UK universities are an attractive target for both financially motivated cybercriminals and nation states, according to a new report from the National Cyber Security Centre (NCSC).

The NCSC, a branch of GCHQ, warned that while lower-level attacks from cybercriminals are more common, state-sponsored cyber espionage is “likely to cause greater long-term damage”.

The trove of intellectual property from research projects is of particular value to nation states, as well as the personal information of staff and students.

The NCSC said that the openness and “outward-facing” nature of universities – intended to encourage academic collaboration – makes them a softer target for cyberattackers.

“Sensitive research may be targeted for its defence or commercial value, and its loss is likely the most detrimental of all to both the affected university and to the UK as a whole,” the ‘Cyber Threat to Universities’ report stated.

“Likely effects include damage to the value of impacted research and intellectual property for both individual researchers and the institution. The attractiveness, relevance and value of an impacted university as an investment partner will also be negatively affected. And at a wider scale, the knowledge advantage of the UK will suffer.”

Cyberattacks against UK universities fall into the wider context of increasing state-sponsored attacks, with China, Russia, Iran and North Korea having all conducted state-sponsored cyberattacks against the UK in the past two years.

University cyber threat: “Prime target for phishing”

In one university cyberattack, Iranian threat actors set up more than 300 fake websites and login pages for 76 universities around the world – including some in the UK – to steal university login credentials.

“Universities are a prime target for phishing because of their diverse user base, including students, faculty, governors and even parents,” said Jordan Wright, principal R&D engineer at cybersecurity firm Duo Security.

“Universities hold a large amount of information such as sensitive Personally Identifiable Information (PII), payment details and valuable grant-funded research all of which can prove to be valuable to motivated attackers.”

The NCSC advises for more cyber awareness training for students, keeping on top of access controls when students and staff leave and ensuring good network security.

However, Matt Lock technical director at cybersecurity firm Varonis, warned that it will be a challenge for universities to keep ahead of attackers.

3 Things That Will Change the World Today

“The recommendations from the NCSC are spot on, but some universities will struggle to change outdated systems, gain control of digital files that are everywhere and open to everyone, and update information access to a least-privilege model,” he said

“Funding is one factor, but so is managing data in a collaborative academic environment in which information must be shared, turnover is steady, and attackers have countless tools and tricks up their sleeves to compromise systems. Attackers will continue to win until UK universities make data protection a priority.”

The global, costly threat to education

Cyberattacks on education institutions is not a problem unique to the UK. Earlier this year hackers from China conducted a large cyberattack campaign against US universities, attempting to steal military R&D data.

Research from cybersecurity firm EfficientIP has also shows how the education sector is a prime target for cyberattacks. In a survey of 900 security experts from nine countries across North America, Europe and Asia, 86% of those working in the education sector said they experienced a Domain Name System (DNS) attack in the past year.

The findings also revealed that education organisations suffered an average of 11 cyberattacks last year. Each cost $670,000 – putting the total cost of cyberattacks on universities from respondees to $7.37m.

David Williamson, CEO of EfficientIP, said: “Hackers are always looking for an easy way in, so it is disappointing the education sector is failing to invest in security despite universities and education facilities being a clear priority for hackers.

“When students and professors trust their institutions with sensitive personal information and intellectual property this paints a big target on universities’ backs and makes them responsible for safeguarding it.”


Read more: NCSC thwarting of airport phishing scam “massively encouraging progress”