Weekly Threat Report 8th September 2017

Created:  08 Sep 2017
Updated:  08 Sep 2017
We would like your feedback on the Weekly Threat Report. Please send us your thoughts, suggestions and queries using our 'Contact Us' page.
This report is drawn from recent open source reporting.

Universities under cyber attack

This week, various media outlets have reported on the high number of cyber attacks suffered by UK universities.

Universities are of interest to a range of attackers. Highly skilled hacking groups conduct cyber espionage, seeking to acquire cutting-edge research and intellectual property in areas such as defence, energy, and artificial intelligence. Most academics have detailed web pages describing themselves and their research interests, giving attackers more material to use when crafting a convincing phishing email.

Meanwhile, universities are also subjected to indiscriminate phishing, ransomware and denial-of-service campaigns by cyber criminals. Criminals are also interested in stealing student data, and other personal data held by researchers, which they can abuse for identity fraud. There are some reports of cyber criminals specifically targeting universities.

A number of factors can make university networks particularly challenging to secure. Individual departments often design their systems independently to best suit local research requirements, and ‘bring your own device’ (BYOD) is ubiquitous, restricting the ability of central IT security teams to manage vulnerabilities, especially in the growing number of UK universities with overseas campuses. In addition, universities’ ethos of openness, and the role of networks in providing internet access for personal use as well as work, can make it harder to establish and maintain robust security culture and awareness.

Twitter bots

Security researcher Brian Krebs has drawn attention to a phenomenon whereby commentators seeking to expose social media manipulation and fake news are being targeted – and in an unusual way. Instead of more standard denial-of-service attacks against their websites, something which Krebs has previously experienced, he and other reporters covering this type of story are now finding that they have suddenly attracted suspiciously large numbers of new followers and retweets. This increase in activity results in a danger that their Twitter accounts could be suspended because of mechanisms introduced by the social media channel to clamp down on abuse.

Locky ransomware

There has been widespread media and finance sector reporting of Locky ransomware incidents following large spam runs in August. New variants have been seen in the wild, with campaigns directed at the UK. Locky ransomware uses various forms of social engineering to entice the unsuspecting victim to enable macros on their computer, which in turn download and execute the ransomware. The victim is then sent payment instructions. There is no free decryption tool and, currently, the ransom is 0.5 Bitcoin (approx. 1,800 GBP).

The NCSC has published guidance to help protect organisations against cyber attacks and reminds users to always be mindful of good cyber hygiene. Remember, don’t open an attachment if you are unsure who has sent it, and be suspicious of pop-up messages.

We would like to encourage sharing of information so please log in to the Cyber Security Information Sharing Partnership (CiSP) to upload your intelligence regarding Locky, and also to see the latest Indicators of Compromise shared amongst the community.


The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.

Join CiSP
