The UK’s NCSC has recently warned that hackers and state-sponsored cyber actors have stepped up their attacks against the world’s leading universities. UK universities are a popular target because of their expertise and the research funds they receive. The prize these actors seek is intellectual property and unpublished research, which is most valuable where it relates to cutting-edge work or to collaboration between academia and industry.

To illustrate the state-sponsored nature of these attacks, the Cobalt Dickens group operating out of Iran has been charged by the US Justice Department with targeting 140 universities located in 14 countries, including the United Kingdom. The indictment alleges that nine Iranians stole more than 31 terabytes of documents and data on behalf of the Iranian Government.

Universities not only hold valuable data; the university environment also plays into the hands of the cybercriminal as a reduced-risk target. For a start, each year brings new students and lecturers who have newly created access to parts of the university’s email system. Secondly, academia is founded on the principles of openness and the exchange of ideas. This culture of learning and sharing is exactly the environment in which sophisticated spear-phishing attacks succeed.
Phishing, when referring to email, is the umbrella term for a common tactic used to attempt to gain access to this intellectual property and unpublished research. But the word conjures up images of emails from Nigerian princes (aka 419 scams) and randomly targeted Netflix, PayPal and Amazon spoof emails. These are not very convincing unless the email happens by chance to line up with your life, and yet they do catch about 1-2% of people out this way.
The attacks we are talking about against universities come in a much more targeted form called spear phishing. These emails are crafted after extensive research has been done on the targeted individual or their support staff. The phishers will have learnt names, organisational structure and even workplace culture, including common acronyms.
Having done the research, the cyber actors set up web pages on low-cost shared hosting services to imitate the target’s login portal. They then send spear-phishing emails carrying a plausible story and links to these phishing landing pages, where users may be deceived into clicking the embedded links and entering their usernames and passwords on the fake login page. After capturing the credentials, the landing page redirects the user to the legitimate login page, so there is no indication of unusual activity and the user may simply believe they mistyped their password.
The state-sponsored actor will use TLS certificates so that the phishing pages show as secure in the web browser and appear more legitimate. By registering under low-cost top-level domains, it is easy for the actor to set up a new subdomain when a malicious one is blocked by the target organisation’s systems. This allows them to continue their campaign for longer and evade any mitigation the university attempts. Once the credentials have been captured and the victim is unaware of the compromise, the attacker can start to work through the university’s networks, introducing zero-day malware to search out and exfiltrate sensitive data. A network intrusion at this level is a stealthy affair, aiming to remain undetected for many months, with multiple back doors to regain access if the original breach is discovered.
Universities have multiple avenues to explore to discover what is being used against them. They should know which of their own subdomains the actors may try to spoof in phishing attempts, and system administrators should be able to recognise look-alike domains that appear legitimate but do not end in .ac.uk.
There are publicly available resources that can be used to monitor for newly registered domains masquerading as university subdomains. Cyber training for staff and students is another avenue that should be considered. However, for universities the logistics of setting up cyber training for faculty, staff and students would be immense.
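As an added example (not Egress code and not part of the original post), the check below shows how a university security team could run hostnames seen in reported emails or in a new-domain feed against its own domains and flag the spoofed-subdomain pattern described above; the university domain, the suffix list and the sample hosts are all constructed.

```python
import re

# Constructed: the registrable domains this fictional university actually owns.
UNIVERSITY_DOMAINS = {"exampleuni.ac.uk"}

# Small fixed list of two-label public suffixes; a production check would use
# the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"ac.uk", "co.uk", "org.uk", "gov.uk", "sch.uk", "com.au"}

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def hostname(url_or_host):
    """Lowercase hostname from a URL or bare host (scheme, path, query, port removed)."""
    s = _SCHEME.sub("", url_or_host.strip().lower())
    s = s.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return s.split(":", 1)[0].rstrip(".")


def registrable_domain(host):
    """Approximate eTLD+1: the part of the host that the registrant controls."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url_or_host):
    """'legitimate' if the registrable domain is ours, 'lookalike' if our name is
    embedded under a domain we do not own, otherwise 'unrelated'."""
    host = hostname(url_or_host)
    if registrable_domain(host) in UNIVERSITY_DOMAINS:
        return "legitimate"
    for owned in UNIVERSITY_DOMAINS:
        brand = owned.split(".", 1)[0]
        # e.g. login.exampleuni.ac.uk.cheap-host.example or exampleuni-login.xyz
        if owned in host or any(brand in label for label in host.split(".")):
            return "lookalike"
    return "unrelated"


def find_lookalikes(observed_hosts):
    """Reduce a feed of observed hostnames (certificate logs, new registrations,
    links from reported emails) to the ones worth blocking or reviewing."""
    return sorted(h for h in observed_hosts if classify(h) == "lookalike")


if __name__ == "__main__":
    # Constructed sample feed, not real observed domains.
    for host in find_lookalikes(["login.exampleuni.ac.uk", "exampleuni-login.xyz",
                                 "login.exampleuni.ac.uk.cheap-host.example",
                                 "webmail.exampleuni.co.uk", "www.another-uni.ac.uk"]):
        print("review:", host)
```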
At Egress, we believe that intercepting the threat as high up the kill chain as possible is the most effective way to prevent these cyber breaches. Email is the number one attack vector behind cyber breaches, but when Egress Defend is deployed it will alert on and stop the spear-phishing emails that bypass traditional systems. This not only prevents a user doing the wrong thing and causing the initial breach, but also gives system administrators the real-time intelligence to know that an active phishing campaign is under way against them. This extra warning time allows mitigation plans to be enacted and key personnel to be warned. It in turn shows regulators that rules, systems and cyber education are in place for staff.