Hacking attacks against higher education institutions are on the rise as other industries battered by cybersecurity threats tighten their defenses and many in education remain unprepared, experts warn.
The ransomware group called Cl0p appeared on the radar for many educational institutions in May after it took credit for a massive cyberattack against hundreds of organizations, including higher ed institutions. The group claims it stole data by breaching MOVEit, a software product used for file transfers, and security experts estimate the information of millions of people may be affected.
“There was always a focus on government entities, then there was COVID, and the health-care industry was slammed with cyberattacks,” said Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, a cybersecurity defense platform.
“We used to think the high-value target was the government, but is the highest-value target a school that is connected to not only the government but to their state?” said Janssen-Anessi, who previously focused on cybersecurity at the Defense Department and the National Security Agency. “We do need to have a step back and really think about how we can support, clearly, what has become a vector for other targets.”
The MOVEit attack has highlighted higher education as a target, said Christopher Budd, director of threat research at Sophos, the software and hardware security firm. He likened the attacks to bringing a cake to a picnic.
“If you set the cake down on the blanket, one ant will see it, then another, then there’s a stream of ants going toward it,” he said. “The more potential attackers see higher ed is a viable and fruitful target, the more attacks will occur.”
Inside Higher Ed spoke with cybersecurity experts on the latest MOVEit attack, what to expect in the future and how institutions can stay safe from hackers.
What Is the MOVEit Attack?
Cl0p, a ransomware group reportedly based in Russia, announced in May it had infected MOVEit applications to steal data. MOVEit, owned by Massachusetts-based Progress Software, is widely known for meeting high-level regulatory requirements. Because of that, it is used in many government and academic institutions with sensitive data. The New York City Department of Education and Department of Health and Human Services were among those hit over the last few months.
While many institutions were directly hit due to their use of MOVEit, the attack became broader because third-party vendors—many with higher education ties—used the software. Those affected indirectly include National Student Clearinghouse, teacher retirement fund TIAA and student health insurance provider United Healthcare Student Resources.
The latest higher ed breach, announced June 30, was against the University of California, Los Angeles.
My Institution Wasn’t Among Those Attacked. Is There Reason for Concern?
Yes. Even if an organization does not use MOVEit, a vendor of the organization could be using the software service.
“It’s the same ecosystem that you think of for any other supply chain—it’s all connected,” Janssen-Anessi said. “That’s why you see articles with people saying, ‘We don’t even use MOVEit, but we’re affected.’”
She suggested reviewing user accounts made over the last 90 days to verify and authenticate that there is a real person behind them. Institutions should also be looking at file transfers, noting any large volume of files that is moved out of the network.
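The two checks suggested above can be run over exported account and transfer records. The following is an added example, not code from the article or from anyone quoted in it; the record layout, the log format, the 1 GiB daily threshold and all sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumed export formats, not from the article).
ACCOUNTS = [
    {"user": "asmith", "created": "2023-02-11", "owner_verified": True},
    {"user": "svc_xfer2", "created": "2023-06-02", "owner_verified": False},
    {"user": "jdoe", "created": "2023-05-20", "owner_verified": True},
]
# Columns: timestamp, user, direction, bytes
TRANSFERS = """\
2023-06-03T01:12:09 svc_xfer2 outbound 734003200
2023-06-03T01:40:31 svc_xfer2 outbound 912261120
2023-06-03T09:15:00 asmith outbound 5242880
2023-06-03T10:02:44 jdoe inbound 1048576000
2023-06-04T02:05:10 svc_xfer2 outbound 655360000
"""

def recent_unverified(accounts, today, window_days=90):
    """Accounts created inside the review window with no confirmed human owner."""
    cutoff = today - timedelta(days=window_days)
    return [a["user"] for a in accounts
            if datetime.fromisoformat(a["created"]) >= cutoff
            and not a["owner_verified"]]

def large_outbound(log_text, threshold_bytes):
    """Sum outbound bytes per (user, day); return the totals at or over the threshold.

    Aggregating per day catches bulk movement split into several transfers
    that would each pass a per-file size check.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole review
        ts, user, direction, size = parts
        if direction != "outbound" or not size.isdigit():
            continue
        totals[(user, ts[:10])] += int(size)
    return {key: total for key, total in totals.items() if total >= threshold_bytes}

if __name__ == "__main__":
    print("verify owner:", recent_unverified(ACCOUNTS, datetime(2023, 7, 1)))
    for (user, day), total in large_outbound(TRANSFERS, 1 << 30).items():
        print(f"large outbound volume: {user} on {day}: {total} bytes")
```

An account that appears in both results, such as the constructed `svc_xfer2` here, is the first one to investigate.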
Why Do the MOVEit Attacks Keep Happening?
The attacks continue happening, to some extent, because users have not applied fixes to known weaknesses in their systems. Typically after attacks, security patches are offered to fix the specific problem. They often come in the form of software and operating system updates. There are also service packs, which are more comprehensive and include a collection of updates and fixes.
While a service pack was released on July 5 to protect against future MOVEit attacks, many institutions have not put it in place, according to Gunner Wagh, director of GVW Cybersecurity Consulting.
“If people won’t continue to patch things, we’ll continue to see the attacks,” he said. “And as long as [the hackers] can make money, the attacks will continue.”
Are More Cyberattacks Expected in Higher Education as a Whole?
Yes. Cybersecurity experts believe there will be more attacks against higher ed institutions and organizations, with MOVEit serving as a green light of sorts after its initial success.
Janssen-Anessi said attacks for both ransomware and data breaches have been increasing across education as a whole over the last few years.
The uptick in attacks, in part, can be attributed to a wide range of vulnerabilities at higher education institutions. For example, a pillar of academia is its openness and its ability to work across departments, which is advantageous for research—but also for hackers.
“It’s completely interconnected,” Janssen-Anessi said. “You have huge volumes of devices within an infrastructure that permits anyone not at the university to access and engage.”
Among other vulnerabilities: the wide variety of software applications running across many different systems at higher education institutions; the large number of people on a network and the subsequent lack of control of what is on a network; and, in many cases, a reluctance to impose a level of control on networks at some institutions.
“I would hope people in higher education are aware they have some disadvantages already and hope they’re in a heightened state of alert,” Sophos’s Budd said.
The attacks could be, in part, less about negligence from an institution and more a reflection of the increasing workload that a university’s IT department has to face.
Whether an institution needs to invest more in fleshing out the department or looking toward outsourcing is up to them, according to Wagh of GVW Cybersecurity Consulting.
“There’s no one answer; every company I dealt with was different, based on the size of the network and capabilities of its staff,” he said.
How Do You Prevent Future Attacks?
The advice is simple, according to Wagh: have stronger passwords and use multiple authentication requirements. Institutions should also regularly audit and update software.
“I’ve been giving the same cybersecurity presentation for 20 years, and it’s largely the same,” Wagh said. “And it’s frustrating to me because if people would do that consistently, a lot of attacks would be mitigated.”
If an organization is using a file transfer tool—either MOVEit or another brand—Budd urged users to be cautious: know what tools they are using and make sure the most recent updates are in place.
What Approach Works for Getting More Preventative Measures and Investments in Cybersecurity?
“I think it’s clear it’s coming to a head—it’s, do you want to invest in cybersecurity now, or do you want to invest in the compromise?” Janssen-Anessi said. “We all rely on the institutions, and then don’t put money in to secure them.”
The cybersecurity experts acknowledged higher education, like most sectors, has an easier time making a case to beef up cybersecurity measures after an attack, versus doing it in advance.
“It’s easier to say, ‘We don’t want to be that organization [that was attacked]; we want to do this now,’” Budd said. “In security, one of our challenges is we have to convince people to take preventative action to prevent what, to most people, seems to be a hypothetical threat.”
But for higher education, preventing attacks is more than just ensuring the data—and potentially ransom money—is kept safe.
An important argument is that cybersecurity protects an institution’s credibility. Wagh pointed toward the 2017 ransomware attack against credit bureau Equifax.
“That was devastating and lowered their credibility,” the former FBI agent said. “With a higher education institute, if they’re subject to an attack and suddenly their student data or employee data is out there, you wonder what else could be wrong.”