Subscribe to our free fortnightly newsletter and stay ahead with the latest news in edtech

Cyber attacks on colleges and unis: who, when and why?

Data collected by Jisc about attacks on the national research and education network, Janet, raises suspicions about staff or students

Posted by Julian Owen | September 27, 2018 | Higher education

Head of Jisc’s security operations centre, Dr John Chapman, explains

It’s notoriously difficult to identify individual cyber criminals, but data Jisc has collected over the past few years has built up a picture of who may be launching attacks on the UK’s colleges and universities based on when they do it.

When the data is collated into graphs, clear patterns emerge.

Who and when?

The graph, below, shows the number of DDoS attacks (designed to slow down or disrupt Jisc's members’ networks) that have been seen on Janet over the past year. It also shows the peaks and troughs within the year. The troughs, when the number of attacks decreases dramatically, always appear during holiday times.

Black bars indicate holiday times – summer 2017; Christmas; Easter; May half term; summer 2018

This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or, perhaps, the bad guys simply take holidays at the same time as the education sector. Whichever the case, there’s no point sending a DDoS attack to an organisation if there’s no-one there to suffer the consequences.

Another interesting finding is that the usual dip in attacks, during summer 2018, started earlier than the same time last year. The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity – Operation Power Off took down a ‘stresser’ website at the end of April.

Stresser sites basically sell DDoS packages to customers who want to attack internet services, under the pretence of “testing” them to see how well they would cope with a DDoS attack. Operation Power Off also targeted owners and customers of the stresser service, leading to other similar illicit businesses going offline as well.

This resulting dearth of attacks for hire, alongside the deterrent effect of the police operation, could explain the reduction in attacks seen on Janet since April.

In the graph below, the distribution of attacks over the day shows that it’s quieter at night, while the number of attacks start to ramp up at 8am, peak between 9am and early afternoon, and then die off again.

Interestingly, when comparing the time distribution for the first eight months of 2018 to January to August 2017, there have been slightly fewer attacks starting in the early hours, but more in the core of the day; also, the peak continues for longer. Last year the number of attacks started to wane from 1pm, this year it is 2pm.

Part of Jisc's role is to monitor the network, and they noticed several attacks at a college earlier this year. These started at 9am and finished at 12pm, began again at 1pm and finished at around 3-4pm. This suggested that the perpetrator was someone who wanted to get online at lunchtime, but didn’t want to do any work during the day. Could a member of staff get away with that, or was a student to blame?


Jisc say they can only speculate on the reasons why students or staff attack their college or university: for the “fun” of disruption and kudos among peers of launching an attack that stops internet access and causes chaos; or because they bear a grudge for a poor grade or failure to secure a pay rise.

Occasionally, Jisc can pinpoint the exact reason for an attack. A while back they noticed a DDoS attack against a university, so activated the mitigation service, which reduces the impact of an attack. A couple of hours later the same institution was targeted again.

The attacks went on for four days and most were occurring at night, so Jisc worked with the university to identify the target, which turned out to be the halls of residence, which raised further questions. They looked at what else was happening on the network at the same time as the attacks and found a lot of traffic going to online gaming websites.

Further investigation showed that a student in halls had been playing an online game and had attacked another gamer to try and secure an advantage. What they saw coming over the network and into the hall of residence was a revenge DDoS attack.

One student convicted for offences, connected to the 2015 TalkTalk incident, stated he was “just showing off to my mates”. That student had also targeted the University of Manchester and Cambridge University Library.

Adam Mudd was also prosecuted for cyber attacks against his college. Mudd admitted to attacking West Herts College, where he was a computer science student. This attack also affected 70 other institutions in the region, including the universities of East Anglia, Essex and Cambridge. Mudd’s explanation for one of his attacks is that the college had not acted when he had reported that he had been mugged.


If a student is caught engaging in illegal online activity like this, it would be up to the college or university to discipline that student. If they want to try and prosecute, they can ask Jisc to help provide evidence, but this doesn’t happen often.

Most of the time when cyber attackers are caught and convicted it’s because they make mistakes. For example, a former student from Stockport who was in court last year for attacking the Janet Network, the National Crime Agency, and several multi-national businesses, was identified because he failed to cover his tracks.

Jisc operate a zero-tolerance policy to attackers and gave evidence to the police which helped trace and convict the young man. In his case, the motivation was money: Jack Chappell was working with a criminal gang.

Get serious

So, there is evidence, both circumstantial and from the justice system, to suggest that students and staff may well be responsible for many of the DDoS attacks seen on the Janet Network. Jisc’s security operations centre is there to help mitigate attacks on its members, but colleges and universities are responsible for their own cyber space and should not under-estimate the potentially huge financial and reputational impact of a network outage.

Unfortunately, there are far more serious criminal players at work that organisations ignore at their peril. It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.

The blame could lie with criminals intent on selling information to the highest bidder, a business wanting to uncover a competitor’s secrets, or a foreign power trying to gain political leverage. Security agencies, including the National Cyber Security Centre and the FBI, have already warned of state-sponsored attacks by countries, including Russia, and the education sector is just as much at risk as any other in the UK.

However, despite these very real and serious threats, Jisc's 2018 security posture survey among members showed such cyber attacks were not considered a priority by its members, and they should be.

When it comes to cyber security, complacency is dangerous. Jisc say they do everything they can to help keep our members’ safe, but there’s no such thing as a 100% secure network.

Subscribe to our free fortnightly newsletter and stay ahead with the latest news in edtech

Related stories

Learning analytics provision to boost student experience

FE students favour real-world help with digital skills

Improving the learner experience for FE students

Market place - view all

European electronique

UK leading supplier of ICT solutions for the public sector, educat...


Leading IT infrastructure provider of software licensing, hardware...

Casio Electronics Co Ltd

Casio is a market-leading global electronics manufacturer. It launc...