This guest blog has been kindly written for HEPI by Stuart Wiggins, who is Strategic Threat Advisor Europe for CrowdStrike, a leading firm in cybersecurity intelligence and services.
The academic sector faces a variety of security risks, ranging from physical threats to cyber adversaries targeting student data and other personally identifiable information, and it continues to be one of the most heavily targeted sectors from a cybersecurity perspective. In 2022, CrowdStrike, a global leader in cyber threat intelligence, observed the sector facing a number of targeted threats, such as ransomware and the abuse of IT user identities. These caused significant disruption at a number of institutions, including mission-critical systems being taken offline, and cases in which attackers used stolen credentials (e.g. usernames and passwords) to log into an institution’s systems and steal data with the intent of monetising it.
CrowdStrike categorises adversaries into three main groups: nation state actors; eCrime; and Hacktivists. In the education community, CrowdStrike has seen substantial eCrime activity as well as nation state operations, including those associated with China, the Democratic People’s Republic of Korea (DPRK) and Russia. Nation state actors tend to have geopolitical or financial motives and their methods involve disruption or espionage whereas eCrime actors are motivated by financial gain and tend to conduct data theft, extortion or fraud to achieve their mission.
Academia is of particular interest to nation state adversaries seeking to acquire non-public information, such as scientific research, to support espionage operations. For example, during 2022, CrowdStrike observed China-nexus adversaries using zero-day exploits to compromise entities in the academic sector. A full break down of the adversaries targeting the sector can be found on the CrowdStrike Global Threat Landscape pages.
However, it is eCrime adversaries that pose the most disruptive threat to the academic sector. During 2022, CrowdStrike observed almost 300 advertisements offering unauthorised access to academic institutions’ systems by groups known as access brokers, the highest of any industry vertical. As the name suggests, access brokers are cyber-threat actors who obtain a foothold in an organisation’s IT systems and then sell that access (typically working credentials or an established remote session) to other threat actors, including ransomware operators, to exploit. Demand for their services grew in 2022: across all sectors, more than 2,500 advertisements for system access were identified, a 112% increase compared with 2021.
Several brokers advertised accesses in bulk during 2022, while others continued to use the ‘one-access, one-auction’ technique. Methods used by access brokers remained relatively consistent this past year. A particularly popular tactic involves leveraging compromised credentials to gain access to an institution’s environment. These credentials are frequently acquired via information stealers or purchased in ‘log shops’ within the criminal underground.
The proliferation of compromised user credentials for sale from the academic sector facilitates a wide range of eCrime activity, almost all of it financially motivated. It does not take a particularly experienced threat actor to use the keys provided to them to essentially ‘walk through the front door’: a login with valid credentials looks, to most controls, like a legitimate user. The simple fact is that, with those keys in hand, the bar to conducting a disruptive attack is much lower.
Adversaries continue to modify their techniques to maximise their ability to extort money from victims. In 2022, CrowdStrike Intelligence observed a 20% increase in the number of adversaries conducting data theft and extortion campaigns without deploying ransomware at all. Whether the threatened data leak is combined with encryption (the ‘double extortion’ model) or used on its own, the prospect of stolen data being published is increasingly the lever that adversaries rely on to make victims pay.
Given the high financial costs, disruption to operations and reputational damage that ransomware and extortion attacks can cause, this is something the sector needs to address as a priority.
Over recent years, including 2022, CrowdStrike has continued to see an increase in the number of attacks that legacy technology solutions have failed to protect against. These attacks tend to be more difficult to detect, especially when they involve no malware or any other file that could be readily identified as malicious: an adversary logging in with stolen credentials leaves nothing for a file-based control to inspect, so the signal has to come from identity and behavioural data instead.
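The credential-abuse and malware-free points above are best seen on identity data itself. The following is an added example written for this post, not CrowdStrike code or anything from the original article: it checks a few constructed authentication events (JSON lines of the kind an identity provider or VPN gateway might emit; field names, device identifiers and the baseline are all assumptions) against a per-user baseline of known devices and countries, and applies an impossible-travel test. None of the logins involves a file, so a file-based control would see nothing; the detections come entirely from the identity context.

```python
"""Identity-based detection of stolen-credential logins (constructed example)."""
import json
import math
from datetime import datetime, timezone

# Constructed baseline of what each account normally looks like. In practice
# this would be built from, say, 30 days of successful logins.
BASELINE = {
    "alice": {"devices": {"dev-a1"}, "countries": {"GB"}},
    "bob":   {"devices": {"dev-b7"}, "countries": {"GB"}},
    "carol": {"devices": {"dev-c3"}, "countries": {"GB", "DE"}},
}

# Constructed successful-login events (field names are assumptions).
AUTH_LOG = """
{"ts": "2023-03-01T08:00:00Z", "user": "alice", "device": "dev-a1", "country": "GB", "lat": 51.5, "lon": -0.12}
{"ts": "2023-03-01T09:00:00Z", "user": "alice", "device": "dev-a1", "country": "NG", "lat": 6.45, "lon": 3.39}
{"ts": "2023-03-01T08:30:00Z", "user": "bob", "device": "dev-b7", "country": "GB", "lat": 53.48, "lon": -2.24}
{"ts": "2023-03-01T17:00:00Z", "user": "bob", "device": "dev-b7", "country": "GB", "lat": 53.48, "lon": -2.24}
{"ts": "2023-03-02T10:00:00Z", "user": "carol", "device": "dev-c3", "country": "DE", "lat": 52.52, "lon": 13.4}
{"ts": "2023-03-03T02:15:00Z", "user": "carol", "device": "dev-x9", "country": "US", "lat": 40.71, "lon": -74.0}
"""

# Roughly airliner speed; any account "moving" faster than this between two
# logins cannot be the same person.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON lines into events sorted by user and then by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def detect(events, baseline):
    """Return (user, timestamp, reason) for each login that breaks the baseline."""
    findings = []
    last_seen = {}  # user -> previous login, for the impossible-travel check
    for e in events:
        user = e["user"]
        known = baseline.get(user, {"devices": set(), "countries": set()})
        reasons = []
        if e["device"] not in known["devices"]:
            reasons.append("new device %s" % e["device"])
        if e["country"] not in known["countries"]:
            reasons.append("new country %s" % e["country"])
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append("impossible travel: %.0f km in %.1f h" % (km, hours))
        if reasons:
            findings.append((user, e["ts"].isoformat(), "; ".join(reasons)))
        last_seen[user] = e
    return findings


if __name__ == "__main__":
    for user, ts, reason in detect(parse_events(AUTH_LOG), BASELINE):
        print(user, ts, reason)
```

On the constructed data, alice’s second login is flagged for both a new country and impossible travel (London to Lagos in an hour), and carol’s last login is flagged for a new device and a new country but not for travel, since Berlin to New York in sixteen hours is plausible. Bob, logging in twice from the same place on a known device, generates nothing. A real deployment would feed the baseline from the identity provider’s own history and treat each reason as a score rather than a binary alert.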
As educational institutions move forward through 2023 and beyond, CrowdStrike recommends prioritising activities that will protect communities of students, faculty and staff. We recommend creating a culture in which the importance of cybersecurity is highlighted and prioritised, and in which appropriate investment is made in replacing legacy technology with modern systems that can protect at the same speed at which attackers operate in today’s environment. As evidenced by the chart below, it is important to respond to all adversary activity within an hour to ensure your organisation stays one step ahead.
Academic organisations should prioritise five key areas to help ensure they are prepared:

1. Gaining full visibility into the technology infrastructure, so that activity on every endpoint and account can be seen rather than only the malware that legacy tools look for.
2. Prioritising identity protection, since stolen credentials are the most common way into the sector.
3. Securing the investments made in cloud infrastructure.
4. Understanding the specific adversaries likely to target the academic sector, using tools such as threat intelligence and dark web monitoring (for example, to learn when an institution’s access is being advertised), which allows institutions to take a more proactive approach to managing cyber risk.
5. Practising how the organisation will respond in the wake of a cyber incident. This way, everyone in the organisation knows what to do, or who to call, when the need arises.
For further details of today’s cyber threat landscape, check out the CrowdStrike Adversary Universe (https://www.crowdstrike.com/adversaries/) to identify and learn more about the threat actors most likely to target your organisation.
Additionally, you can read first-hand observations from CrowdStrike’s frontline cyber responders and analysts in the 2023 CrowdStrike Global Threat report (https://www.crowdstrike.com/global-threat-report/).
Or, to discuss how CrowdStrike specifically approaches modern attack prevention, please contact Darryl Richardson, who is aligned to supporting the UK Education Sector: [email protected].