The Education sector in the US has been relentlessly targeted by cybercriminals over the past 2-3 years. Attacks grew both in frequency and the damage they caused as classes moved online in 2020, (following the beginning of the Covid-19 pandemic) and massive volumes of data were made accessible to students, teachers and administrators over the internet. Cybercrime in the sector continued to increase after the worst phases of the pandemic were over. According to cyber-attack trend data released by Check Point Research, the education sector was the most attacked globally in 2022. Educational institutions as a whole were hit by 2,314 attacks per week – an increase of 43 percent over the previous year.

Attacks against colleges in the US in 2023

In 2023 alone, the Tennessee State University in Nashville, Lewis & Clark college, the Southeastern Louisiana University, Rice University in Houston, Georgia Tech in Atlanta, and George Washington University in Washington, DC., (and multiple other colleges) have all been targeted by cyber incidents and breaches, signaling that the high frequency of attacks in 2022 is not about to go down this year. In May 2022, Lincoln College in Illinois became the first higher-ed institution in the US that had to shut down because of the debilitating effects of a ransomware attack.

Why is higher-ed an attractive target for cybercriminals?

• Massive datasets – Higher Education institutes are attacked frequently because of the massive volumes of data that pass through their networks. This includes students’ personal, financial and health information; data about employees; applications and enrollment forms; information related to financial aid, its recipients, and donors; research papers; coursework and study material, and a lot more. A successful attack could mean control over all this data and opportunities to hold it to ransom, sell it or use it in future attacks.
• Larger attack surface due to increased digitization – The Covid-19 pandemic necessitated moving classes online almost overnight. Universities and colleges had to create and enable a whole digital infrastructure to make this possible, at the cost of vastly increased exposure to cyber attacks.
• Low security budgets in colleges – While the transition to online classes was managed by all institutions, this was not accompanied by a corresponding increase in security controls to protect exposed data. Universities continue to struggle with cybersecurity due to its high costs and because many institutions don’t have the budgets and the expertise to build strong cyber defenses.
• Large number of unmonitored devices – What’s also a problem is that the students accessing university services and course material online often don’t prioritize security, and don’t have sufficient information and awareness about secure remote access, leaving their devices and their institutions vulnerable to intrusion.
• Unpatched, buggy, or end-of-life software – Education sector organizations with low cybersecurity budgets may not have a solid patch management program or rely on end-of-life software that is no longer supported by vendors, leaving huge security gaps and creating easy entry points for criminals. They may also use software not built with security in mind (like some remote communication and video conferencing tools) exposing them to new attack vectors that they can’t control.

What are the threats and risks?

Phishing and social engineering – Many threat groups carry out organized phishing campaigns targeting higher education institutions, using email addresses that may have been exposed in earlier breaches or scraped from publicly accessible sources. Phishing is often the initial access method used in larger attacks, and because of the interconnected and open networks in campuses, even a tiny percentage of students or employees taking the bait can have dire consequences.

Exploitation of remote access services – Threat actors can also gain access to university networks by exploiting vulnerabilities in remote access software, which is often essential to the functioning of higher ed institutions. Once a connection is made, attackers can employ a range of techniques to elevate privileges, move laterally across the network and get access to protected data.

Ransomware attacks – As many as 66 percent educational institutions worldwide were hit by ransomware in 2021, and attacks continued in 2022. Higher education institutes are among the slowest to recover from ransomware attacks, and in May 2022, Lincoln College in Illinois became the first higher-ed institution in the US that had to shut down because of the debilitating effects of a ransomware attack.

Data breaches – One of the biggest reasons educational institutes are so attractive to criminals is the rich datasets that they store. Inadequately protected data and weak defenses can lead to massive breaches, with university data ending up for sale on the dark web or exposed online. The FBI even issued an advisory about credentials and network access information about a large number of higher ed institutions being sold in cybercriminal marketplaces.

Extended network shut-downs – Successful attacks can lead to network shut-downs that may last several days or weeks. For higher-ed institutes, successful recovery from attacks may even take months, disrupting university operations, delaying course completion and interfering with enrollment processes, depending on the timing of the attack.

Ransomware in the Education Sector

Sophos’ 2022 State of Ransomware Report found that 66 percent higher education institutions were hit by ransomware attacks in 2021, and that 50 percent organizations paid the ransom to get their data back. The sector reported the highest encryption rate (74 percent) of all sectors, and took the longest to recover from an attack.

Nine percent respondents reported a recovery time of 3-6 months, which is more than double the global average of 4 percent. The Sophos study also found that only 78 percent educational institutions had cyber insurance coverage, which is lower than the cross-sector average of 83 percent.

Lincoln College shut-down due to ransomware

In 2022, Lincoln College in Illinois became the first higher-ed institution in the US that had to shut down because of a ransomware attack. The school had already been dealing with extreme financial stress due to the effects of the Covid-19 pandemic when it was hit by a cyber attack in December 2021. The attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections”, the college stated on its website in May 2022. By the time systems were fully restored in March 2022, “the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester.”

Recent cyber attacks targeting US Universities

The higher education sector in the US has already been targeted by multiple cyberattacks in 2023. Incidents that made news recently include attacks against Lewis & Clark College, Tennessee State University in Nashville, Southeastern Louisiana University, Rice University in Houston, Georgia Tech in Atlanta, and an extended phishing campaign that targeted George Washington University in Washington, DC.

Lewis & Clark

Lewis & Clark College in Portland, Oregon, was hit by a ransomware attack on March 3, which “significantly impacted almost all systems on campus.” The threat actor that carried out the attack – Vice Society – said that a they had published a limited amount of college data on the dark web. Lewis & Clark will not be paying ransom, and will be restoring systems using backups.

Five Louisiana Campuses

In late March, five college campuses in Louisiana were warned by the Louisiana State Police Cyber Crime Unit of possible network intrusions. All five colleges (The University of New Orleans, LSU AgCenter, Southern University in Shreveport, Nunez Community College and River Parishes Community College) temporarily switched off internet services in response to the tip off, to operationalize cybersecurity.

Tennessee State University

On March 1, 2023, Tennessee State University in Nashville notified students of a ransomware attack that brought down its IT systems. The University said that students would be able to access their email and Zoom, but other services like campus VPN, wireless network and access to external websites would be shut down for a few days.

Southeastern Louisiana University

The Southeastern Louisiana University had to shut down its network as a preventative measure after it discovered a cyber incident on Feb 23, 2023. While this led to delays in the completion of coursework and classes had to be conducted online, there is so far no evidence of a data breach.

Rice University, Houston

A recent ransomware campaign targeted several universities in the US and Central Europe, according to a Reuters report. One of the victims of the campaign was Rice University in Houston, Texas, which released a statement saying that its network was secure and “A nonessential system that was affected was promptly contained.”

Georgia Institute of Technology

The same campaign (which has been exploiting an old vulnerability in VMWare servers), also targeted the Georgia Institute of Technology, commonly known as Georgia Tech, in Atlanta.

George Washington University

The George Washington University sent out an email on Feb 1, 2023, saying that a malicious intruder had gained access to the university directory and launched a phishing campaign. The attacker(s) obtained first and last names, departments and positions, official email addresses, office phone numbers and campus addresses of students, faculty, staff and alumni and sent a series of emails over a period of several months posing as community members.

How Universities can stay protected

Timely patching – An effective patch management program that ensures timely patching of all software is one of the most cost-effective ways to prevent attacks. Known exploited vulnerabilities must be patched on priority.

Sensitive data discovery and protection – Universities must leverage solutions that help discover unprotected/unencrypted sensitive data stored on their systems and take appropriate measures to secure this data.

Secure configuration – All systems and applications must be securely configured based on best practice standards and frameworks. Configuration drift can be avoided by scheduling regular scans.

Phishing simulation and security awareness – Instituting engaging cyber awareness programs and phishing simulation exercises is another simple way to build a security-first culture and prevent bad security practices.

Strong passwords and MFA – Not just IT and security teams but students and faculty across the board should know the importance of strong, unique passwords. Multi-Factor Authentication (MFA) must also be enabled on all systems and services, and mandated by policy.

Strong access control policies – Access control must be strictly monitored and designed based on the principle of least privilege.

Network segmentation – University and campus networks must be segmented, and micro-segments implemented to prevent lateral movement of attackers if they manage to access a part of the network.

Monitoring, detection and response – Institutions must also leverage modern detection and response tools to find anomalous activity patterns in real time and neutralize attacks before they can cause major damage.

How CYRISMA can help

CYRISMA’s multi-feature SaaS platform enables educational institutions to manage risk in a holistic, cost-effective manner. By combining essential cyber risk management tools like vulnerability scanning, sensitive data discovery, secure configuration scanning, and dark web monitoring in a single platform, CYRISMA lets you streamline and simplify your cybersecurity processes.

With CYRISMA, you can:

• Find and secure sensitive data that may be left unprotected on institution systems, Google Workspace apps, and Office 365 without the knowledge of data owners (students, staff) and IT
• Discover and mitigate system vulnerabilities before they can be found and exploited by cybercriminals. Get to the root cause of vulnerabilities to address them effectively.
• Monitor Active Directory and Azure AD without any specialized knowledge
• Scan for and fix Operating System configuration weaknesses, mitigate risk, and meet regulatory compliance requirements.
• Conduct Cybersecurity Assessments to evaluate the tactical security posture of the university and easily communicate the risk level to the board

Request a demo today to see how CYRISMA can help your organization strengthen cybersecurity defenses and reduce the ris​