The National Cyber Security Centre today warned that the activities of nation-state hackers could cause long-term damage to UK universities, as persistent cyber attacks weaken the UK’s knowledge advantage, damage the value of research, and result in a fall in investment by the public or private sector.
In March last year, NCSC issued an advisory to UK universities, warning about the presence of dedicated hackers in the Mabna Institute based in Iran who were specifically targeting universities primarily for the purpose of intellectual property theft.
"The UK Government judges that the Mabna Institute based in Iran was responsible for a hacking campaign targeting universities around the world. By stealing intellectual property from universities, these hackers attempted to make money and gain technological advantage at our expense," said Lord Tariq Ahmad, the Foreign Office Minister for Cyber.
NCSC's statement came after nine employees at the Iranian institute were indicted in the United States for carrying out a global hacking campaign targeting TV company HBO.
A Freedom of Information request by The Times had also revealed that in 2016-17 alone, UK universities were targeted by as many as 1,152 phishing, DDoS, and ransomware attacks. Most of the attackers were interested in getting their hands on valuable research material, including research on novel fuels and efficient batteries, and on intellectual property that carries great value in the market.
State-sponsored attacks will gradually diminish the value of UK universities
In its latest advisory published this morning, the National Cyber Security Centre has warned UK universities that "state espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself", adding that there is a realistic possibility that "the threat will increase in-line with increased scrutiny of foreign direct investment and the minimising of other avenues to gain insight and advantage."
The cyber security watchdog noted that state-sponsored hackers target universities in the UK primarily to gain access to email accounts of faculties and other staff, to gain access to bulk personal information on staff and students, and to gain access to technical resources, sensitive research, and intellectual property.
Nation-state hackers are usually tasked with gaining access to and stealing advanced intellectual property research carried out by UK universities, as access to such research allows their sponsor nations to advance their own equivalent research efforts or their military or security apparatus.
If universities regularly lose their intellectual property and advanced research work to hackers, the value of the affected research and intellectual property will be damaged and, as a result, the universities' attractiveness, relevance and value will diminish over time.
In order to gain access to login credentials of university staffers, hackers are employing various methods such as creating fake websites and login pages to lure staffers into typing in their credentials, sending phishing emails to university staffers to trick them into sharing research material or credentials, and deploying sophisticated malware to gain access to digital systems used by UK universities to store and share their research work.
"While the methods employed by cyber criminals are constantly evolving, we assess that spear-phishing and social engineering are highly likely to remain the main attack vectors. Ransomware is likely to be the greatest single cause of disruption to staff, students and the universities themselves.
"Many of these acts are likely to incur additional damage to any university affected, whether reputationally or through fines levied under data protection legislation," NCSC said.
Strong access controls, educating staff & redesigning computer networks a must for universities
It added that in order to protect their intellectual property from falling into the hands of hackers, universities must inculcate good security awareness among staff and students as such education will enable them to detect phishing attacks.
At the same time, universities must implement security-conscious policies, strict access controls, and should partition high-value research to make it more difficult for attackers to find and steal sensitive data and information.
NCSC added that UK universities should also establish good security without impacting the ease with which information can be shared, or the diversity of what information can be accessed and should design their computer networks accordingly.
"Many university networks contain a collection of smaller, private networks, providing close-knit services for faculties, laboratories and other functions. The freedom this offers is balanced by the challenge it presents to protecting the data and information within.
"When maintained with minimal central oversight or adherence to security policy, private networks are likely more vulnerable to persistent infection or unauthorised access. However, this same segregation offers an opportunity to separate high-value or sensitive data and information, and apply a higher level of protection, without impacting the openness of the wider network," it added.
"The recommendations from the National Cyber Security Centre are spot on, but some universities will struggle to change outdated systems, gain control of digital files that are everywhere and open to everyone, and update information access to a least-privilege model," says Matt Lock, Technical Director at Varonis.
"Funding is one factor, but so is managing data in a collaborative academic environment in which information must be shared, turnover is steady, and attackers have countless tools and tricks up their sleeves to compromise systems. Attackers will continue to win until UK universities make data protection a priority," he adds.