Talion Hub Insider Insight: Trending Cyber Threat Activity In Higher Education

Insider Insight: Trending Cyber Threat Activity In Higher Education

The global average cost of a cyber-attack against a Higher Education institution in downtime alone is estimated at an average of £3.1 million. Cybercriminals are aware of the extremely valuable information your institutions hold, such as Personal Identifiable Information (PII), and how this translates to revenue for them.

Last year, at least 58 educational institutes publicly reported a cyber-attack.

Unfortunately, we know this number to be drastically higher.

Espionage, Hacktivism, and intellectual property all make the Higher Education sector an extremely rewarding target for an adversary, making the sector one of the most targeted sectors when compared to all other sectors.

Talion’s Threat Intelligence Team therefore researches the Tactics, Techniques and Procedures (TTP’s) of these threat actors day in and day out, with key insights into the unique challenges of the Higher Education sector, to ensure you are aware of these growing risks before they occur and can take swift relevant action.

Download a full copy of Talion’s last Cyber Threat Analysis Report here.

5 Notable Events & Statistics From Our Threat Intelligence Team:

(that emerged across the Higher Education cyber landscape during the last quarter)

  • An Australian University was compromised by Royal ransomware - a strain known to make demands as high as $60 million
  • Xavier University students and employee’s data was leaked by Vice Society, after university officials refused to meet their demands
  • Vice Society has carried out more than 100 cyber-attacks around the world since it surfaced in mid-2021 - around 40 of those attacks have targeted the education sector
  • A college hit in September 2022, that failed to notify individuals whose personal information had be stolen until December 2022, has been hit with a $5 million class action lawsuit
  • More than a thousand detections of info stealers were reported between November and December across Higher Education institutes, leading the Ministry of Higher Education and Research to activate the Cyber Crisis Operational Cell, the National Agency for the Security Of Information and CERT-Renater

Top Active Threat Group This Quarter:


Affiliation: China

Active Since: 2012

Motives: Espionage

Mustang Panda, one of the more active APT groups across the threat landscape, has been associated with a number of large-scale campaigns that date as far back as 2012. The group consistently piggy-back on themed lures related to world events, which deploy the groups decoy documents.

Mustang Panda has recently utilised the Russia/Ukraine conflict as a guise to target the education sector in Europe. In this campaign, the groups attack chain has remained consistent, with the continued use of archive files, shortcut files, malicious loaders, and the use of PlugX malware. The groups also continue to target sensitive information that aligns with the Chinese government.

One interesting lure utilised by the group during this campaign, is a RAR file titled “Political Guidance for the new EU approach towards Russia.rar”. Once this archive is open, the victim will see a directory called “_” and a shortcut file named with the same politically themed lure.

The .LNK file uses a double file extension in an attempt to disguise the shortcut file as a document, in the hope the target would open it, executing the shortcut file. This use of double extensions has been utilised by Mustang Panda previously, to convince the target to execute the shortcut file.

The Mustang Panda attack chain is reliant on a DLL sideloading technique utilised in their previous campaigns. The threat actor plants both a legitimate executable and a payload alongside each other, a technique which is designed to take advantage of the search order of a program as soon as the legitimate application has been invoked.

Once the shortcut file is executed, the legitimate application will be launched, and the malicious DLL loader will also be invoked. In this campaign, the DLL loader uses the EnumSystemCodePagesW API to execute the shellcode within it. The purpose of the shellcode is to decrypt and execute the final malicious payload – PlugX – in memory.

2 Key Cybercriminal Tactics Used This Quarter:

  • Callback Phishing – the tactic returns.

Callback phishing is a social engineering attack that requires a threat actor to interact with the target to accomplish their objectives. The attack style is resource intensive but tends to have a high success rate.

The initial lure is usually a phishing email indicating the recipient’s credit card has been charged for a service. A PDF invoice is attached to the email which includes the phone number the recipient will need to call to rectify the issue. When the recipient calls the number listed in the attached PDF, they are routed to a threat actor-controlled call centre and connected to a live agent.

Under the guise of cancelling the subscription, the threat actor agent guides the caller through downloading and running a remote support tool to allow the attacker to manage the victim’s computer. The attacker then installs a remote administration tool to achieve persistence.

Discover more about the latest phishing techniques and the benefit of MPDR for managing alerts with Talion’s Ultimate Phishing Guide.

  • Raspberry Robin Update - the QNAP worm upgrades its capabilities.

 Many groups are now utilising Raspberry Robin to gain a foothold into target networks, including Evil Corp and Clop. The infection vector is predominantly delivered via a USB containing a malicious .LNK or .ZIP file. This file once clicked loads malicious code directing a .exe, which has the ability to download and execute an MSI installer from a command and control (C2) domain.

The primary objective of this download is to fetch additional executables and payloads, but in upgraded instances it is also able to profile its victim, enabling the attacker to deliver the appropriate payloads required. This involves collecting the host's UUID, processor name, attached display devices, and the number of minutes that have elapsed since system startup, along with the hostname and username information, data that is returned to an attacker controlled C2 server.

Talion’s Cyber Threat Analysis Report continues to offer unique insight into trending threat actor techniques, including specific examples of Higher Education cyber attacks and actionable mitigation recommendations.

To discover more, download your full Cyber Threat Analysis report here (updated quarterly).

Brought to you by