Why UK Universities are spear phishing targets for state actors

Egress | 3rd Jun 2021

The UK’s NCSC (National Cyber Security Centre) has recently warned that hackers and state-sponsored cyber actors have stepped up their attacks against the world’s leading universities. UK universities are a popular target for these cybercriminals because of their expertise and the research funds they receive.

Why are universities targets for state actors?

To illustrate the state-sponsored nature of these attacks, the Cobalt Dickens group, operating out of Iran, has been charged by the US Justice Department with targeting 140 universities located in 14 countries, including the United Kingdom. The indictment alleges that nine Iranians stole more than 31 terabytes of documents and data on behalf of the Iranian Government.

The prize these cybercriminals seek to access is intellectual property and unpublished research. Cutting-edge research is highly valuable data to steal, especially when it involves collaboration between academia and industry. The university environment itself also plays into the hands of the cybercriminal as a target.

Academia is founded on the principles of openness and the exchange of ideas, and each year brings in thousands of new students and lecturers, all of whom receive newly created access to their university’s email system. This culture of learning and exchanging ideas is a good environment for sophisticated cyber-attacks such as spear phishing.

How do spear phishing attacks work?

Spear phishing is a targeted, more sophisticated form of phishing, and this is the form being increasingly deployed against universities. These emails have been crafted after extensive research has been carried out on the targeted individual or their support staff. The scammers use readily available online resources to learn names, organisational structures, and even aspects of workplace culture such as common acronyms.

Having done the research, the cybercriminals set up web pages hosted on low-cost shared hosting services to imitate the target’s login portal. The actor then sends the spear phishing emails with links to these fake landing pages. They’ll create a plausible story that encourages the recipient to click through and enter their usernames and passwords.

After capturing the credentials, these landing pages then redirect the user back to the legitimate login page, so there is no indication of unusual activity and the user may believe they mistyped their password. With the login credentials farmed, the cybercriminals can log in at will and exfiltrate any data they have access to.

The victim is unaware of the compromise, and the attacker can start to work through the university networks, introducing zero-day malware to search out and exfiltrate sensitive data from the university system. A network intrusion at this level is a stealthy affair, aiming to remain undetected for many months, with multiple back doors to regain access to the system if the original breach is discovered.

How can universities defend themselves?

The state-sponsored cybercriminals use TLS certificates to make their spoofed login pages appear more legitimate in the web browser. By using low-cost top-level domains, it’s easy for them to set up a new subdomain every time a malicious subdomain is blocked by the target organisation’s systems. This allows them to continue their campaigns for longer and evade any mitigation activity attempted by the university.

Universities do have avenues to explore and discover what is being used against them. A university should know which subdomains it has that the actors may try to spoof during their phishing attempts, helping system administrators to recognise any spoofed domains that do not end in ‘.ac.uk’.

There are publicly available resources that can be used to monitor for newly registered domains that masquerade as university domains or subdomains. Cyber training is another avenue that should be considered for staff and students. However, for universities the logistics of setting up cyber training for faculty, staff and students would be immense.
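As an added illustration, not Egress's code or any product, the check described above in Python: starting from the institution's own domains, it flags link hosts that reuse the university's name without belonging to its .ac.uk domain, and groups hits by registrable domain so that a rotated subdomain does not need a fresh block. The domain names, sample links and the short suffix list are constructed assumptions.

```python
from urllib.parse import urlparse

# The institution's own domains (constructed example values, not a real university).
LEGIT_DOMAINS = {"example-uni.ac.uk"}
# Distinctive name labels an attacker is likely to reuse, derived from those domains.
BRAND_LABELS = {d.split(".")[0].replace("-", "") for d in LEGIT_DOMAINS}
# Constructed subset of two-label public suffixes; a real deployment loads the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "org.uk"}

def registrable_domain(host):
    """Return the registrable domain (eTLD+1), e.g. 'example-uni.ac.uk' or 'badhost.net'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (ac.uk) before one-label ones (net)
        if len(labels) > n and (n == 1 or ".".join(labels[-n:]) in MULTI_LABEL_SUFFIXES):
            return ".".join(labels[-(n + 1):])
    return host.lower()

def classify(host):
    """Label a link host as 'legitimate', 'lookalike' or 'unrelated' and give its registrable domain."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate", reg
    # The page's check: the university's name appears in the host, but the host does
    # not actually belong to the institution's own .ac.uk domain.
    if any(label in host.replace("-", "") for label in BRAND_LABELS):
        return "lookalike", reg
    return "unrelated", reg

def triage(urls):
    """Group link hosts by registrable domain, so a rotated subdomain lands in an existing entry."""
    verdicts = {}
    for url in urls:
        host = urlparse(url).hostname
        if host:
            verdict, reg = classify(host)
            entry = verdicts.setdefault(reg, {"verdict": verdict, "hosts": set()})
            entry["hosts"].add(host)
    return verdicts

def blocklist(verdicts):
    """Registrable domains to block; blocking at this level survives subdomain rotation."""
    return sorted(reg for reg, v in verdicts.items() if v["verdict"] == "lookalike")

# Constructed sample links as they might appear in inbound university email.
SAMPLE_LINKS = [
    "https://login.example-uni.ac.uk/sso",
    "https://sso.example-uni-login.com/auth",
    "https://mail2.example-uni-login.com/auth",   # same campaign, rotated subdomain
    "https://example-uni.ac.uk.badhost.net/login",
    "https://newsletter.example-vendor.com/issue/12",
]
```

Running `blocklist(triage(SAMPLE_LINKS))` yields the two registrable domains to block; the legitimate `.ac.uk` host and the unrelated vendor domain are left alone.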

The Egress approach

At Egress, we believe that intercepting the threat as high up the kill chain as possible is the most effective way to prevent these cyber breaches. The email attack vector is the number one cause of cyber breaches. By deploying intelligent anti-phishing software such as Egress Defend, anyone using university email will be alerted to spear phishing emails that can easily bypass traditional systems.

This not only prevents a user from doing the wrong thing that causes an initial breach, but it also gives system admins the real-time intelligence to know that an active phishing campaign is taking place against them. This extra warning time allows cyber mitigation plans to be enacted and key personnel to be warned. This in turn shows regulators that rules, systems, and cyber education are available for staff.

Learn more about Egress Defend here. Or if you’d like to know more about the dangers of phishing, you can explore our dedicated information hub.