Universities under cyber attack
This week, various media outlets have reported on the high number of cyber attacks suffered by UK universities.
Universities are of interest to a range of attackers. Highly skilled hacking groups conduct cyber espionage, seeking to acquire cutting-edge research and intellectual property in areas such as defence, energy, and artificial intelligence. Most academics have detailed web pages describing themselves and their research interests, giving attackers more material to use when crafting a convincing phishing email.
Meanwhile, universities are also subjected to indiscriminate phishing, ransomware and denial-of-service campaigns by cyber criminals. Criminals are also interested in stealing student data, and other personal data held by researchers, which they can abuse for identity fraud. There are some reports of cyber criminals specifically targeting universities.
A number of factors can make university networks particularly challenging to secure. Individual departments often design their systems independently to best suit local research requirements, and ‘bring your own device’ (BYOD) is ubiquitous, restricting the ability of central IT security teams to manage vulnerabilities, especially in the growing number of UK universities with overseas campuses. In addition, universities’ ethos of openness, and the role of networks in providing internet access for personal use as well as work, can make it harder to establish and maintain a robust security culture and awareness.
Security researcher Brian Krebs has drawn attention to a phenomenon whereby commentators seeking to expose social media manipulation and fake news are being targeted, and in an unusual way. Instead of more standard denial-of-service attacks against their websites, something which Krebs has previously experienced, he and other reporters covering this type of story are now finding that they have suddenly attracted suspiciously large numbers of new followers and retweets. This increase in activity creates a danger that their Twitter accounts could be suspended because of mechanisms introduced by the social media channel to clamp down on abuse.
There has been widespread media and finance sector reporting of Locky ransomware incidents following large spam runs in August. New variants have been seen in the wild, with campaigns directed at the UK. Locky ransomware uses various forms of social engineering to entice the unsuspecting victim to enable macros on their computer, which in turn download and execute the ransomware. The victim is then sent payment instructions. There is no free decryption tool and, currently, the ransom is 0.5 Bitcoin (approx. 1,800 GBP).
The NCSC has published guidance to help protect organisations against cyber attacks and reminds users to always be mindful of good cyber hygiene. Remember, don’t open attachments if you are unsure who has sent them, and be suspicious of pop-up messages.
We would like to encourage sharing of information, so please log in to the Cyber Security Information Sharing Partnership (CiSP) to upload your intelligence regarding Locky, and also to see the latest Indicators of Compromise shared amongst the community.
The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.