ÁñÁ«ÊÓƵ

Hackers breach UK university defences ¡®within two hours¡¯

<ÁñÁ«ÊÓƵ class="standfirst">Report discloses attack by North Korean and Iranian-sponsored criminals on UK higher education institutions
April 4, 2019
Boy hunting underwater
Source: Alamy

¡°Ethical¡± hackers were able to access high-value data within two hours at every single UK university that they tested for security using spear phishing techniques, according to a report.

The , published jointly by sector technology body Jisc and the Higher Education Policy Institute, warns that universities¡¯ computer systems are increasingly being attacked by state-sponsored hackers and criminals, and that institutions are struggling to keep up with threats.

It discloses details of two large-scale state-sponsored attacks that occurred in 2018 and targeted universities¡¯ valuable and commercially sensitive research data: one in which Iranian hackers affiliated to a criminal organisation called the Mabna Institute targeted institutions in a campaign dubbed ¡°Silent Librarian¡±, and another in which ¡°Stolen Pencil¡±, a North Korean group, targeted individual academics with emails designed to trick them into downloading a malicious extension to the Chrome web browser.

The report, published on 4 April, says that 173 higher education providers engaged with Jisc¡¯s computer security incident response team during 2018, a 12?per cent increase on the previous year.

ÁñÁ«ÊÓƵ

ADVERTISEMENT

It raises particular concern about the rise of more sophisticated and better targeted ¡°spear phishing¡± attacks, in which individuals are contacted with seemingly genuine requests for information using the names of senior members of staff. Even Jisc¡¯s own chief executive and finance department have been targeted, the report says.

Spear phishing was used as part of Jisc¡¯s penetration testing service, which is carried out at the request of universities. Nearly 50 universities have been tested over 18 months. ¡°Alarmingly¡±, the study says, the ethical hackers had a 100?per cent record of gaining access to a university¡¯s high-value data within two hours, when spear phishing was used as part of the testing process.

ÁñÁ«ÊÓƵ

ADVERTISEMENT

They unlocked a wide range of data, including personal information about staff and students, financial records and research data, said John Chapman, head of Jisc¡¯s security operations centre and the author of the report. It would be ¡°disastrous if any of this information fell into the wrong hands¡±, he told Times Higher Education.

The study adds that more than 1,000 distributed denial of service attacks ¨C which shut off access to data or networks ¨C were launched against 241 different education and research institutions in 2018.

¡°Analysing the timings of these attacks has led Jisc to surmise that many of them are ¡®insider¡¯ attacks launched by disgruntled students or staff,¡± the report says.

The report says it is clear that UK higher education providers are not properly ¡°equipped with adequate cybersecurity related knowledge, skills and investment¡±. A lack of dedicated staff and budgets was one reason why cybersecurity was insufficiently robust, and university leaders must ¡°take the lead in managing cyber risk to protect students, staff and valuable research data from the growing threat of attack¡±, it says.

ÁñÁ«ÊÓƵ

ADVERTISEMENT

The report also suggests that the government look at the possibility of minimum cybersecurity and network requirements for the sector.

¡°Cyberattacks are becoming more sophisticated and prevalent, and universities can¡¯t afford to stand still in the face of this constantly evolving threat,¡± Dr Chapman said. ¡°While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cybersecurity knowledge, skills and investment.

¡°To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.¡±

anna.mckie@timeshighereducation.com

Register to continue

Why register?

  • Registration is free and only takes a moment
  • Once registered, you can read 3 articles a month
  • Sign up for our newsletter
Register
Please Login or Register to read this article.
<ÁñÁ«ÊÓƵ class="pane-title"> Related articles
<ÁñÁ«ÊÓƵ class="pane-title"> Sponsored
<ÁñÁ«ÊÓƵ class="pane-title"> Featured jobs
ADVERTISEMENT