A 22-year-old University of Western Australia (UWA) masters of software engineering student appeared in a Perth magistrate’s court on September 1 on a charge of unlawfully using a computer and gaining or intending to gain a benefit.
UWA said there was no evidence that its 43,000 students’ details, including photos, names, addresses, phone numbers and grades that the accused allegedly had access to during the breach of the student information management system Callista, had been leaked or used. The perpetrator allegedly accessed the system using another student’s login without that student’s knowledge.
The case follows a cyber security attack on Deakin University in July. The education and training sector had the fifth highest number of reported cyber security incidents in the 2020-21 financial year, according to the Australian Cyber Security Centre (ACSC).
Globally, tertiary education and research was the most targeted industry this year, according to Check Point. It reported that the sector “had an average of 2,297 attacks against organisations every week in the first quarter of 2022, showing a 44 percent increase compared to the first quarter of 2021.”
We asked Australian managed security services providers for their view on the UWA incident and why universities are being targeted.
Sprawling ICT systems
Universities’ IT systems are easier targets for cybercriminals than other organisations that store valuable data, such as banks or government agencies, argued the MSSPs CRN contacted.
This is partly due to the complex and sprawling nature of universities’ ICT systems, pointed out Sekuro director of research and innovation Tony Campbell. He noted that “the attack surface is broad and often open in certain places, making them harder to protect against attacks.”
StickmanCyber chief executive officer Ajay Unni pointed out that “the shift to remote learning and remote work opened up thousands of access points via laptops, tablets and smartphones on networks not controlled by universities, making it harder for them to protect against a mistake or monitor usage.”
Universities are also in the difficult position of having to balance students’ and academics’ autonomy with enforcing security policies, pointed out Tesserent chief information officer Michael McKinnon.
“Maintaining the security of a student/academic network can be very difficult to achieve, and universities often cannot implement or enforce detailed IT policies because they must prioritise the freedom of academic research, so as not to stifle innovation – this is great for the mission of the educational institution but runs counter to maintaining effective control of security risks,” McKinnon said.
Industry & government links
Student and alumni data and intellectual property are obvious targets for cyber attackers. “Universities hold large amounts of valuable data on their students, faculty, service providers and other third parties. This includes sensitive information like addresses, tax file numbers, emails, phone numbers and even medical information that is extremely valuable to malicious actors,” Unni pointed out.
Compounding the risk is the fact that university data is often produced in partnership with government agencies and industry. Unni added that “many universities may be carrying out valuable research in critical areas like medicine and engineering with large data storages of valuable intellectual property that is highly sought after by other countries and competitors.”
For example, vaccine research has made universities targets, said Campbell. “During COVID-19, Australian universities were leading the charge on vaccine research and development and therefore making them even bigger targets for nation-state attacks.” For instance, hackers obtained data about Pfizer’s COVID-19 vaccine research from the European Union’s medical regulator, the European Medicines Agency, in late December 2020.
Lone wolves, ransomware gangs and state actors
Despite public concern about nation-state attackers, McKinnon argues it’s unlikely a state actor had any involvement in the recent attack on UWA or the one on Deakin University.
In McKinnon’s view, those incidents were unlike the “clearly sophisticated and targeted” 2018 attack on Australian National University, which exposed 19 years of data and was executed by a foreign actor, according to ASIO.
“As for what happened to Deakin University in July 2022, it is evident that their bad actor used information obtained from a breach (using the leaked password of an employee) that was leveraged by sending TXT message spam of a common variety, seemingly connecting the motivation in that case to typical global cybercriminal activity,” McKinnon said.
McKinnon said there was “some consistency on the vectors for attack – the technical mechanism that is used” in university data breaches.
Globally, most breaches in higher education were achieved using stolen credentials, closely followed by ransomware, ‘other methods’ and phishing, Verizon’s 2022 Data Breach Investigations Report found.
Unni said that the attack on Deakin, which was facilitated through a third-party vendor, was a reminder to organisations of “the significant risk of supply chain attacks.”
“These types of attacks are increasing at an exponential rate, as networks incorporate more third-party software,” Unni said.
“All businesses, organisations and institutes - both public and private - need to understand and acknowledge the risk of working with third-party vendors and put strategies in place, like covering cybersecurity in supplier contracts, to help mitigate risk.”