Universities – In the Cyber Firing Line

White Paper by Lawrie Abercrombie, Arcanum’s Technical Director

Cyber-attacks against universities hit the news again last week with reports that Iranian Hackers targeted 18 in the UK, including several offering cybersecurity degrees certified by the National Cyber Security Centre (NCSC). As a result, the NCSC has just released its own guidance on how to defend universities against the top 3 cyber threats.

However, attacks against Higher Education are nothing new. The sector is a particularly ripe target due to the huge amounts of personal information from students, staff and alumni; research data from academic, commercial and Government research projects and the comparatively vast amounts of money they handle. All in all, universities are an attractive target for almost every species of hacker on the planet.

We’ve been tracking these attacks for some time and have compiled and analysed data on successful cyber-attacks on universities worldwide, going back to the earliest incident we found in 2002. Between then and now, there have been over 1,200 successful attacks on universities. Our analysis has concentrated on successful rather than unsuccessful cyber-attacks: most commonly those where data was stolen, malware was discovered or websites were defaced, rather than those where an attempted attack was foiled.

We have not included DDoS attacks in any of our analysis, for the simple reason that it’s frequently impossible to define when a DDoS has successfully taken place. However, Jisc, the Education Sector’s Joint Information Systems Committee, suggests in its recent report that there is “evidence both circumstantial and from the justice system to suggest that students and staff may well be responsible for many of the DDoS attacks”.

The biggest source of data in our analysis is the USA where individual states have been gradually introducing mandatory breach reporting laws. In some cases, these predate GDPR by 14 years. Over 75% of the 1,266 attacks we’ve recorded worldwide since 2002 have been against US universities and the choropleth map at the link below shows a breakdown by state and year:
Successful Cyber-attacks on US universities between 2002-2018 by state and year – by Matt Abercrombie

The first incident we identified was a single attack in 2002 and is rather amusing. In an academic version of corporate espionage, Princeton University hacked into Yale’s website to find out about its admission decisions.

2003 had only a couple of hacks on US universities, again aimed at harvesting personal information on students and staff for later resale. But in 2004, things started to get interesting as the State of California introduced the very first ‘Data Breach Notification’ law, which essentially mandates that every organisation in California suffering a data breach must formally report it. That year Californian universities reported 3 data breaches which together affected very nearly two million individuals’ records.

Similar laws were enacted across the US over the next few years and, not surprisingly, the number of breaches reported by US universities soared. Universities in 23 states reported breaches in 2005, in 27 states in 2006, in 30 states in 2012, and in 2017 universities in 42 states reported a total of 226 successful attacks against them. As an aside, the only US state where we have found no evidence of a successful cyber-attack is Wyoming.

The requirement to inform individuals that their personal information had been compromised has had several effects in the US Higher Education sector. Most notably:

• Universities have had to provide credit monitoring for periods of 1, 2 or even 3 years for those whose information has been compromised;

• University selection for less well-known institutions has been impacted as students avoid those that are historically likely to suffer a breach;

• Universities have almost universally taken out cyber-insurance to cover the costs of breach notification and rectification, including credit monitoring;

• All universities have a dedicated cyber-security capability, including a Chief Information Security/Data Protection Officer;

• Salaries for skilled cyber-security personnel are now considerably higher in the US than elsewhere in the world.

But cyber-attacks on universities are not just a US issue. 2004, the year that the Californian Breach Notification laws were introduced, also saw the first recorded cyber-attack on a non-US university when Nanyang Poly in Singapore had personal details of its alumni stolen. But there were no effective ‘Data Breach Notification’ laws outside the US, and so reports on non-US universities are sparse until 2011, when universities in Australia, Canada, India, Italy, Pakistan and the UK were all hacked.

Over the next few years, the number of attacks continued to rise, as did the range of targets. 2016 was a seminal year; it saw the first reported attacks on Chinese, German, Taiwanese and Indian universities and a change in the focus of the attacks away from stealing user IDs and passwords. The attack on Taiwan’s National Defence University was espionage related, with academic research being stolen, while the attacks in China, India and Germany were all motivated by political activism of one sort or another. ISIS left jihadist propaganda on China’s Tsinghua University’s website; Pakistani hackers took revenge for an Indian hack by defacing Utkal University’s website; and printers and photocopiers on university campuses across Germany spontaneously shot out flyers filled with anti-Semitic content.

2016 also saw the rise of ransomware, with Canada’s Calgary and Carleton Universities and Queen’s Belfast all receiving demands for bitcoins from hackers after their computers were targeted in ‘ransomware’ attacks. Being hit once is bad enough, but Bournemouth University revealed in August 2016 that it had been hit 21 times by ransomware in the previous year.

By mid-2017, universities in 45 countries as diverse as Norway and New Zealand, Belgium and Bangladesh, or Mexico and Morocco had all been hacked.

Overall, the UK ranks second in the global Higher Education target list but, with under 100 attacks in the same time frame, has less than 8% of the US total. India is in third place, mainly due to tit-for-tat attacks from Pakistan, followed by a clutch of countries including Australia, Canada, China, France, Germany, Italy, Japan and Turkey, each with between 10 and 20 recorded attacks.

The vast discrepancy between the US and the rest of the world is largely due to Reporting Bias, since US universities legally must report all breaches, which has not been the case elsewhere. There is also an element of Search Bias in our results, as we are essentially dependent on reports being made available in English as opposed to any other language. For instance, we could only find one report of an attack on a Spanish university, although there are at least 80 in the country and Spain is statistically the fourth most attacked country in Europe.

The new EU General Data Protection Regulation (GDPR) which came into effect in May 2018 is liable to change the European statistics substantially. There are over 1,200 universities in Europe compared to approximately 1,500 in the US. We expect that within 2-3 years the numbers of data breaches reported at European universities will rise dramatically, with the other changes that are noted above also being reflected across the UK and European Higher Education sectors.

The individuals, groups, and organisations responsible for hacking computer systems have myriad different reasons for doing so. These range from the merely curious through revenge, to financial, economic, military and political gain. In general, the Threat Actors behind these attacks target completely different organisations. However, we have noted all of these Actors operating in the Higher Education sector in general and more specifically against Universities.

The motivation for most of the 1,400 plus attacks we’ve analysed between 2002 and 2018 appears to be criminal, namely the theft of personal data that can be sold for a profit. Some of these attacks have been opportunity-led, whilst others suggest organised criminal intent. For example, a Russian hacker known as Rasputin has reputedly hacked at least 30 universities worldwide, including the University of Delhi, the University of the West of England (UWE) and the University of Mount Olive, and then sold the details he stole. As an example of the scale and success of cyber-crime against universities, by the middle of 2018 over 13,930,000 e-mail addresses and passwords relating to US universities alone had been found for sale on Dark Web sites.

Some attacks have been by relatively young and inexperienced hackers out to make a name for themselves. These usually manifest as website defacement, or stealing user names and passwords and leaving a small selection on a public website such as pastebin.com as proof of the hack. In May 2013, ‘Makabylie’, a 15-year-old Algerian, hacked two French universities just because he could. Interestingly, one of the two was Lille University, reputedly the 10th time it had been attacked that year.

There have also been a considerable number of politically motivated attacks. In the US in 2016, Andrew “Weev” Auernheimer, a right-wing extremist, hacked the print servers of several universities, including Princeton, Brown University and the Universities of California and Massachusetts, causing them to spill out racist propaganda. The ‘Cyber Armies’ of Pakistan and India regularly deface each other’s university websites, while in the UK a group supporting Julian Assange targeted Cambridge and Leeds Universities in 2012.

As indicated by the Jisc report, not all attacks come from outsiders. In 2012, a candidate for president of the California State University student body was charged with tampering with the University’s computers to alter the election results. In September 2015, an ex-member of staff at the University of London launched a cyber-attack against the senior manager responsible for his dismissal.

A much less frequently observed motive is industrial espionage by Nation State-sponsored attackers. Although it has happened, it is, by the very nature of the sophisticated methods used, very hard to detect and even harder to attribute to a specific organisation or country.

But some Nation States aren’t as good as others at covering their tracks. Iranian hackers have tried to access the research of Israeli physicists and nuclear scientists at Haifa University; Chinese hackers reportedly targeted military-related research at the National Defence University in Taiwan, and at the University of Virginia and Pennsylvania State in the USA; and last September The Times released a story about “Hundreds of successful cyberattacks on British universities each year, targeting scientific, engineering and medical advances including research into missiles”.

It’s a threat that has been well known for several years. As far back as April 2011, the US Federal Bureau of Investigation released a White Paper titled “Higher Education and National Security: The Targeting of Sensitive, Proprietary and Classified Information on Campuses of Higher Education”. Although US centric, it warns very clearly that some foreign nations continually attempt to gain political, military, and economic advantages by stealing intellectual property from Western Universities.

Somewhat perversely, it’s not only the traditional bad guys of the Intelligence World who are interested in university IT systems. In 2010, the ‘Tribune de Geneve’, a Swiss paper, reported that the US National Security Agency had used servers from the University of Geneva to launch worldwide cyber-attacks in 49 countries. The company that handles the University’s network confirmed that three servers had been hacked around 2003 but did not release any further details.

One of the many conclusions to be drawn from the analysis of these breaches is that there is no single defence mechanism which will protect universities and their data. Only a carefully designed and implemented defence-in-depth strategy can provide any degree of protection.

One of our previous White Papers, No Silver Bullets, whilst focused on layered defences against ransomware, is equally applicable to the data theft and espionage scenarios and has some useful guidance. If you want to know more about cyber-attacks and data breaches at universities, the use of Digital Forensics to track and analyse breaches or generally how to reduce your cyber risks, you can find more information on our website or email contact@arcanum-cyber.com and we’ll be happy to chat.

Lawrie Abercrombie M.Inst.IISP is Technical Director at Arcanum IS Ltd, a specialist Cyber Risk Management Consultancy working with Businesses, Government and Defence Industry.