Higher educational institutions across the UK and Europe have been the target of an increasing number of cyber attacks in recent months. It’s unclear why universities and grant agencies have been targeted or whether the perpetrators have any motivation beyond financial gain. 

The UK’s National Cyber Security Centre (NCSC) has warned that there has been a rise in attacks on computer networks at UK educational institutions since late February. ‘There’s definitely some kind of ongoing campaign against educational and research establishments,’ says Alan Woodward, a computer scientist at the University of Surrey. ‘Nobody quite knows why.’

Woodward notes that there’s been a particular rise in ransomware attacks, which he suspects is probably conducted by multiple different gangs and is purely motivated by money rather than espionage. But states like North Korea are known to partake in ransomware attacks to generate hard currency and circumvent sanctions, he adds. 

Another potential reason that hackers are targeting universities might be that educational institutions are ‘rich pickings for intellectual property’, Woodward says. ‘If you can steal ideas right at the very beginning before their true worth has been identified and they’ve been put under appropriate protection, then you might be able to walk away with something of value and sell it on.’

‘Cyber criminals are always looking for targets with sensitive data and the education sector stores a wealth of personal and sensitive information,’ Rafay Baloch, an information security expert based in London, tells Chemistry World. ‘The avenues for monetisation of this data are enormous, ranging from extorting money through use of ransomware, to selling sensitive information on the dark web.’ 

Evolving threat

Over the years, ransomware attacks have changed, which means that getting rid of older systems and rebuilding them may not be enough, Woodward explains. That’s because hackers are increasingly stealing data and threatening to post it online unless a ransom is paid, he notes.  

A hack at the Dutch Research Council (NWO) in February led the funder to suspend services for more than a month. The NWO said the infamous cybercriminal gang DoppelPaymer was responsible for the attack and the agency declined to pay the ransom. 

Although it may be tempting, paying up can have ‘dire consequences’, Woodward says, as criminals who receive a ransom may return to blackmail once again, or the university or funder may be added to a list that is sold onto other cybercriminals. Law enforcement agencies usually strongly recommend refusing to pay. 

On 22 March, the NWO resumed services and hasn’t had any problems since. ‘Due to the hack several improvements (which were already planned for this year) have been implemented immediately, like an improved version of our virus scanner and renewed spam filter,’ an NWO spokesperson says. ‘Furthermore, our servers are monitored day and night by external specialists.’

Spike in attacks

Another incident occurred at the umbrella funding body UK Research and Innovation (UKRI) at the end of January. The agency, which has resumed the affected services, has since said no data was stolen and that it has made changes to its systems that ‘address the vulnerabilities that enabled the attack’.

Although it remains unclear who the culprits were, the UK’s National Crime Agency and the NCSC continue to investigate. The spike in cyber attacks may be due to the increased reliance on technology to conduct lessons online, Woodward adds. It may be that criminals realise that the stakes are high and educational institutions would be desperate to get their systems up and running immediately.

On 23 March, the NCSC released guidelines for educational establishments after a spike in recent ransomware attacks when the institutions were planning to welcome students back into the classroom after coronavirus restrictions were lifted in the UK. 

‘No organisation will ever be completely safe from cyber attacks, and it’s certainly a case of when not if,’ says Kate Edser, a spokesperson for Jisc, a non-profit that assists UK universities with IT network services and digital resources. ‘But there are measures universities and research centres can take to mitigate the risks and minimise the impact.’ For instance, the NCSC recommends a number of practical steps from enabling antivirus software to preparing tested offline back-up systems. 

A hack of a lab studying Covid-19 at the University of Oxford – one of several UK universities whose systems have been targeted – was discovered by the Wisconsin-based digital intelligence firm Hold Security in February when they spotted screenshots of graphs from the lab on the dark web. Alex Holden, the firm’s chief information security officer, says he was surprised not to instead see financial or marketable data being shared. According to Holden, the criminals who targeted the Oxford lab were operating out of Brazil and Columbia, communicating in Portuguese.

Woodward notes, however, that cybercriminals often set up shops in parts of the world where they aren’t based. ‘It’s very easy to obfuscate who it is that’s doing it,’ he says.