Phish in a barrel

Education IT managers and cybercrime experts sing like canaries as they reveal the criminally easy way digital bandits can empty your coffers…

Asked why he robbed banks, notorious armed blagger Willie Sutton replied, “Because that’s where the money is.” Nowadays, data is the cash cow and you don’t need a sawn-off to make an indecent living from nicking it. All it takes is a password on a Post-it or, better still, a patsy with an itchy right-click trigger finger.

“It’s not Ferris Bueller looking to change his grades. It’s not a robot uprising and it’s not Kim Jong-un wanting to know how many of your kids are getting free school meals…” trills Joshua, an upbeat but deadly serious IT security analyst manager for a British university, very much on the frontline of the cyberwars.

‘Joshua’ is a pseudonym; one that took them a lazy second to come up with and five minutes to explain. The upshot, though, is, “It’s the backdoor password the hackers use to get into the military computer in the film War Games. It’s a woefully inadequate password, by the way, and that’s one of the reasons we’re in this mess. But the geeks will get it.” That’s two 1980s Matthew Broderick film references in three paragraphs. “I’m a Broderick nut. I got into computers, and how hacking works, because of those films.”

So, if it’s not a rogue state or Matthew Broderick, Joshua – who is behind the unprecedented rise in cyber-attacks on British education?

Joshua sighs. “It’s usually just some young gobshite, probably working for a criminal gang somewhere and definitely someone who knows exactly which buttons to press – or rather, to get you to press – in order to, most popular right now, download their ransomware software – that’s what ‘phishing’ is.”

Hostage to fortune

The ransomware grift does exactly what it threatens on the tin: it takes data hostage and unless the victim pays a ransom – in an almost impossible to trace cryptocurrency like Bitcoin – the hostage-takers will destroy it, make it publicly available or sell it on to equally nefarious partners; or quite possibly do all three anyway – even after you’ve coughed up.

Right now, it feels like the entire cybercriminal fraternity is on a phishing trip to the UK education sector.

Image source: Dmitry Demidko/Unsplash

The pandemic has forced a corner of every British home to double as a classroom across the sectors. It’s almost certainly no coincidence that upheaval has created an opportunity for an unprecedented wave of hacking attacks – of a ransomware nature in particular, and some spectacularly successful – on British education.

You malware it well

From July to August 2020, Microsoft’s Global Threat Activity Tracker clocked over 8 million malware incidents, with education standing as the most targeted sector.

Among a plethora of mass attempts and successful attacks reported in March 2021 alone were:

  • The Harris Federation, custodians of 50 primary and secondary academies in London and the Home Counties, was hit with a cyber-attack that blocked email access to over 30,000 pupils
  • The Scottish Qualifications Authority (SQA) revealed that between December 2020 and February 2021, further education (FE) and higher education (HE) establishments in Scotland were hit by more than 860,000 phishing emails
  • And in early March, East Midlands education trust NOVA had to shut down and ‘clean’ the entire IT system across 15 schools following “a sophisticated cyber-attack”.

At the same time, the University of the Highlands and Islands’ IT capability was shut down by a ransomware attack hidden in Cobalt Strike code – software actually developed for cybersecurity.

“I mean,” scoffs Joshua, noting the irony of the above, “it’s just taking the piss!”

Reality bytes

Cyber-attacks were, of course, happening before the pandemic.

“But like nothing on this sort of scale,” says Dr Maria Bada, cybersecurity expert and research associate at Cambridge University’s Cybercrime Centre.

“With teachers and students all working remotely, unassisted, in home environments, on a range of devices, the defences in place at an institution are weakened. Each individual working at home could potentially click on a phishing attack – it could even be done through kids playing online games that allow software in that then accesses a school’s system, so you can’t really control or react quickly to what everyone’s clicking. It’s been a very distracting, sometimes confusing time – which criminals love.”


The Cybercrime Centre’s research before and during the pandemic has shown that educators simply don’t expect to become victims. “I think – I hope – people are waking up to this now. I keep hearing things like, ‘Well, we’re just a local school, what can we possibly have that a cybercriminal would want?’ Well, when your system’s been shut down by a ransom demand, you’ll find the answer to that almost immediately. It’s not just about losing data, it’s the terrible disruption.”


In fact, there’s nothing particularly special about education’s attraction to cyber-gangsters. “All systems are a target,” says Kevin Curran, professor of cybersecurity at Ulster University and group leader of the Cybersecurity and Web Technologies Research Group. “Y’know, some kid, writing code and sending out bots on behalf of crime gangs – and that’s what they are, these are heavyweight people: drugs, weapons, human traffickers, at the very top in search of finance. This is much safer, much more lucrative than robbing banks – and doesn’t have issues with the UK’s education system. Education is just a massive set of infrastructures, full of opportunities to gain access to.”

The criminals targeting your system don’t care about your data. They simply know that *you* do.

“It won’t just ruin your day; it can ruin careers and lives,” says Kevin Curran. “But,” he adds, sensing a need for some reassurance, “you shouldn’t take it personally.”

Few of the criminals targeting the sector could be described as geniuses. “You can easily buy the programs you need for ransomware attacks online.” And you can just as easily fall for them. “Everyone has…and they’re just getting better and better. It’s quite relentless. But…we’re human beings, living hectic lives; you might be trying to get your kids in the car for school and you see an email from Netflix saying there’s something wrong with your billing, and all you want is the day to end so you can watch the last episode of Breaking Bad, so you click the link and then…”

Cyberman up?

It is, say all the voices in this interview, important to remember that individuals who have fallen prey to ransomware are innocent victims of crime. Report it. Accept that it’s happened. But don’t beat yourself up about falling for it.

Image source: sastock/Freepik

“We (the university), and I hope other places do, too, take the view that it’s a horrible thing to happen to someone – the same as getting mugged or robbed in the real world,” says Joshua. “I very nearly fell for one, and it’s my job to be on top of this. I was working on a large purchase with the accounts department. I got an entirely legitimate email from the accounts manager with one tiny detail changed – the bank account number. Everything was correct with the email, but I called them to check, thank God I did, because I was being phished.” What made it worse was that the software had clearly been embedded for a long time and was being monitored remotely, “just waiting for the right opportunity – a large cash transaction – and then putting things in motion”.
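The check Joshua made by phone, as an added example that is not from the article or from any named institution: compare the bank details in an incoming payment instruction against the last independently verified vendor record, and hold anything that differs until it is confirmed out of band. The field names, supplier ids and amounts below are constructed assumptions, not a real finance system’s schema.

```python
from dataclasses import dataclass

# Bank fields that may change only after a callback to a number already on file.
BANK_FIELDS = ("account_number", "sort_code", "account_name")


@dataclass(frozen=True)
class PaymentInstruction:
    """One payment request as it arrives by email (constructed schema)."""
    supplier_id: str
    account_name: str
    sort_code: str
    account_number: str
    amount_gbp: float


def normalise(value: str) -> str:
    """Strip spaces, dashes and case so '12-34-56' and '123456' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def check_instruction(instruction: PaymentInstruction, vendor_master: dict):
    """Return ("approve", []) when every bank field matches the vendor record,
    or ("hold", changed_fields) when any differs or the supplier is unknown.
    A hold means: do not pay until the change is confirmed out of band."""
    record = vendor_master.get(instruction.supplier_id)
    if record is None:
        return "hold", ["supplier_id"]
    changed = [f for f in BANK_FIELDS
               if normalise(getattr(instruction, f)) != normalise(record[f])]
    return ("hold", changed) if changed else ("approve", [])


# Constructed vendor master: the details last verified by phone, not by email.
VENDOR_MASTER = {
    "SUP-0042": {"account_name": "Acme Lab Supplies Ltd",
                 "sort_code": "12-34-56", "account_number": "12345678"},
}

# Constructed instructions: one genuine, one identical except for the account
# number, the single changed detail in the email Joshua describes.
GENUINE = PaymentInstruction("SUP-0042", "Acme Lab Supplies Ltd",
                             "123456", "12345678", 48000.0)
REDIRECTED = PaymentInstruction("SUP-0042", "Acme Lab Supplies Ltd",
                                "12-34-56", "87654321", 48000.0)

if __name__ == "__main__":
    for label, instr in (("genuine", GENUINE), ("redirected", REDIRECTED)):
        print(label, check_instruction(instr, VENDOR_MASTER))
```

Because the email itself was genuine, sender checks would not have caught this; only the comparison against a record verified by a separate channel does.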

Keeping a lid on it

That all said, the true scale of successful cyber-attacks is difficult to measure when some schools and universities, says Kevin Curran, are clearly weighing up the financial cost against the reputational hit.

They might be tempted to pay up and keep schtum.

But that’s a risky strategy, warns Maria Bada. 

“Not reporting a cyber-attack is a big issue. Things can escalate quite easily, especially if you pay the ransom, because what’s stopping you becoming a victim again? We’ve seen many cases of repeated ransomware attacks; it may be the same gang or word may just get out to others that you’re an easy victim.”

Kevin Curran agrees, but posits that there is some logic to cyber-gangs staying true to their word and restoring order to your defiled files.


“Call it a kind of honour amongst thieves,” he chuckles. “I mean, it’s not a great business model if they just take the money and run or they keep coming back for more if they think you’re a soft touch – so it can be useful for these guys to let their current victims know that their last victims paid up and everything was decrypted and returned. It actually works in their (the criminals’) favour. But sometimes, even if they do honour their word and send the decryption key, it won’t work. And, y’know, they’re criminals at the end of the day, there’s no guarantee they won’t come back. Either way, you’re going to have to assume that your system is compromised and wipe it down from the ground up.”

Taking a stand

One solution might be for potential victims (that’s you and every other legitimate concern with a hackable database) to pledge not to pay ransoms. Even make it illegal to do so.

This has become a trending proposition from law-enforcement agencies globally and it’s being mooted by the recently formed Ransomware Task Force – an alliance of the world’s top cybersecurity bodies. Criminalising ransom payments has already divided opinion in the nascent coalition, but there’s agreement on a proposal to make it a legal obligation to report attacks.

“Refusing to pay a ransom is all very well and it might work for public sector concerns – schools – but in other sectors, even private schools, it’ll be like any hostage situation; when it’s your child with a gun to their head…well, you’re going to pay up if you can afford to. It’s all paid in cryptocurrency – it’s very difficult to trace, why would you tell, say, the government about it?”

Interestingly, the criminal enterprise has seen the cybersecurity industry move into territory reminiscent of the bad old days of the 1970s, when actual kidnapping was a popular organised-crime side hustle. “Just like the hostage negotiators in the past, you have ransomware negotiators working online – people who really know what they’re talking about, making bargains with the ransomware criminals. It’s becoming a big thing in the cybersecurity industry.” 

Time to don your digital PPE

Just as washing our hands for 20 seconds became the mantra of various lockdowns, so we should be taking basic security-hygiene measures to deal with this digital disease, says Maria. “It really is things like choosing weak passwords or just not thinking about clicking a link because it looks familiar, that make phishing attacks so successful. It’s so simple for the criminals – they don’t have to do anything other than wait for someone to bite. The whole culture around cybersecurity has to change very quickly. The threat is constantly evolving – like a virus – and, like a virus, we need to be prepared, to know what new strain we’re dealing with from day to day.”

Kevin agrees: “We need to be educating the educators. It really needs to be a priority. You can have a really great IT security system and team in place, but if the non-techie people it serves aren’t using strong passwords that they’re not writing on a Post-it and sticking on their desk, or scrutinising emails that have got through a firewall, just taking a minute to think about what they’re about to click on, it’s set to fail.”


Spooked by the massive upsurge in attacks (attempted and successful) during the lockdowns, the National Cyber Security Centre – part of GCHQ – has launched a comprehensive new online training course for education establishments.

“It’s absolutely vital for schools and their staff to understand their cyber-risks and how to better protect themselves online,” said Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, when launching the course. “By familiarising themselves with this resource, staff can help reduce the chances of children’s vital education being disrupted by cybercriminals.”

As Joshua concludes: “IT departments in every establishment really should be striving for the Cyber Essentials accreditation which is also run by the NCSC. That said, you’re only as strong as the culture of your staff and students. It’s a bit of a pain, I know, but I think there does need to be some kind of mandatory awareness course everyone should go on.”
