering ransomware into a system is through (surprise) spear phishing attacks, which are extremely hard to detect. Please never trust an email simply because it appears to come from someone you know. Always check the recipient’s email address before answering and confirm the authenticity of any websites you visit.
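The address and link checks described above can be partly automated at the mail gateway or in a triage script. The following is an added example, not code from the original article: it parses a constructed message modelled on the "Sally" email and reports the mismatches a reader would otherwise have to spot by eye. The organisation domain, trusted host, and sender addresses are assumptions made up for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: the university's mail domain and login host.
ORG_DOMAIN = "university.example"
TRUSTED_LINK_HOSTS = {"staff.university.example"}

# Constructed sample modelled on the "Sally" email above (not a real message).
SAMPLE = """\
From: Sally <sally@it-university.example>
Reply-To: sally.it@mailbox.example
To: john@university.example
Subject: Security upgrade - action needed before 5pm

Hi John,
In case you forgot the link, it's at hxxp://evil.com/login.
"""

URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def link_hosts(body):
    """Hostnames of plain and defanged (hxxp) URLs found in the body."""
    urls = (re.sub(r"^hxxp", "http", u, flags=re.I) for u in URL_RE.findall(body))
    return {h for h in (urlsplit(u).hostname for u in urls) if h}

def triage(raw):
    """Return a list of reasons the message deserves a second look."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    if sender != ORG_DOMAIN:
        findings.append(f"sender domain {sender!r} is not {ORG_DOMAIN!r}")
    if reply_to and reply_to != sender:
        findings.append(f"replies go to {reply_to!r}, not {sender!r}")
    for host in sorted(link_hosts(msg.get_payload())):
        if host not in TRUSTED_LINK_HOSTS:
            findings.append(f"link points to untrusted host {host!r}")
    return findings
```

A familiar display name ("Sally") passes none of these checks by itself; only the address domain, the reply path, and the link host are compared, which is exactly what a well-crafted spear phishing email cannot easily fake.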
Universities are relatively soft targets that own relatively valuable data. In combination with the apparent ease of attack, this indicates that successful hacks against universities will remain somewhat common until there is firm action taken to address their vulnerabilities. Improving the systems and processes within their IT can be complex, expensive, and take time to implement.
However, upskilling the cyber security capabilities and threat awareness of the staff and students can be cost-effective, quick to implement, and make a significant impact on mitigating the risks of this happening to other universities.
Additionally, it is important to understand that there are many other types of cyber threats that universities are exposed to. Staying on top of the latest emerging cyber security trends can give academic institutions the opportunity to proactively reduce the risks to their IT systems and networks.