The UK's only independent think tank devoted to higher education.

Cyber threat actors are targeting UK universities. Are security teams prepared?

  • 14 June 2024
  • By Zeki Turedi
  • This HEPI blog was kindly authored by Zeki Turedi, Chief Technology Officer for Europe, the Middle East and Africa at CrowdStrike.

UK universities have been a consistent target of choice for cyber-attackers in recent years. They are particularly vulnerable institutions because of the large number of students and staff dispersed across campuses, which makes it difficult for small IT teams to track the thousands of endpoints, each of which is a pathway into the institution’s IT systems.

The top threat actors targeting the academic sector through intrusion activity – activity intended to gain and exploit unauthorised access to systems and data – have been reported to be hacktivists, China-nexus adversaries and eCrime actors. According to the same research from CrowdStrike, academia, along with technology and telecommunications, is one of the most targeted sectors for Linux-based interactive intrusion activity. And the problem is not confined to the UK: the threat has worsened in America, where China-nexus adversaries have used zero-day exploits to compromise entities in the academic sector.

Demystifying the adversary

To stop these adversaries, security teams at educational institutions must understand how they operate.

Adversaries are moving through environments faster than ever. The average eCrime breakout time – the time from initial compromise of one host to lateral movement to another – has dropped to 79 minutes, with the fastest recorded time being just seven minutes. eCrime threat actors are also finding more efficient ways to break in. Among them is the misuse of legitimate remote monitoring and management tools, which has increased by 312% since 2022.

VICE SPIDER is one eCrime adversary that has been recorded using hands-on-keyboard activity against organisations in the academic sector. Its compromises have involved multiple hosts across virtual desktop infrastructure (VDI), with the threat actor performing basic host reconnaissance: enumerating domain trusts with nltest, enumerating administrator permission groups, and testing connectivity to its outbound infrastructure.
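The reconnaissance chain described above is detectable because it produces a recognisable sequence of process launches on the host. The following added example (not CrowdStrike's code and not from the original post) runs simple detection logic over a constructed set of process-creation events in a Sysmon-like shape. nltest is the only tool the text names; the net/net1 group commands and the ping/nslookup/curl connectivity checks are assumed equivalents for the other two steps, and the host names, timestamps and IP addresses are invented.

```python
"""Detect the VICE SPIDER-style recon chain in process-creation telemetry.

Added example, not CrowdStrike's or HEPI's code. A host is flagged when at
least MIN_DISTINCT different reconnaissance techniques fire within WINDOW,
which separates a single benign 'net group' from an attacker working through
trusts -> admin groups -> outbound connectivity in a few minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Technique -> regex over the full command line. nltest is named on the page;
# the net/net1 and ping/nslookup/curl/certutil patterns are assumptions.
RECON_PATTERNS = {
    "domain_trust_enum": re.compile(
        r"\bnltest(\.exe)?\b.*/(domain_trusts|dclist|trusted_domains)", re.I),
    "admin_group_enum": re.compile(
        r"\bnet1?(\.exe)?\s+(group|localgroup)\s+\"?"
        r"(domain admins|enterprise admins|administrators)\"?", re.I),
    "outbound_connectivity": re.compile(
        r"\b(ping|nslookup|curl|certutil)(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=10)   # recon steps must fall inside this window
MIN_DISTINCT = 2                 # distinct techniques needed to raise a hit

# Constructed sample events (Sysmon Event ID 1 style, simplified fields).
SAMPLE_EVENTS = [
    {"host": "VDI-PC-017", "utc_time": "2024-03-11T09:14:02",
     "command_line": r"C:\Windows\System32\nltest.exe /domain_trusts"},
    {"host": "VDI-PC-017", "utc_time": "2024-03-11T09:14:40",
     "command_line": 'net group "Domain Admins" /domain'},
    {"host": "VDI-PC-017", "utc_time": "2024-03-11T09:16:05",
     "command_line": "ping -n 1 203.0.113.10"},
    {"host": "VDI-PC-017", "utc_time": "2024-03-11T09:20:00",
     "command_line": r"C:\Windows\explorer.exe"},
    # Single technique only: not enough on its own.
    {"host": "VDI-PC-031", "utc_time": "2024-03-11T09:30:00",
     "command_line": "net localgroup administrators"},
    # Second technique 25 minutes later: outside the window, so no hit.
    {"host": "VDI-PC-031", "utc_time": "2024-03-11T09:55:00",
     "command_line": "ping -n 1 203.0.113.10"},
]


def classify(cmdline):
    """Return the list of recon technique names a command line matches."""
    return [name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)]


def detect(events):
    """Return {host: sorted technique names} for hosts showing the chain.

    Events are grouped per host, sorted by time, and every event is tried as
    the start of a WINDOW-long sliding window.
    """
    by_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["utc_time"])
        for tech in classify(ev["command_line"]):
            by_host[ev["host"]].append((ts, tech))

    hits = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            techs = {tech for ts, tech in items[i:] if ts - t0 <= WINDOW}
            if len(techs) >= MIN_DISTINCT:
                hits[host] = sorted(techs)
                break
    return hits


if __name__ == "__main__":
    for host, techs in detect(SAMPLE_EVENTS).items():
        print(f"{host}: recon chain {techs}")
```

The window and the distinct-technique threshold are the two knobs worth tuning: a helpdesk script that runs `net localgroup administrators` on every logon should never trip this on its own, while the trusts-then-admins-then-egress sequence within minutes on a VDI host is exactly the hands-on-keyboard pattern described above.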

Threat actors are also becoming cloud experts, often knowing as much about cloud environments as the organisations that run them, or more. As security teams adopt more cloud-based technologies, adversaries are becoming more adept at exploiting misconfigurations and abusing cloud management tools. Adversaries are exploiting the cloud more than ever: there has been a 95% rise in cloud exploitation and a 160% increase in credential theft via cloud instance metadata APIs – the local endpoint on a cloud host that hands out the temporary credentials for the role attached to that host, which an attacker who gains code execution or a server-side request forgery on the host can read and reuse from anywhere.
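Credentials lifted from an instance metadata API look legitimate to the cloud provider, so the useful signal is where they are used from rather than what they do. The following added example (not CrowdStrike's code and not from the original post) runs that check over constructed CloudTrail-style records: it picks out sessions minted from an EC2 instance profile (the session name is the instance ID), flags any such session used from an IP outside the networks those instances are expected to egress from, and separately flags credentials obtained through IMDSv1, which lacks the session-token step that blocks the simplest SSRF-based theft. The account ID, role names, instance IDs, IP ranges and events are invented; the `ec2RoleDelivery` field is a real CloudTrail attribute, but its presence in the sample records is constructed.

```python
"""Flag EC2 instance-profile credentials used from unexpected networks.

Added example, not CrowdStrike's or HEPI's code. Input is a constructed list
of CloudTrail-like records. Two findings are produced:
  - instance_role_used_outside_expected_network: the classic sign that
    credentials were read from the metadata API and replayed elsewhere;
  - credentials_delivered_via_imdsv1: weaker posture, worth fixing before
    it becomes the first finding.
"""
import ipaddress
import re

# Assumed: the VPC range and NAT egress address the fleet legitimately uses.
EXPECTED_EGRESS = [ipaddress.ip_network(n)
                   for n in ("10.20.0.0/16", "198.51.100.7/32")]

# Instance-profile sessions carry the instance ID as the session name.
INSTANCE_SESSION = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

# Constructed sample records (trimmed to the fields the detector reads).
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-11T09:10:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.20.4.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/vdi-broker-role/i-0abc123def4567890",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    # Same instance role, now used from an address outside the fleet.
    {"eventTime": "2024-03-11T09:42:13Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/vdi-broker-role/i-0abc123def4567890",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    # Legitimate network, but credentials came via IMDSv1.
    {"eventTime": "2024-03-11T10:05:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/research-storage-role/i-0fedcba9876543210",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    # A human user and a human-assumed role: out of scope for this check.
    {"eventTime": "2024-03-11T10:06:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-03-11T10:07:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/research-storage-role/alice-session"}},
]


def instance_session(record):
    """Return (role, instance_id) for instance-profile sessions, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = INSTANCE_SESSION.match(ident.get("arn", ""))
    return (m.group(1), m.group(2)) if m else None


def outside_expected_network(source_ip):
    """True when the source is a routable IP not in EXPECTED_EGRESS.

    CloudTrail records service-initiated calls with a DNS name (for example
    'ec2.amazonaws.com') rather than an IP; those are not flagged here.
    """
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return not any(ip in net for net in EXPECTED_EGRESS)


def detect(records):
    """Return a list of finding dicts in record order."""
    findings = []
    for r in records:
        sess = instance_session(r)
        if sess is None:
            continue
        role, instance = sess
        base = {"time": r["eventTime"], "event": r["eventName"],
                "role": role, "instance": instance,
                "source_ip": r["sourceIPAddress"]}
        if outside_expected_network(r["sourceIPAddress"]):
            findings.append({**base, "reason": "instance_role_used_outside_expected_network"})
        delivery = r["userIdentity"].get("sessionContext", {}).get("ec2RoleDelivery")
        if delivery == "1.0":
            findings.append({**base, "reason": "credentials_delivered_via_imdsv1"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f['time']} {f['reason']}: {f['role']} ({f['instance']}) "
              f"called {f['event']} from {f['source_ip']}")
```

The first finding is the one that matters during an incident: an instance profile should only ever be used from the instance it belongs to, so a call from outside the fleet's egress addresses means the credentials have left the host. The IMDSv1 finding is a posture check; requiring IMDSv2 (session tokens with a hop limit) on the instances removes the easiest metadata-API theft path.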

The University of Westminster

Established in 1838, the university now enrols over 19,000 students from 169 nations, offers many of them placements with almost 200 organisations throughout the UK, and employs more than 2,000 people.

In 2021, the university faced a cyber threat landscape that was changing dramatically during the COVID-19 pandemic. Its serious security challenges included a high risk of reputation-damaging ransomware attacks, a lack of 24/7 threat detection and response, a reactive security posture caused by capacity constraints, and no unified visibility across its different operating systems.

Because of the prohibitive cost of building an in-house security operations centre (SOC) and the additional staffing burden that a 24/7 security operation entails, the university’s security leaders found the managed detection and response (MDR) service model appealing, and resilient enough to meet the university’s existing and future cybersecurity needs.

The University of Sunderland

Worryingly, in the same year the University of Sunderland suffered a cybersecurity breach. External security teams determined that an individual’s login credentials had been compromised, giving the attacker access to a specialist learning environment from which they moved laterally to other systems. The endpoint solution from a native OS security vendor that was in place during the attack failed to stop the breach. This is an all-too-common occurrence.

The incident demonstrated that adversaries were using identity-based attacks to bypass legacy security solutions. Increasingly, these adversaries use a compromised endpoint as a perch from which to pivot into cloud infrastructure. By unifying endpoint, identity and cloud protection in a single platform, the university now has managed protection across each step of an adversary’s attack path.

Sam Seldon, Data Protection Officer at the University of Sunderland, said: “We have a duty to protect not just our infrastructure but our people as well. Our senior leaders are on social media and websites where adversaries are actively hunting for their information. For these executives, a compromise in life could lead to a compromise at work.”

Are security teams prepared?

The questions universities need to ask their teams and security partners are, “Have we become faster at identifying, investigating, and remediating today’s threats? Can we detect an adversary in seven minutes or even seven hours? Have we identified new potential vulnerabilities given the adversary landscape has changed? Are we sharing our knowledge with the ecosystem to ensure other educational institutions don’t fall victim?”

A comprehensive cybersecurity strategy is essential in today’s connected world, especially for organisations with as many endpoints as education institutions. Securing an organisation’s digital assets has the obvious benefit of reducing the risk of loss, theft or destruction, and of reducing the likelihood of having to pay a ransom to regain control of data or systems. Inaction could lead to a catastrophic breach, where the reputational damage would be as concerning as the loss of sensitive data.
