Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Schools Face Spike in Cyberattacks From Nation-State Hackers
Microsoft Says North Korea and Iran Adopting New Tactics Against Education SectorSchools and universities across the United States are the target of sophisticated malware and phishing attacks from mounting threats ranging from cybercriminals chasing data to nation states including Iran and North Korea.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Threat actors have adopted new tactics such as creating fake companies to establish business relationships with educational institutions in order to access sensitive, regulated information - such as health records and financial data - maintained by K-12 and higher education organizations. With the school year well underway, Microsoft's threat intelligence division this month identified the education sector as the third-most targeted industry.
U.S. school systems are "on the front lines confronting how adversaries test their tools and their techniques," Microsoft said. According to the report, cyberthreats targeting the education sector are a growing concern not only in the United States but also in countries like the United Kingdom, where nearly 43% of higher education institutions report weekly breaches or cyberattacks.
The U.K.'s National Cyber Security Center announced on Tuesday that it would provide protective domain name system services for schools across the country as part of an effort to combat the growing threat of ransomware attacks.
Sarah Lyons, NCSC deputy director for economy and society, said in a statement the "PDNS for schools" plan "is part of a wider cybersecurity offer of guidance" and "complements - but does not replace - the safeguarding filtering measures that schools should already have in place" to prevent malware, ransomware and phishing attacks.
Experts warn that K-12 school districts are becoming prime targets for cyberattacks due to the vast amounts of data they store on students - data that can be weaponized for identity theft, fraud, or sold on the dark web, posing long-term risks to children's personal and financial security.
Gaining access to a school's records is like hitting the jackpot for attackers, according to Tom Ashley, education strategist for the information technology solutions firm CDW. Schools are more likely to pay ransoms to protect themselves and prevent further disruption, Ashley said.
"We do have valuable data, but unfortunately we also have probably the weakest cybersecurity protections of any industry," Ashley said Tuesday during a CDW panel on optimizing K-12 security, adding: "Our student's information is so valuable because it's pristine, clean data."
The Cybersecurity and Infrastructure Security Agency warned in September that schools are increasingly vulnerable to cyberattacks as well as physical security risks while facing "a scourge of anonymous threats of violence" (see: US CISA Releases Toolkit for Anonymous School Threats). The nation's cyberdefense agency recommended schools develop multidisciplinary threat assessment teams, establish adequate response protocols and implement training exercises for school faculty and staff.
Universities in the Crosshairs
Universities face an average of 2,507 cyberattack attempts per week, according to Microsoft, which said its own email security program has blocked over 15,000 emails per day targeting the education sector with malicious QR codes. The sector's vulnerabilities have been exacerbated in recent years by the rise in virtual and remote learning, which created new opportunities for threat actors to exploit security gaps, compromise sensitive information and launch targeted cyberattacks against educational institutions.
Microsoft said that email systems "offer wide spaces for compromise" for universities, which usually share a lot of announcements via email and generate a significant amount of noise in the system that creates a "fertile ground for cyberattacks." According to the report, unprotected artificial intelligence tools and systems on university campuses also create new entry points for cybercriminals into a school's infrastructure.
Financial institutions or other sectors may initially appear to be more attractive targets for cyberthreat actors, but threat actors find universities worthwhile targets for the intellectual property they nurture and potentially sensitive research data. Universities handle federally funded research and can work closely with the defense industry, meaning academic institutions are "epicenters of highly sensitive intellectual property," Microsoft said. It's often easier for threat actors "to first compromise somebody in the education sector who has ties to the defense sector" than targeting the higher value victim directly.
Microsoft has observed Iranian threat actors including Peach Sandstorm and Mint Sandstorm using password spray attacks against the education sector and sophisticated phishing attacks to breach the education sector and university networks.
Microsoft reported last year that Iranian hackers have gained sophistication following a Peach Sandstorm campaign of password spraying attacks targeting thousands of victims. A federal advisory published in August said Iranian government threat actors are responsible for ransomware attacks and cyberespionage campaigns against the public and private sectors in the U.S., including schools, financial institutions and healthcare facilities (see: Iranian Hackers Target US in Ransomware and Espionage Attacks).
Microsoft urged the education sector to maintain and scale core cyber hygiene practices through increased awareness and training. The company also recommended schools consider implementing free protective domain name services which help prevent ransomware and other cyberattacks.