Bringing cybersecurity globally to critical and complex key activities
Understanding the cyber threat:
Schools and higher education institutions were among the most popular targets in 2021. According to Checkpoint, Education and Research was the industry most targeted by cyberattacks in 2021, with organizations facing 1605 security attacks per week. This figure represents a 75% year-on-year surge. For comparison, cyberattacks across all industries have increased by 50% over the period. The reasons behind this growth appear as both structural (valuable user data, chronic under-appreciation of cybersecurity), as well as cyclical with the complex adaptation of pedagogical methods to the COVID 19 pandemic. This combination of factors seems to explain why, despite the sector facing major challenges such as a lack of staff and a lack of funding and resources, the prevalence of cyberattacks seems to be increasing year after year, as breaches in schools and higher education are widely reported.
The NCSC (National Counterintelligence and Security Center) continues to respond to an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges, and universities. Three reasons can be put forward to explain the attractiveness of the sector for the cybercriminal ecosystem.
First, universities and educational institutions hold valuable data that can be mined. They have valuable information about students and employees, namely medical records, PII (personable identifiable information) and financial information.
Second, their attack surface has grown rapidly over the past two years. Most companies are increasingly adopting new cloud and digital platforms, allowing them to be much more effective than in the past. Educational institutions are no exception to this trend. Indeed, many had to react quickly to challenging remote working conditions to add new capabilities for engaging learners and storing files. COVID 19 in that regard created avenues for hackers to exploit remote systems. The limited budgets of certain institutions and notably pubic schools further contribute to their vulnerability.
Third, paying ransom in the event of computer systems being encrypted by ransomware often appears to be the most viable option for organizations that cannot justify halting educational services.
These arguments are reflected in the fact that 13% of educational institutions have experienced a ransomware attack. This compares to 5.9% for government institutions and 3.5% for healthcare organizations.
As part of a campaign that begun in April 2017, cyberattacks from Chinese attacker groups have targeted U.S. universities in an effort to collect military type intelligence. The information sought was related to underwater technology and although no public notice has been issued, some institutions may have been compromised. This demonstrates the value of academic research for states seeking information of strategic interest. Between 2013 and 2017, Iranian hackers had already implemented a phishing scam to recover the passwords of hundreds of professors of American universities.
Far reaching consequences often arise from cyberattacks on the education and research industry. The NSW Department of Education was hit by a cyberattack in July 2021, provoking an utter paralysis of the education system. In January 2022, Albuquerque Public Schools district fell off to a cyberattack. The attack forced the superintendent Scott Elder to announce the cancellation of classes for two days in a row. This affected 75,000 students, or one in five school children in New Mexico. Likewise, a ransomware attack forced Howard University to cancel classes and shut down campus network in September 2021. Some organizations turn to another solution, paying the ransom, thus having to bear a financial drop-off. The University of California, San Francisco decided to pay part of the ransom ($1,14 millions) demanded by the Netwalker extortion group in order to decrypt their system and recover their data. In 2020, 77 individual cyber-extortion attacks affected nearly 1800 schools and resulted in $6.6 billions of recovery costs alone.
With 20% of attacks being the work of an internal actor, educa - tional services are one of the sec - tors most affected by this threat. It can result in DDoS attacks from disgruntled students or staff. In September 2015, the University of London was affected by a DDoS attack from an employee who was targeting the senior executive res - ponsible for his dismissal.
Plenty of different behaviors are ob - served from ransomware operators with regards to the education and research industry. Some opera - tors have an ethic chart preventing them from infecting essential ser - vices such as government, health - care organizations and education institutions. Other operators do not abide by those strict principles and contemplate the sector as an easy target. In March 2021, the FBI is - sued a FLASH, a document alerting education institutions of the surge of attacks directed at the sector by the actor dubbed PYSA. The Grief ransomware is another cyber-ex - tortion actor targeting education institutions. In May 2021, the group stated it had exfiltrated 10 Gb of personal and internal data belon - ging to a school district in Missis - sippi. Schools in Virginia and Was - hington state were also allegedly hit by the Grief operators.
ATK13
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK73
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK51
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK78
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK133
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK17
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK29
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK32
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK103
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK35
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK2
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK27
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK1
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK40
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK15
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations