“Ethical” hackers were able to access high-value data within two hours at every single UK university that they tested for security using spear phishing techniques, according to a report.
The study, published jointly by sector technology body Jisc and the Higher Education Policy Institute, warns that universities’ computer systems are increasingly being attacked by state-sponsored hackers and criminals, and that institutions are struggling to keep up with threats.
It discloses details of two large-scale state-sponsored attacks that occurred in 2018 and targeted universities’ valuable and commercially sensitive research data: one in which Iranian hackers affiliated to a criminal organisation called the Mabna Institute targeted institutions in a campaign dubbed “Silent Librarian”, and another in which “Stolen Pencil”, a North Korean group, targeted individual academics with emails designed to trick them into downloading a malicious extension to the Chrome web browser.
The report, published on 4 April, says that 173 higher education providers engaged with Jisc’s computer security incident response team during 2018, a 12 per cent increase on the previous year.
It raises particular concern about the rise of more sophisticated and better targeted “spear phishing” attacks, in which individuals are contacted with seemingly genuine requests for information using the names of senior members of staff. Even Jisc’s own chief executive and finance department have been targeted, the report says.
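The spear-phishing pattern the report describes, a message carrying a senior staff member's name in the display name while the actual address is external or otherwise wrong, can be caught with a simple header check at the mail gateway. The following is an added illustration written for this article, not code from Jisc or the report; the institution domain `example.ac.uk`, the senior-staff directory and the sample headers are all constructed assumptions.

```python
"""Flag inbound mail whose display name matches a senior staff member but whose
address or Reply-To does not belong to that person (VIP impersonation check)."""
import re
from email.utils import parseaddr

# Assumed institution domain and senior-staff directory (constructed, hypothetical).
INSTITUTION_DOMAIN = "example.ac.uk"
SENIOR_STAFF = {
    "Jane Smith": "j.smith@example.ac.uk",   # e.g. vice-chancellor
    "Ravi Patel": "r.patel@example.ac.uk",   # e.g. director of finance
}
TITLES = {"prof", "professor", "dr", "mr", "mrs", "ms", "sir", "dame"}


def normalise_name(name: str) -> str:
    """Reduce 'Prof. Smith, Jane' / '"Jane Smith"' to the key 'jane smith'."""
    name = name.strip().strip('"')
    if "," in name:                       # "Smith, Jane" -> "Jane Smith"
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    tokens = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in TITLES)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_internal(domain: str) -> bool:
    return domain == INSTITUTION_DOMAIN or domain.endswith("." + INSTITUTION_DOMAIN)


def assess(headers: dict) -> list:
    """Return a list of reason codes for a message's From/Reply-To headers."""
    display, addr = parseaddr(headers.get("From", ""))
    known = {normalise_name(n): a.lower() for n, a in SENIOR_STAFF.items()}
    reasons = []
    key = normalise_name(display)
    if key in known and addr.lower() != known[key]:
        # The name belongs to a VIP but the address is not the one on record.
        if is_internal(domain_of(addr)):
            reasons.append("vip-name-address-mismatch")
        else:
            reasons.append("vip-name-external-address")
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        # Replies would leave the visible sender's domain: classic redirection.
        reasons.append("reply-to-domain-differs")
    return reasons


# Constructed sample headers (not real messages).
SAMPLES = [
    {"From": '"Prof. Jane Smith" <jane.smith.vc@webmail.example.com>'},
    {"From": "Jane Smith <j.smith@example.ac.uk>"},
    {"From": '"Smith, Jane" <finance-office@example.ac.uk>',
     "Reply-To": "urgent-payments@webmail.example.com"},
    {"From": "Bob Jones <bob@other.example>"},
]


def assess_all(samples=SAMPLES) -> list:
    return [assess(h) for h in samples]


if __name__ == "__main__":
    for h, flags in zip(SAMPLES, assess_all()):
        print(h["From"], "->", flags or "ok")
```

The name match is deliberately loose (titles, punctuation and "Surname, Forename" order are normalised) because that is how impersonators write display names, while the address comparison is strict. In production the directory would come from the HR or identity system rather than a literal, and a hit would raise a banner or quarantine the message rather than silently drop it.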
Spear phishing was used as part of Jisc’s penetration testing service, which is carried out at the request of universities. Nearly 50 universities have been tested over 18 months. “Alarmingly”, the study says, the ethical hackers had a 100 per cent record of gaining access to a university’s high-value data within two hours, when spear phishing was used as part of the testing process.
They unlocked a wide range of data, including personal information about staff and students, financial records and research data, said John Chapman, head of Jisc’s security operations centre and the author of the report. It would be “disastrous if any of this information fell into the wrong hands”, he told Times Higher Education.
The study adds that more than 1,000 distributed denial of service attacks – which shut off access to data or networks – were launched against 241 different education and research institutions in 2018.
“Analysing the timings of these attacks has led Jisc to surmise that many of them are ‘insider’ attacks launched by disgruntled students or staff,” the report says.
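The report does not publish how Jisc analysed the timings, so the following is an added example of one heuristic a security operations team could apply to its own DDoS event log: compare the share of attacks that start on term-time weekdays during working hours with the share of the year's hours that such slots occupy. The term dates, working-hours window and the twelve attack timestamps are all constructed assumptions, not data from the report.

```python
"""Timing heuristic for a DDoS event log: do attack start times cluster in
timetabled hours (term-time weekdays, working hours) more than chance predicts?"""
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed, hypothetical term dates for one academic year (assumption).
TERMS = [
    (date(2018, 1, 8), date(2018, 3, 23)),
    (date(2018, 4, 16), date(2018, 6, 15)),
    (date(2018, 9, 24), date(2018, 12, 14)),
]
WORK_HOURS = range(9, 18)  # 09:00-17:59 local campus time (assumption)

# Constructed sample of attack start times (ISO 8601, local time), not real data.
EVENTS = [
    "2018-02-06T10:15:00", "2018-02-20T14:40:00", "2018-03-01T09:05:00",
    "2018-03-14T16:30:00", "2018-05-02T11:00:00", "2018-05-15T13:20:00",
    "2018-06-05T15:45:00", "2018-10-10T10:50:00", "2018-11-07T12:10:00",
    "2018-11-21T09:30:00", "2018-07-21T03:10:00", "2018-12-25T02:00:00",
]


def in_term(d: date) -> bool:
    return any(start <= d <= end for start, end in TERMS)


def is_timetabled(ts: datetime) -> bool:
    """True when the timestamp falls on a term-time weekday during working hours."""
    return in_term(ts.date()) and ts.weekday() < 5 and ts.hour in WORK_HOURS


def baseline_timetabled_hours(year: int):
    """Return (timetabled hours, total hours) for the year: the share an attacker
    with no connection to the timetable would be expected to hit by chance."""
    t, end = datetime(year, 1, 1), datetime(year + 1, 1, 1)
    timetabled = total = 0
    while t < end:
        total += 1
        timetabled += is_timetabled(t)
        t += timedelta(hours=1)
    return timetabled, total


def summarise(events=EVENTS, year: int = 2018) -> dict:
    """Observed share of attacks in timetabled hours versus the chance baseline."""
    stamps = [datetime.fromisoformat(e) for e in events]
    timetabled = sum(is_timetabled(ts) for ts in stamps)
    base_hours, total_hours = baseline_timetabled_hours(year)
    observed = timetabled / len(stamps)
    baseline = base_hours / total_hours
    return {
        "events": len(stamps),
        "timetabled": timetabled,
        "observed_share": observed,
        "baseline_share": baseline,
        "enrichment": observed / baseline,  # >1 means attacks follow the timetable
        "by_weekday": Counter(ts.strftime("%a") for ts in stamps),
    }


if __name__ == "__main__":
    for k, v in summarise().items():
        print(f"{k}: {v}")
```

An enrichment well above 1 says only that the attacks track the institution's own calendar, which is consistent with the report's inference about students and staff but does not prove it: booter services in the same time zone, or attacks timed to coincide with exams for maximum disruption, produce the same signal, so the timing view should be read alongside source attribution and helpdesk or disciplinary records before anyone is accused.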
The report says it is clear that UK higher education providers are not properly “equipped with adequate cybersecurity related knowledge, skills and investment”. A lack of dedicated staff and budgets was one reason why cybersecurity was insufficiently robust, and university leaders must “take the lead in managing cyber risk to protect students, staff and valuable research data from the growing threat of attack”, it says.
The report also suggests that the government look at the possibility of minimum cybersecurity and network requirements for the sector.
“Cyberattacks are becoming more sophisticated and prevalent, and universities can’t afford to stand still in the face of this constantly evolving threat,” Dr Chapman said. “While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cybersecurity knowledge, skills and investment.
“To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.”