Education

(15) attackers

Understanding the cyber threat:

Schools and higher education institutions were among the most popular targets in 2021. According to Check Point, Education and Research was the industry most targeted by cyberattacks in 2021, with organizations facing 1605 security attacks per week. This figure represents a 75% year-on-year surge. For comparison, cyberattacks across all industries increased by 50% over the same period. The reasons behind this growth appear to be both structural (valuable user data, chronic under-appreciation of cybersecurity) and cyclical, the latter tied to the complex adaptation of pedagogical methods to the COVID-19 pandemic. This combination of factors seems to explain why, despite the sector facing major challenges such as a lack of staff and a lack of funding and resources, the prevalence of cyberattacks seems to be increasing year after year, as breaches in schools and higher education are widely reported.

The NCSC (National Counterintelligence and Security Center) continues to respond to an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges, and universities. Three reasons can be put forward to explain the attractiveness of the sector for the cybercriminal ecosystem.

 

First, universities and educational institutions hold valuable data that can be mined. They have valuable information about students and employees, namely medical records, PII (personally identifiable information) and financial information.

 

Second, their attack surface has grown rapidly over the past two years. Most companies are increasingly adopting new cloud and digital platforms, allowing them to be much more effective than in the past. Educational institutions are no exception to this trend. Indeed, many had to react quickly to challenging remote working conditions, adding new capabilities for engaging learners and storing files. In that regard, COVID-19 created avenues for hackers to exploit remote systems. The limited budgets of certain institutions, notably public schools, further contribute to their vulnerability.

 

Third, paying ransom in the event of computer systems being encrypted by ransomware often appears to be the most viable option for organizations that cannot justify halting educational services.

 

These arguments are reflected in the fact that 13% of educational institutions have experienced a ransomware attack. This compares to 5.9% for government institutions and 3.5% for healthcare organizations.

 

As part of a campaign that began in April 2017, cyberattacks from Chinese attacker groups have targeted U.S. universities in an effort to collect military-type intelligence. The information sought was related to underwater technology and, although no public notice has been issued, some institutions may have been compromised. This demonstrates the value of academic research for states seeking information of strategic interest. Between 2013 and 2017, Iranian hackers had already implemented a phishing scam to recover the passwords of hundreds of professors at American universities.

Far-reaching consequences often arise from cyberattacks on the education and research industry. The NSW Department of Education was hit by a cyberattack in July 2021, provoking an utter paralysis of the education system. In January 2022, the Albuquerque Public Schools district fell victim to a cyberattack. The attack forced superintendent Scott Elder to announce the cancellation of classes for two days in a row. This affected 75,000 students, or one in five school children in New Mexico. Likewise, a ransomware attack forced Howard University to cancel classes and shut down its campus network in September 2021. Some organizations turn to another solution, paying the ransom, and thus have to bear a financial loss. The University of California, San Francisco decided to pay part of the ransom ($1.14 million) demanded by the Netwalker extortion group in order to decrypt their system and recover their data. In 2020, 77 individual cyber-extortion attacks affected nearly 1800 schools and resulted in $6.6 billion of recovery costs alone.

With 20% of attacks being the work of an internal actor, educational services are one of the sectors most affected by this threat. It can result in DDoS attacks from disgruntled students or staff. In September 2015, the University of London was affected by a DDoS attack from an employee who was targeting the senior executive responsible for his dismissal.

Ransomware operators behave in a variety of ways towards the education and research industry. Some operators have an ethics charter preventing them from infecting essential services such as government, healthcare organizations and education institutions. Other operators do not abide by those strict principles and regard the sector as an easy target. In March 2021, the FBI issued a FLASH, a document alerting education institutions to the surge of attacks directed at the sector by the actor dubbed PYSA. The Grief ransomware is another cyber-extortion actor targeting education institutions. In May 2021, the group stated it had exfiltrated 10 Gb of personal and internal data belonging to a school district in Mississippi. Schools in Virginia and Washington state were also allegedly hit by the Grief operators.

ATK13

> Alias

Group 88

Hippo Team

...

> Suspected origin countries

Russia

> Suspected targeted countries

Afghanistan

Belarus

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

ATK73

> Alias

Professional Adversarial Threat Group

TAG-CR4

...

> Suspected origin countries

United States

United Kingdom

...

> Suspected targeted countries

United Kingdom Of Great Britain And Northern Ireland

United States Of America

> Target sectors

Casino & Gaming

Education

...

> Motivations

Financial Gain

ATK51

> Alias

MERCURY

MobhaM

...

> Suspected origin countries

Iran

> Suspected targeted countries

Austria

Azerbaijan

...

> Target sectors

Defense

Education

...

> Motivations

Espionage

ATK78

> Alias

Thrip

> Suspected origin countries

China

> Suspected targeted countries

Philippines

Taiwan

...

> Target sectors

Aerospace

Communication

...

> Motivations

Espionage

Information theft

ATK133

> Alias

UCC

United Cyber Caliphate

> Suspected origin countries

Worldwide

> Suspected targeted countries

Australia

Egypt

...

> Target sectors

Aviation

Defense

...

> Motivations

Ideology

Notoriety

...

ATK17

> Alias

APT-32

APT-C-00

...

> Suspected origin countries

Vietnam

> Suspected targeted countries

Australia

China

...

> Target sectors

Communication

Defense

...

> Motivations

Espionage

ATK29

> Alias

APT 40

APT40

...

> Suspected origin countries

China

> Suspected targeted countries

Belgium

Cambodia

...

> Target sectors

Aerospace

Chemicals

...

> Motivations

Espionage

Information theft

ATK35

> Alias

APT 33

APT33

...

> Suspected origin countries

Iran

> Suspected targeted countries

Iran, Islamic Republic Of

Iraq

...

> Target sectors

Aerospace

Aviation

...

> Motivations

Espionage

ATK2

> Alias

APT 17

APT17

...

> Suspected origin countries

China

> Suspected targeted countries

Australia

Canada

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

ATK32

> Alias

FIN7

GOLD NIAGARA

...

> Suspected origin countries

Ukraine

Russia

> Suspected targeted countries

Australia

France

...

> Target sectors

Casino & Gaming

Communication

...

> Motivations

Financial Gain

ATK103

> Alias

GOLD TAHOE

GRACEFUL SPIDER

...

> Suspected origin countries

> Suspected targeted countries

Canada

Chile

...

> Target sectors

Education

Energy

...

> Motivations

Financial Gain

ATK27

> Alias

Dark Caracal

TAG-CT3

> Suspected origin countries

Lebanon

> Suspected targeted countries

China

France

...

> Target sectors

Defense

Education

...

> Motivations

Coercion

Financial Gain

...

ATK1

> Alias

DragonFish

Lotus Blossom

...

> Suspected origin countries

China

> Suspected targeted countries

Cambodia

Canada

...

> Target sectors

Communication

Education

...

> Motivations

Espionage

Information theft

ATK15

> Alias

APT 27

APT27

...

> Suspected origin countries

China

> Suspected targeted countries

China

Hong Kong

...

> Target sectors

Aerospace

Communication

...

> Motivations

Espionage

ATK40

> Alias

APT 34

APT34

...

> Suspected origin countries

Iran

> Suspected targeted countries

Azerbaijan

Mauritius

...

> Target sectors

Aerospace

Aviation

...

> Motivations

Espionage