A 22-year-old University of Western Australia (UWA) software engineering student faced Perth Magistrates Court on September 1 charged with unlawfully using a computer and obtaining or intending to gain an advantage.
UWA said there was no evidence that details of its 43,000 students, including photos, names, addresses, phone numbers and notes that the accused had access to during the breach of the Callista student information management system, had been disclosed or used. The attacker allegedly accessed the system using another student's login without that student's knowledge.
The case follows a cyberattack against Deakin University in July. The education and training sector recorded the fifth highest number of reported cybersecurity incidents in the 2020-21 fiscal year, according to the Australian Cyber Security Centre (ACSC).
Worldwide, higher education and research was the most targeted industry this year, according to Check Point. It reported that the industry “averaged 2,297 attacks against organizations each week during the first quarter of 2022, showing a 44% increase from the first quarter of 2021”.
We asked Australian managed security service providers their views on the UWA incident and why universities are being targeted.
Sprawling ICT systems
University computer systems are easier targets for cybercriminals than other organizations that store valuable data, such as banks or government agencies, argued MSSPs contacted by CRN.
This is partly due to the complex and sprawling nature of university ICT systems, said Sekuro’s director of research and innovation, Tony Campbell. He noted that “the attack surface is wide and often open in some places, making them more difficult to defend against attacks.”
Managing Director of Stickman Cyber, Ajay Unni, pointed out that “the shift to remote learning and working has opened thousands of access points through laptops, tablets and smartphones on networks not controlled by universities, making it harder for them to protect against error or monitor usage.”
Universities are also in the difficult position of having to balance student and scholar autonomy with enforcement of security policies, said Michael McKinnon, Tesserent’s chief information officer.
“Maintaining the security of a student/academic network can be very difficult to achieve, and universities often cannot implement or enforce detailed IT policies because they must prioritize the freedom of academic research, in order not to stifle innovation – it’s great for the mission of the educational institution, but runs counter to maintaining effective security risk control,” McKinnon said.
Links with industry and government
Student and graduate data and intellectual property are obvious targets for cyber attackers. “Universities hold vast amounts of valuable data about their students, teachers, service providers and other third parties. This includes sensitive information such as addresses, tax file numbers, emails, phone numbers and even medical information which is extremely valuable to malicious actors,” Unni pointed out.
The risk is compounded by the fact that academic data is often produced in partnership with government agencies and industry. Unni added that “many universities can conduct valuable research in critical areas like medicine and engineering with large data stores of valuable intellectual property that are highly sought after by other countries and competitors.”
For example, vaccine research has made universities targets, Campbell said. “During COVID-19, Australian universities were leading the charge in vaccine research and development and therefore making them even bigger targets for attack by nation states.” For instance, hackers obtained Pfizer’s COVID vaccine research data from the European Union’s medical regulator, the European Medicines Agency, at the end of December 2020.
Lone wolves, ransomware gangs and state actors
Despite public concerns about nation-state attackers, McKinnon says it’s unlikely a state actor was involved in the recent attack on UWA or the one on Deakin University.
In McKinnon’s view, these incidents were different from the 2018 “clearly sophisticated and targeted” attack on the Australian National University, which exposed 19 years of data and was performed by a foreign actor, according to ASIO.
“Regarding what happened to Deakin University in July 2022, it is evident that their bad actor used information obtained from a breach (using an employee’s leaked password) that was exploited by sending a TXT message spam of a common variety, apparently linking the motivation in this case to typical global cybercriminal activity,” McKinnon said.
McKinnon said there was “some consistency about the attack vectors – the technical mechanism used” in the academic data breaches.
Globally, most higher education breaches have been carried out through the use of stolen credentials, followed closely by ransomware, “alternate methods” and phishing, the 2022 Verizon Data Breach Investigations Report found.
Unni said the attack on Deakin, which was facilitated by a third-party vendor, reminded organizations “of the significant risk of supply chain attacks.”
“These types of attacks are increasing at an exponential rate as networks integrate more third-party software,” Unni said.
“All companies, organizations and institutes – public and private – need to understand and recognize the risk of working with third-party vendors and put strategies in place, such as covering cybersecurity in vendor contracts, to help mitigate the risks.”