Cyber-criminals are targeting UK university research in the hope of stealing valuable or secret intellectual property, according to the Times.
Freedom of Information requests revealed that more than 1,152 successful intrusions were made into university networks in 2016 alone, double the number recorded two years before. One unnamed institution recorded between 1,000 and 10,000 attempted attacks in a single month, most of which traced back to China, Russia and the Far East.
Details for Scotland’s universities have not been released, despite several high-profile incidents targeting Scottish organisations in recent months. According to a report published at the end of July by the Scotsman, over 60% of Scottish councils and 50% of Scotland’s health boards have been the subject of a cyber-attack since 2014.
During this same three-year period, 9 of Scotland’s 15 universities claimed that they had been hit by some form of cyber-intrusion.
According to more recent reports, thieves sought data and documents on university Research & Development projects including missiles, stealth fabrics used for camouflage and improved battery technology.
Hackers also sought medical records held by university hospitals, but the institutions in question declined to comment on the nature of this research. The Times speculated that thieves were most likely stealing the data on behalf of foreign interests, or looking to sell the potentially-valuable information to the highest bidder.
Ciaran Martin, Head of GCHQ’s National Cyber Security Centre, claimed that high-level attacks such as these “threatened national security.” He added that the UK has suffered 188 high-profile incidents this year, including attacks from Russian interests attempting to steal defence and foreign policy secrets.
Carsten Maple, Director of Cybersecurity Research at Warwick University, urged universities to tighten their cyber-defences: “Universities drive forward a lot of the research and development in the UK. Intellectual property takes years of know-how and costs a lot. If someone can get that very quickly, that’s good for them. Certainly somebody might attack a university and then provide that information to a nation state.”
He also claimed that national infrastructures are at equal risk: “What’s also increasing are cyber-physical attacks where our buildings are affected. Heating, ventilation and management systems are connected to the internet. That’s especially worrying for places like the health service.”
Ransomware, phishing and denial of service attacks were all deployed against university networks in 2016, in attempts to overload or siphon information from servers. The Freedom of Information requests found that in 2016 the University of Oxford had experienced 515 cases of unauthorised access to its accounts, while University College London suffered 57 successful attacks. The leader, however, was Queen Mary, University of London, which said it had blocked 38.75 million attacks over 2016.
He said to DIGIT: “Universities thrive on IP (Intellectual Property) and often have NDA and contractual agreements around their work. They are thus open to attack from malicious entities which might want to get source code or steal secrets. This could be used to gain an advantage for product development, but could obviously be used as a ransom (as we see with Game of Thrones).
“With GDPR there will be massive fines (up to 4% of global turnover), so we could see a rise in extortion, and where hackers go after sensitive data, such as from HR or student records, and breach systems, in order to offer a ransom for the recovery of the data. I have seen cases of ‘bounty hunters’ who have been probing academic systems, and then show us partial data, and offer a fee in order to reveal the true depth of the discovered data.
“Unfortunately, academic systems are rather more open than many corporate systems, so are, possibly, more open to intruders. Our firewalls are often open to a whole range of service ports, as there are many protocols that we run as part of teaching and research, but we can see a change where an increasing amount of network traffic will be tunnelled through whitelisted systems.”
Dr. Tine Munk, programme leader of the MSc in Cybercrime and Digital Investigation at the University of Middlesex, London, also noted that the stakes were higher when experimental research was concerned. Dr. Munk said: “Ground-breaking research is carried out by researchers at universities. It is possible to list many different scenarios where a cyber-attack can have a significant impact on research as well as affect the reputation of the university and the researchers. For example, confidential data about students, staff members and the university can be compromised or stolen and/or published.
“Research is a sensitive area. If the university’s internal system is hacked, it can have a major impact on research projects. If the hack is discovered, the project can fall apart as there would be a suspicion about the validity of the data; did the hackers get access to the research? Did the hackers compromise the data? Can the data reveal the identity of participants in the project? There are a number of concerns related to a hack. The worst-case scenario is if hackers change data, then the whole research project can be delayed or fall apart if it is discovered – or even worse, if it is not discovered it will have long term consequences. In this case, other academics and practitioners might base their knowledge or research on the damaged data. Imagine a ground-breaking cancer research being compromised? It is not only money and prestige that is at stake for the researchers and the university, but it will have unimaginable consequences for cancer patients.”
There are already moves afoot in Scotland to take a more proactive approach to data security. The University of Aberdeen is behind a new international project examining preventative measures which could stop people from downloading malware. The three-year £1 million initiative will investigate ‘persuasive technologies’ which disguise malware and make it more attractive for unsuspecting internet users. The project is backed by an investment of £756,000 from the UK Engineering and Physical Sciences Research Council (EPSRC), and has recognition from other universities in Europe, the US, Aberdeen City Council and National Grid.
Dr. Munk gave a fantastic overview of the security landscape, telling DIGIT: “Researchers know what is at stake and they are generally good at protecting their data. They are using encrypting software to protect their material and they back up their research on secure servers. Moreover, universities are providing researchers with a wide range of security software. However, when humans are involved, mistakes are likely to happen which unintentionally open the entire system to hackers. People forget to protect material or use older, not updated, security software.
“Currently, there is a growing number of spam and phishing emails circulated at universities. These email addresses are similar to the universities’ own email address. As a result, the emails do not look suspicious and therefore, emails are opened which can trigger compromising software. Universities are working hard to spread information about these spam/phishing emails as well as constantly updating the internal security system. Yet, there are other threats to the systems. For example, the whole idea of having unrestricted access can make the system more vulnerable to hackers; just as well as students and staff members using their own devices plugged into the university system constitutes a security risk.
“Staff members and students are being warned about the risk of phishing emails, data losses and other forms of disruption to internal systems. However, it is worrying that this trend of hacking universities is continuing to grow despite the efforts of the universities to keep these systems safe. The question is, do the users of the university’s internal system know enough about how to use the system safely? Do the users have enough information about the different threats they face? And do the users know enough about how they can avoid compromising the system? It is not enough just to warn the users; cyber security education should be a requirement for everyone before accessing the system for the first time. This training should be followed up on a regular basis. At the moment, there is not enough basic cyber awareness and education available about all the risks of using the university system.
“Nevertheless, it is not only the lack of security knowledge among students and staff members which can cause disruption. The Internet-of-Things is a new route for hackers to gain access to the university system. According to the Verizon 2017 Data Breach Digest, an unnamed university was attacked by 5,000 campus devices from its vending machines to light sensors, “and all IOT devices”. The IoT is an area which largely is unregulated and unprotected. Smart light bulbs, alarms, smart TVs, smart whiteboards, sensors, vending machines, are just a few examples of devices which are linked to the internet, but these devices are generally not considered to be dangerous. Instead, to monitor and manage a campus, everything from light bulbs to vending machines is connected to the network for ease of management and improved efficiency. What is often overlooked is that the IoT forms a similar threat to the university’s internal system as ordinary computing devices. Yet, the IoT is unprotected but interconnected to the internal system at universities – and hackers are aware of that.”