Resources

Australia’s higher education landscape comprises of more than 170 institutions, and these institutions encompass universities and other types of higher education providers, and they enjoy international recognition for their commitment to delivering top-tier research and educational excellence to their students. 

Unfortunately, though, the higher education sector in Australia faces significant ongoing threats from cybercriminals and has gained the unenviable distinction of being ranked the fourth most targeted educational sector in the world.  

In the first six months of 2021, this sector experienced a 17% increase in cyberattacks, with July of that year seeing an average of nearly 4,000 attacks per week. These attacks create compounding risk, and this risk is associated with three main cybersecurity factors. 

The Three Main Factors Of Cybersecurity Risk In Australian Higher Education

The Progression Of Digitisation 

Continuing digitisation and an increasing dependence on interconnected devices has become the norm within the higher education sector. The widespread use of devices by both students and faculty members, both on campuses and remotely, expands the chance of a cyber breach, often in areas where institutions have limited control.  

Simultaneously, as the sector witness’s growth in the processing and storage of sensitive data, including academic research, intellectual property, and technological advances, it becomes more susceptible to cybersecurity threats, and becomes increasingly more alluring to malicious threat actors. 

The Use Of Legacy Systems 

Many higher education institutions located within Australia depend on outdated network and technology infrastructure. These legacy systems harbor security vulnerabilities, which is a situation worsened by constrained funding within the sector. The allocation of resources to other areas results in legacy systems continuing to handle vital functions and processing highly valuable data. This perpetuates the associated risks of a cyberattack and provides threat actors with the opportunity to exploit vulnerabilities located within the aging infrastructure. 

An Increase In Connectivity 

Academic research benefits from the exchange of information with fellow higher education institutions and businesses, and collaborative connections between institutions fosters trust. But it also introduces additional risks, and the digitisation of supply chains further expands these potential weak spots by involving numerous vendors and supply partners. Malicious actors often focus their efforts on these external attack surfaces when they are attempting to infiltrate systems and networks. 

Threat Actors Targeting Australian Institutions

Threat actors are capitalising on these cybersecurity factors to undermine the confidentiality, integrity, and critical data within Australian and worldwide education institutions. Some of these threat actors are known, and include: 

Mabna Institute 

Over the past decade, the Mabna Institute is suspected of having directed its cyber activities at up to 29 Australian universities. Their illicit actions have involved the theft of dissertations, eBooks research materials, scholarly journals, and theses, all facilitated through the unauthorised use of stolen credentials. Notably, this entity is believed to have stolen 31 terabytes of data from higher education institutions worldwide between 2013 to 2017. 

Their preferred method of breach involves luring victims to access a counterfeit login page by sending phishing emails while posing as library personnel. These phishing pages often incorporate official alerts and notifications and once the victims have entered their login credentials, they are redirected to a genuine university website, thus creating an appearance of authenticity. Following this, the attackers exploit the compromised accounts to gain access to academic data and perpetuate their campaign by sending additional phishing emails. 

Red Apollo 

Red Apollo is a state-sponsored actor with supposed links to the Chinese government, which poses threats to the education sector of nations aligned with the United States.  

The Red Apollo group has a specific focus on stealing intellectual property from institutions, and their modus operandi includes the sending of malicious emails featuring attachments in the form of zip files containing malware. The group also makes use of counterfeit domains that closely mimic legitimate organisations, and they frequently utilise a malware by the name of ChChes, which includes attacks against Japanese educational institutions. 

Winnti Group 

The Winnti group, again linked to the Chinese government, utilises malware bearing their own name, and in 2019, Winnti Group was discovered to be targeting two institutions in Hong Kong.  

The group’s distinctive backdoor access tool, known as ShadowPad, includes a launcher along with multiple modules, and Winnti employs phishing emails to infiltrate target networks before introducing malware such as Cobalt Strike. After successfully infiltrating the host network, Winnti employs legitimate software to gain additional access while reducing the risk of detection.  

Winnti has also been observed propagating from one network to another, and the group ensures long-term access and threats by leaving behind backdoors, such as ShadowPad, within compromised networks. 

Vice Society 

In 2022, Vice Society emerged as a leading threat to the higher education sector. Vice Society gained notoriety for its practice of withdrawing data from victims’ networks before encrypting it, which creates a double-extortion strategy, and their approach also involves threatening to publicly release stolen material on the dark web, unless the victim complies with a ransom payment. As such, Vice Society sets itself apart from other ransomware groups by not adhering to conventional ransomware methods. 

Cybersecurity Attacks On Australian Educational Institutions 

Cybersecurity attacks on higher education institutions located within Australia are expected to continue and to evolve, and other instances include attacks directed at the ProctorU remote examination platform, and the ANU Enterprise Systems Domain. 

During the COVID-19 pandemic, students across Australian universities were compelled to undertake remote examinations with online monitoring via the ProctorU platform. Unfortunately, this online resource fell victim to a cyberattack, leading to the compromise of personal information of 444,000 ProctorU members. Subsequently, this stolen data found its way online, where it was publicly disclosed. 

And in 2018, a threat actor successfully breached the ANU network, including the ANU Enterprise Systems Domain, which houses systems responsible for enterprise e-forms, financial management, human resources, and student administration. The actor managed to gain unauthorised access, enabling them to copy and exfiltrate an undisclosed volume of data. 

Responding To Cyber Threats Against Higher Education In Australia 

Many educational organisations lack the ability to comprehensively defend themselves in a complex online security environment. As such, partnering with a dedicated industry specialist such as Aryon can serve as a vital tool for institutions as they look to enhance and increase their online cyber defences.  

“Being prepared is being empowered”, and by partnering with Aryon, institutions are adopting a proactive approach to their cybersecurity, as one of our main aims is to proactively anticipate, mitigate, and effectively respond to cyber threats that the organisations that we work with might encounter.  

To find out more about how we can strengthen the security of your institution or organisation please click here.