A recent Iranian state-sponsored hack exposes the flaws within higher education security practices.

University networks are in the spotlight after an Iranian company allegedly carried out a spear phishing campaign to access institutes around the world.

The US Department of Justice (DOJ) last month released a statement indicting nine individuals said to be involved in a state-sponsored attack aimed at acquiring intellectual property from 3,768 professors at American universities.

Hackers also allegedly targeted UK universities, as the National Cyber Security Centre (NCSC) stated it was “highly” confident that the Mabna Institute – a research firm linked to the Iranian Revolutionary Guard Corps – was “almost certainly responsible” for the attacks.

Sanctions were placed on the Mabna Institute after US authorities claimed it had been operating the campaign for the last five years.

“The hackers targeted innovations and intellectual property from our country’s greatest minds,” said US Attorney Geoffrey Berman, noting that targets spanned fields of academia, and that the prosecution was the largest the DOJ had ever taken against a government-led cyber-attack.

The cyber-attack raised concerns surrounding relations with Iran, but also drew attention to the levels of security within university networks, both in the US and UK, where it comes as little surprise that even the brightest minds can fall prey to such targeted scams.

It just serves as a reminder that security needs to be constantly evolving, says Dr Sarah Morris, who leads the GCHQ-certified Digital Forensics Unit at Cranfield University in the east of England.

“We actually had a phishing attack this morning,” she told The Daily Swig. “And because you have a lot of people who aren’t as tech-savvy at universities, there’s a lot of misconception about the devices that they’re using.”

The recent spear phishing intrusion, the DOJ indictment states, tricked professors into providing their login credentials through emails in which assailants posed as other professors interested in reading more of their work.

Links to the work in question were provided that, if clicked, directed victims to a malicious site resembling their university’s login page.

Universities are an easy target

According to a 2016 survey conducted by cloud service provider VMware, one in three universities in the UK alone experiences cyber-attacks on an hourly basis.

An additional report by the Times also highlights the situation, showing how the number of attacks on British universities doubled from 2015 to 2017.

On a vast university network, filled with sensitive personal information, confidential research and a constant flow of incoming students and active alumni, phishing and denial of service (DoS) attacks are the most common.

These can come from an individual who simply wants to show off a newly acquired skillset, but can also be attributed to malevolent actors who want access to specific types of material and, in rare cases, intend to change that material.

Dr Morris said that institutions should be training staff and students in all departments to be concerned about security.

“All our staff, for instance, are trained in knowing what a phishing email looks like,” she said. “You can see that these attacks are happening more and more if they think there needs to be a training policy put in place.”

But complicated passwords, firewalls and separate networks aren’t always enough, she explained, highlighting how security systems can only function properly if they’re subject to habitual monitoring.

“If you start making password policies too complicated, or requiring users to change them too often, you’ll see that they start to form patterns with how they’re creating the passwords,” she said.

“You’re looking to strike a balance between usability and good security, but once that system is in place, monitoring, updating and testing that system often doesn’t follow.”

Dr Morris added: “I think there should be a standard minimum, definitely. But in terms of what works, policy needs to be adapted or customized depending on the type of user and the environment that you’re dealing with.”