Yesterday, the Malwarebytes research team published their findings on the threat actor “Silent Librarian,” a group of Iranian hackers with a history of attacking academic institutions, who have resurfaced to launch a new series of phishing campaigns. The new attacks were timed to coincide with the start of the new academic year, when both students and university staff were expected to be active on university portals. The attacks consisted of emails sent to victims with links to a website posing as the university portal or an associated app, such as the university library. The websites were hosted on lookalike domains and, in reality, collected the victim’s login credentials.
Remote learning is very much like work from home scenarios that organisations have been forced to transition to in recent months. Many classes are being operated via SaaS cloud solutions that students must sign into via SSO. Due to this, third-party cloud management best practices and SSO security considerations are paramount. Infrastructure concerns are a major element in this conversation, as weak infrastructures are ripe for attack.
Schools need to accommodate students with weak or no internet connection as well as those who may not have access to devices through which to carry out remote learning protocols. Schools may consider a limited re-opening to account for these students with valid needs by bringing them on-site in a socially distanced, safe arrangement.
In a best-case scenario, schools currently need to focus on short-turnaround enhancements. The budget for the upcoming school year has been set. Contracts initiated now likely won’t land in time for the school year to begin. Because of this, schools must make do with their existing staff, equipment, software, and other resources. A strategy to consider given these constraints includes building security awareness training and workshops into the curriculum as a first step. Training should be presented not only to students, but also to staff. Additionally, tighten the configurations of existing software and communicate those updates so that everyone remains on the same page that security and privacy are being addressed to the extent possible.
One of the common tactics used by nation-state threat actors or cybercriminals for phishing attacks is to use a website address that closely resembles the target’s. In this case, it was the university’s research systems. Unfortunately, students do not receive security awareness training as part of their education.
Like corporate organisations, educational institutions must provide security awareness training for staff, professors, and students alike to understand how to spot a phishing email, realise what a fake link looks like, and how to report it to the proper department within the school system.
As a college professor, I see that this curriculum is missing for all enrolled students and needs to be taught in all departments to avoid future cybersecurity incidents.
We must ensure that the technology provided to students is actually accessible. Many applications require a strong internet connection to access. If a student lives in a rural setting with a poor network or satellite connection, learning solutions suffer from VPN requirements or latency—and we must also take into account those with no access to an internet connection or a device from which to work.
Spear phishing will likely increase as distance learning becomes more long-term. Attackers and fraudsters will likely target students with extremely realistic emails for credentials and possibly financial information. Schools and universities need to be prepared for this by educating students on the threats.
Schools should consider having an email address to which students can forward suspicious emails and ask whether a message is actually from their institution. While this could lead to thousands of emails received for review, this is part of the burden of taking on distance learning as a business model.
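A defender-side starting point for such a reporting mailbox, as an added example that is not part of the original article: it pulls the URLs out of a forwarded message and labels each host against an allowlist of the institution’s own domains (the domain names are hypothetical), catching the two lookalike patterns described above, the real brand embedded inside an attacker-controlled domain and a one- or two-character near-match.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the institution's own hostnames (hypothetical names,
# not from the article). Third-party SaaS hosts the school actually uses
# (LMS, library vendor) belong here too, or they will be flagged as lookalikes.
INSTITUTION_DOMAINS = {"example-university.edu", "library.example-university.edu"}

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels. Naive on purpose: multi-label suffixes such as .ac.uk
    need a public-suffix list in production."""
    return ".".join(host.split(".")[-2:])

def classify_host(host):
    host = host.lower().rstrip(".")
    if host in INSTITUTION_DOMAINS or any(host.endswith("." + d) for d in INSTITUTION_DOMAINS):
        return "institution"
    brands = {registrable_domain(d).split(".")[0] for d in INSTITUTION_DOMAINS}
    # Real brand name used as a label inside an attacker-controlled domain,
    # e.g. library.example-university.edu.portal-login.net
    if any(b in host for b in brands):
        return "lookalike-brand-embedded"
    # Typosquat of the registrable domain, e.g. examp1e-university.edu
    reg = registrable_domain(host)
    if any(levenshtein(reg, registrable_domain(d)) <= 2 for d in INSTITUTION_DOMAINS):
        return "lookalike-near-match"
    return "external"

def triage(message_text):
    """Extract every URL in a forwarded message and label its host."""
    urls = re.findall(r"https?://[^\s<>\"']+", message_text)
    return [(u, classify_host(urlparse(u).hostname or "")) for u in urls]

# Constructed sample of a forwarded "library portal" lure, for demonstration only.
SAMPLE = (
    "Your library account expires today. Sign in at "
    "https://library.example-university.edu.portal-login.net/sso to keep access."
)
```

Anything labelled "external" still needs a human look; the labels only decide which forwarded messages the security team should read first.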
This resurgence in phishing emails around the start of term further shows how well cybercriminals study their targets and plan their campaigns according to the world around them, utilising social engineering techniques that increase their chance of success.
These universities don’t need reminding that cybersecurity awareness programmes need to run regularly to minimise the risk of these attacks being successful. The data hosted on university servers automatically makes them one of the most appealing targets for advanced persistent threats aimed at exfiltrating sensitive information and research data, but also for ransomware attacks and other types of disruptive threats.
Email filtering systems in place should be cutting edge, and university security teams should also be equipped with tools that give them the capability to proactively investigate these threats and anticipate attackers’ next moves. Security works best when it focuses on prevention rather than reaction.