Cyber-attacks against the education sector. When criminals go to university
Cyber-attacks against the education sector can paralyse universities and research centres and lead to personal data and intellectual property theft
In mid-June, right at the end of the academic year and in the middle of exams, the Pompeu Fabra University in Barcelona suffered a cyber-attack that forced it to disconnect its internet systems to prevent it from spreading. A few weeks earlier, up to six vocational training centres in the Basque Country suffered a ransomware attack that led to the encryption of their data. On the other side of the Atlantic, in recent months, there have been cyber-attacks against the education sector that have affected institutions such as Stanford University and the University of Buenos Aires.
This trickle of security incidents proves that cybercriminals are targeting organisations in the education sector.
According to a UK government study, 85% of UK universities have identified security breaches or attacks in the last year. Although university institutions are the main target for criminals, the study reveals that 82% of higher education institutions have dealt with attacks. So did 63% of secondary schools and 41% of primary schools.
In the following, we will explore the factors that encourage cyber-attacks against the education sector and their typology and targets. In addition, we will highlight the importance of private and public organisations having cybersecurity services in place to prevent security incidents and respond effectively to attacks.
1. Drivers of cyber-attacks against the education sector
The world of education, and universities and research centres in particular, has been at the forefront of the digitalisation of society and the economy.
Today, most educational organisations operate digitally, from teachers in a training academy who teach online to teachers in a primary school who take roll calls from a tablet using an app to the student who enters the school’s virtual campus from his computer.
This high level of digitisation increases organisations’ exposure. It broadens the attack vectors that criminals can use to threaten business continuity or steal critical information such as intellectual property or financial data.
What factors contribute to criminals designing and implementing cyber-attacks against the education sector?
1.1. The rise of tele-education and the level of cyber-exposure
The pandemic caused by COVID has led to profound changes in the economy. One of the areas most affected by this crisis was education. In a matter of days, universities, institutes and schools had to implement tele-education strategies to enable millions of students to finish the academic year normally. This involved deploying new tools and software and multiplied the number of devices from which organisations’ IT infrastructure is accessed.
While the health crisis led to an unprecedented spread of distance learning, distance learning has experienced sustained growth ever since the advent of the digital world. Thus, universities, training academies, and other entities offering courses, preparation for competitive examinations, and university and master’s degrees through distance learning have increased worldwide. In this sense, the Universitat Oberta de Catalunya, one of the most important distance-learning universities in Spain, suffered an attack that made it impossible to access its virtual campus at a critical time: the end of the term, when students had to hand in numerous assignments.
Today, teachers, researchers, students and parents can access essential web and mobile applications to work, evaluate students, carry out educational tests or consult students’ academic progress. This means that attacks can be carried out against personal devices beyond organisations’ control, such as a university professor’s laptop or a student’s mobile phone, which makes early detection and remediation of security incidents difficult.
1.2. The information stored in education systems
Cyber-attacks against the education sector are very attractive to criminals not only because the attack surface is becoming more extensive but also because the systems of educational organisations store information of enormous value:
- Intellectual and industrial property generated by researchers.
- Personal data of teachers, non-teaching staff, pupils, alums, donors, suppliers…
- Contact details and addresses.
- Official documents such as DNI, NIE, Social Security number or passport.
- Financial information: bank accounts, card numbers, invoices, receipts, educational loans…
- Educational information: studies, qualifications…
This information can be used to extort money from organisations and their students or to launch new attacks to commit financial fraud. It is also easy to monetise by selling it on the Dark Web.
1.3. Existence of critical business periods
For e-commerce, the weeks of Black Friday or the Christmas campaign are crucial because they generate a massive volume of sales and revenue during these days. However, educational organisations also have critical periods, such as the start of the academic year and the end of terms, quarters or semesters. That is, the weeks when exams are held, assignments are due, and teachers have to report grades.
Cybercriminals take advantage of these periods to launch cyberattacks against the education sector and generate more damage to organisations.
As noted above, a month ago, the University of Buenos Aires, one of Latin America’s largest and most important educational institutions, suffered a ransomware attack at the end of the semester. During the incident, the institution’s servers were compromised, preventing teachers and students from accessing critical systems such as the distance learning programme. As a result, teachers could not upload grades, students could not access the tool through which they manage their subjects, and even the payment of Christmas bonuses to staff was delayed.
1.4. Lack of awareness and lack of funding
As in other areas, one of the reasons for cyber-attacks against the education sector is the lack of awareness and training of the people involved, from teachers to students, researchers, and even organisations’ suppliers.
Added to this is the fact that most managers in educational institutions lack cybersecurity knowledge and that, when it comes to budget management, insufficient financial resources are allocated to protect their technological infrastructures.
The use of outdated software and outdated equipment can lead to the emergence of vulnerabilities that malicious actors can exploit. Likewise, the absence of good cybersecurity practices facilitates the success of social engineering campaigns.
1.5. Proliferation of as-a-Service models and the number of potential attackers
While we have addressed the drivers of cyber-attacks against the education sector from the point of view of organisations, we must now consider a key trend in cyber-security that affects all sectors: as-a-service programmes.
Dozens of criminal groups offer Ransomware-as-a-Service (RaaS) or DDoS-as-a-Service programmes on the Dark Web. These criminal business models involve marketing the techniques and means to carry out ransomware or DDoS attacks. This multiplies the number of potential attackers, as malicious actors no longer need the knowledge or resources to develop malware or build the infrastructure necessary for a DDoS attack.
At the end of 2023, Stanford University, one of the world’s most prestigious educational institutions, suffered an attack claimed by the Ransomware-as-a-Service group Akira, which had already masterminded other cyberattacks against the education sector.
2. Universities, research centres, academies, schools… A complex ecosystem
Although universities are, unfortunately, the protagonists of many cyber-attacks against the education sector, they are not the only target of criminals. No education-related entity can be considered safe.
2.1. Higher education and research
- Universities. They are a priority target because of their size, extremely high level of digitisation, and because a successful attack can lead to the theft of valuable intellectual property, breach of thousands of people’s personal data and high ransom demands. As soon as 2024 began, Memorial University of Newfoundland had to postpone returning to classes at its Grenfell campus for a week after an incident forced the institution to shut down its technology services to contain it.
- Research centres. Among the cyberattacks against the education sector that have been recorded in Spain, the incident suffered by the Spanish National Research Council (CSIC) in the summer of 2022 stands out due to the importance of the target and its impact. The attack, of Russian origin, paralysed the country’s largest research centre, which took a month to return to normality, causing enormous damage to its reputation and substantial financial losses.
- Vocational training centres. Vocational training is becoming increasingly important in Europe. Moreover, the centres where it is provided are increasingly digitised, as the attack on Basque centres showed. Furthermore, distance vocational training, whose business model relies entirely on the digital channel, has become more widespread in recent years.
2.2. Primary, secondary and non-regulated education
- Academies and training centres. Tele-education has become a very lucrative sub-sector where hundreds of companies operate, offering various courses through virtual classes and digital content.
- Institutes and schools. As evidenced by the UK report mentioned at the beginning of this article, secondary schools and primary schools are not spared from attacks. These entities, both public and private, have a more complex technological infrastructure than may appear at first glance and handle sensitive data on minors.
- School districts. Public schools are organised around school districts in the United States and Canada. As a result, many criminals do not directly attack a single school but target an entire school district. For example, a security incident involving the Clark County (Las Vegas) school district was made public in November: a ransomware attack that began with a student displaying his district email account and date of birth on TikTok. As a result, the personal data of 200,000 students was leaked.
3. Most typical types of attacks
What techniques do malicious actors use to perpetrate cyber attacks against the education sector? Essentially, the same main types of attack used against companies and public administrations in other sectors.
3.1. Social engineering
Social engineering campaigns have been at the forefront of the threat landscape against companies, citizens and public administrations for many years. With the advent of technologies such as generative AI, the design of phishing campaigns has become more sophisticated, aiming not to arouse victims’ suspicions and inducing them to provide personal data, make payments, download malware-infected files or access dangerous URLs.
In education, social engineering techniques can be used to gain access to teachers’, researchers’ or students’ computers, steal information, take control of devices and break into organisations’ networks to achieve criminal objectives.
CEO fraud can also be used against educational institution staff to commit large-scale financial fraud through fraudulent payments. For example, the North Dakota University System nearly suffered a more than $5 million scam in late October 2023. The fraudulent transactions were stopped at the last minute.
Another trend related to using social engineering techniques to carry out cyberattacks against the education sector is the generation of ghost students to access scholarships. In 2023 alone, thousands of ghost students enrolled in California community colleges to obtain Pell grants awarded by the US Department of Education were detected. To create these students, criminals steal the identities of real people.
3.2. Ransomware and other types of malware
As we have seen from some examples we have collected, ransomware attacks are one of the biggest threats facing educational organisations, from schools to universities.
Often, criminals combine social engineering techniques with the deployment of malware such as info-stealers to:
- Gain access to organisations’ systems.
- Scale and persist in them.
- Obtain student, employee or researcher data and strategic information.
- Encrypt and threaten organisations or citizens with leakage if a ransom is not paid.
3.3. DDoS attacks
While targeted denial-of-service attacks are more common against healthcare institutions, including university hospitals, they can also be used to prevent access to the websites and platforms of educational organisations.
Indeed, last year, criminal groups Killnet and AnonymousSudan, which focus on undermining Western companies and administrations, launched a DDoS attack against the websites of Australian airports, hospitals and universities.
But not only groups with experience and resources can launch such attacks. As noted above, the proliferation of DDoS-as-a-Service programmes makes it possible for thousands of malicious actors to launch denial-of-service attacks against the systems of educational institutions. So much so that even students under 12 have been able to bring their schools to a standstill.
Educational networks are also attractive to cybercriminals from the opposite side of a DDoS attack: the large number of systems they contain and their high-speed connections make them valuable infrastructure, so criminals infect machines on these networks and use them to launch DDoS attacks against other targets.
3.4. Supply chain attacks
As is evident, educational organisations do not use software developed solely by them but work with multiple vendors. This opens the door for them to fall victim to supply chain attacks.
Earlier, we mentioned a recent incident at Stanford University, but this institution also suffered a supply chain attack by the notorious Cl0p criminal group. The criminals exploited vulnerabilities in Accellion FTA, a file transfer application used by this organisation, as well as by universities in Colorado, Miami, California or Maryland. This attack enabled the criminals to steal data and extort money from organisations and students.
4. Targets of cyber-attacks against the education sector
Given what we have discussed in this article, we can conclude that the objectives of malicious actors carrying out cyber-attacks against the education sector are:
- To paralyse or hinder the activity of organisations. Many ransomware attacks force organisations to paralyse their systems to prevent expansion. In addition, the hijacking of critical information hampers academic and research activities. In some cases, normality is restored within hours. In others, recovering systems can take a vast amount of money and months of work.
- Hijacking personal data. An organisation that suffers a breach of personal information of its students, employees, donors, suppliers or partners suffers an immediate loss of reputation. In addition, the inability to access this kind of data can paralyse essential activities such as payroll. Malicious actors seek to make business out of organisations’ fear that data will be leaked on the Dark Web. In some cases, they even go so far as to threaten the individuals concerned directly.
- Using or trading information to launch new attacks. The creation of false or synthetic identities using personal identification data, such as ID numbers, social security numbers or driving licences, facilitates the execution of financial fraud. In addition, in some incidents, such as the summer cyber-attack at the University of Michigan, criminals can access financial information such as bank accounts or card numbers. This data can be exploited directly by malicious actors or traded on the Dark Web.
- Stealing and selling intellectual property. Universities and research centres continuously generate patents, intellectual property and knowledge of enormous value. Selling this kind of information can generate substantial revenue for criminals.
5. Cybersecurity, a strategic issue for educational organisations
What can educational organisations do to strengthen their defensive capabilities in the face of increasing cyber-attacks on the education sector, with severe economic and reputational consequences? Have cybersecurity services provided by teams of highly qualified professionals. What for? To optimise prevention, detection, mitigation, response and recovery activities and to increase defensive teams’ training level.
5.1. From security audits to incident response
- Regular audits of web security, mobile applications, IoT devices and cloud infrastructures to detect any weaknesses that could put the organisation at risk.
- Social engineering tests customised to the organisation’s characteristics and needs, aiming to train and raise staff awareness and to assess their maturity level in the face of this type of threat.
- DoS tests to check the organisation’s resilience to denial of service attacks against its systems.
- Red Team exercises that simulate ransomware attacks to improve the resilience of a university or research centre against them.
- Management of vulnerabilities in applications and technological infrastructure to reduce the cyber-exposure of an organisation and undertake the remediation of the vulnerabilities found.
- Proactive detection of emerging vulnerabilities that may affect the organisation’s digital assets.
- Deploying EDR or XDR technology that provides additional protection to endpoints and servers and enables proactive threat hunting on them.
- Incident response service to identify, contain and expel malicious actors, as well as to restore normality in the shortest possible time and ensure business continuity. In ransomware attacks, professionals identify the hijacked data and proceed to contain any information leakage.
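The ransomware chain described in section 3.2 (initial access, persistence, data theft, then encryption) and the proactive hunting on EDR/XDR telemetry mentioned above can be illustrated with a small detection heuristic. The script below is an added example written for this article; it is not code from any EDR product or from the organisations mentioned. It assumes a constructed, simplified file-event log format (timestamp, host, process, action, source path and, for renames, destination path) and flags any process that changes the extension of many files within a short window, which is the behaviour a ransomware simulation produces during the encryption phase. Thresholds, log format and sample events are all assumptions made for the example.

```python
"""Toy ransomware-behaviour hunt over constructed endpoint file-event logs.

Added example for this article; the log format, hosts, process names and
thresholds are assumptions, not telemetry from any real incident or product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events: "<timestamp> <host> <process> <action> <path> [<new_path>]".
# explorer.exe performs one benign extension change; update_helper.exe (a made-up name)
# renames six documents to a ".locked" extension within five seconds.
SAMPLE_EVENTS = r"""
2024-01-15T08:00:01 lab-pc-07 winword.exe WRITE C:\Users\ana\thesis\chapter1.docx
2024-01-15T08:00:05 lab-pc-07 explorer.exe RENAME C:\Users\ana\notes.txt C:\Users\ana\notes.md
2024-01-15T08:30:12 lab-pc-07 winword.exe WRITE C:\Users\ana\thesis\chapter2.docx
2024-01-15T09:12:00 lab-pc-07 update_helper.exe RENAME C:\Users\ana\thesis\chapter1.docx C:\Users\ana\thesis\chapter1.docx.locked
2024-01-15T09:12:01 lab-pc-07 update_helper.exe RENAME C:\Users\ana\thesis\chapter2.docx C:\Users\ana\thesis\chapter2.docx.locked
2024-01-15T09:12:02 lab-pc-07 update_helper.exe RENAME C:\Users\ana\grades.xlsx C:\Users\ana\grades.xlsx.locked
2024-01-15T09:12:03 lab-pc-07 update_helper.exe RENAME C:\Users\ana\exam_2024.pdf C:\Users\ana\exam_2024.pdf.locked
2024-01-15T09:12:04 lab-pc-07 update_helper.exe RENAME C:\Users\ana\budget.xlsx C:\Users\ana\budget.xlsx.locked
2024-01-15T09:12:05 lab-pc-07 update_helper.exe RENAME C:\Users\ana\notes.md C:\Users\ana\notes.md.locked
"""

WINDOW = timedelta(seconds=60)  # sliding window length (assumed)
THRESHOLD = 5                   # extension-changing renames per window that trigger an alert (assumed)


def parse_event(line):
    """Parse one constructed log line into a dict, or return None for blank/short lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "host": parts[1],
        "proc": parts[2],
        "action": parts[3],
        "src": parts[4],
        "dst": parts[5] if len(parts) > 5 else None,
    }


def changes_extension(src, dst):
    """True when a rename replaces the file extension (e.g. .docx -> .locked)."""
    if dst is None:
        return False
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def hunt(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, process) that performs >= threshold
    extension-changing renames inside any window-long period."""
    recent = defaultdict(deque)  # (host, process) -> timestamps of suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "RENAME":
            continue
        if not changes_extension(ev["src"], ev["dst"]):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "process": ev["proc"], "count": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {alert['host']} {alert['process']}: {alert['count']} extension changes "
              f"between {alert['first']} and {alert['last']}")
```

Run stand-alone, the script prints a single alert for `update_helper.exe`, while the one-off rename by `explorer.exe` stays below the threshold. In a real deployment the same logic would run over EDR file-event telemetry, and an alert of this kind is the trigger for the containment and data-identification steps described in the incident response bullet above.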
5.2. Protecting against the cheapening of attacks
All in all, cyber-attacks against the education sector have established themselves over the past few years as one of the most worrying trends in cyber-security.
Although universities and research centres are the most attractive targets for criminals, other smaller and less well-resourced public or private entities, such as schools or academies, are also targeted by malicious actors. This is mainly due to the bundling of attacks through as-a-service programmes, which have made attacks cheaper and more accessible for criminals without the knowledge and resources to execute them on their own.