Ethical hackers testing the security of university networks found they were able to breach networks and access high-value data in under two hours in every single penetration test they performed.
Almost 50 universities across the UK took part in the test, and ethical hackers working on behalf of the Higher Education Policy Institute (HEPI) and Jisc, a not-for-profit digital support service for higher education, were able to use spear-phishing attacks to gain access to sensitive information.
In some cases, it was possible in under an hour; in others, universities were compromised across multiple campuses.
Penetration testers were able to gain domain-level administrator access, giving them control of systems across the network. That enabled access to personal information about students and staff, financial records, and even databases and networks containing sensitive research data.
A common tactic in spear-phishing attacks targeting universities is for cyber criminals to spoof an email to look as if it comes from a senior member of staff and send it to people they're known to work closely with. These messages will send victims to websites that attempt to steal credentials, or contain attachments which will drop malware.
The public-facing nature of universities often means it's easy for cyber criminals to conduct reconnaissance on the departments they're targeting, as staff will be listed on the university website.
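The spoofing pattern described above (a senior staff member's name on a message that actually comes from an outside mailbox, a Reply-To that diverts answers elsewhere, or a macro-enabled attachment) leaves traces in the message headers that a mail gateway or SOC analyst can check. The following is an added example written for this page, not code from Jisc, HEPI or the report; the staff directory, the domain example.ac.uk, the sender addresses and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of senior staff whose names are likely to be spoofed.
# Assumed: the institution's own mail domain is example.ac.uk.
INTERNAL_DOMAIN = "example.ac.uk"
SENIOR_STAFF = {
    "Professor Jane Smith": "j.smith@example.ac.uk",
}
# Attachment types that commonly carry droppers in phishing campaigns.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm")


def analyse_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name of a known senior staff member but a different address:
    #    the classic "looks like the vice-chancellor" lure.
    expected = SENIOR_STAFF.get(name)
    if expected and addr != expected.lower():
        findings.append("display-name-spoof")

    # 2. Reply-To diverts replies away from the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to-mismatch")

    # 3. Message claims to be from our own domain but the gateway's
    #    Authentication-Results show no SPF/DKIM pass (missing counts as a fail).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if domain == INTERNAL_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal-domain-auth-fail")

    # 4. Attachments with extensions typical of malware droppers.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{filename}")

    return findings


# --- Constructed sample messages (not real traffic) ---------------------------
SPOOF_DISPLAY_NAME = """\
From: "Professor Jane Smith" <vc.office@webmail.example>
To: a.lecturer@example.ac.uk
Reply-To: vc.office.reply@webmail.example
Subject: Urgent: grant paperwork
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached form today.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="form.docm"
Content-Disposition: attachment; filename="form.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SPOOF_INTERNAL_DOMAIN = """\
Authentication-Results: mx.example.ac.uk; spf=fail smtp.mailfrom=example.ac.uk; dkim=none
From: "Professor Jane Smith" <j.smith@example.ac.uk>
To: finance@example.ac.uk
Reply-To: finance-urgent@webmail.example
Subject: Change of supplier bank details

Please update the payee details on the attached invoice.
"""

LEGIT = """\
Authentication-Results: mx.example.ac.uk; spf=pass smtp.mailfrom=example.ac.uk; dkim=pass
From: "Professor Jane Smith" <j.smith@example.ac.uk>
To: a.lecturer@example.ac.uk
Subject: Senate agenda

Agenda for Thursday attached to the shared drive as usual.
"""

if __name__ == "__main__":
    for label, sample in [("display-name spoof", SPOOF_DISPLAY_NAME),
                          ("internal-domain spoof", SPOOF_INTERNAL_DOMAIN),
                          ("legitimate", LEGIT)]:
        print(f"{label}: {analyse_message(sample)}")
```

Each check on its own is noisy (a genuine message can legitimately set a different Reply-To), so in practice the findings would feed a score or a quarantine rule together with the gateway's own SPF/DKIM/DMARC verdicts rather than block outright; the display-name check is the one most directly aimed at the "email from a senior member of staff" lure the article describes.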
The findings have been laid out in a research paper and it comes following a series of high-profile hacking campaigns targeting universities over the course of the last year.
A North Korean advanced persistent threat group targeted individual academics with spear-phishing emails designed to trick them into downloading a malicious Google Chrome extension, while last summer an Iranian hacking operation was detected targeting universities around the world in an effort to steal intellectual property.
"Cyberattacks are becoming more sophisticated and prevalent and universities can't afford to stand still in the face of this constantly evolving threat," said Dr John Chapman, head of Jisc's security operations centre and the author of the report.
"While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment. To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences."
The report lists a number of things universities should do to help protect their networks from attacks. They include knowing where data is stored and who has access to it, and ensuring systems and software are patched and up to date to prevent attackers from exploiting known vulnerabilities.
It's also recommended that staff and students be trained in security awareness to help them spot phishing emails, and that they be told how to report suspicious incidents or suspected attacks.
Jisc also recommends that universities should be performing regular vulnerability scans and that an incident response plan should be in place, should the worst happen.
"Universities are absolutely reliant on connectivity to conduct almost all their functions, from administration and finance to teaching and research. These activities accrue huge amounts of data; this places a burden of responsibility on institutions, which must ensure the safety of online systems and the data held within them," said Professor David Maguire, chair of Jisc and vice-chancellor of the University of Greenwich.
"Developing strong cybersecurity policies is vital, not only to protect data, but also to preserve the reputation of our university sector," he added.