The onset of near-universal remote learning made necessary by the COVID-19 pandemic left colleges and universities more vulnerable to ransomware, botnets and other cyberattacks, according to research published Tuesday by the cybersecurity provider BlueVoyant. And the combination of weak campus security policies and breaches of edtech vendors leaves schools open to continued risks, the company found.
Between 2019 and 2020, ransomware attacks against colleges doubled, the research said. They also became more financially costly, as the “big game hunting” tactics used by malicious actors that’ve targeted large corporations, major cities and state governments have moved into the education sector. According to BlueVoyant’s research, the average cost of a ransomware attack against universities reached $447,000 last year.
Several ransomware attacks against universities last year led schools to pay their attackers’ skyrocketing demands, including the University of California, San Francisco, which paid $1 million after it was breached last June, and the University of Utah, which forked over $457,000 in August.
Much of this increased activity has been made possible by millions of student and faculty credentials being available through previous data breaches, including several that affected digital learning companies like Blackbaud, the cloud services provider that acknowledged last year that hackers gained access to Social Security numbers and banking information held by its customers in higher education. Other vendors, including ProctorU, Chegg and OneClass have also been breached in the past three years, according to BlueVoyant.
The Chegg breach, in 2018, resulted in the digital textbook rental service losing more than 5 million email addresses ending with in .edu. That incident paid off late last year at Boston University, where about 1,000 student email addresses had to be disabled after being inundated with spam coming from other legitimate university accounts that had been compromised. That temporary shutdown also cut off those students’ access to the BU student portal, campus Wi-Fi and online learning systems. BlueVoyant said it found 11,442 accounts ending in bu.edu in the Chegg breach.
The report found that hackers’ access to university networks can be assisted by a profligacy of weak passwords. BlueVoyant showed that among accounts caught up in the Chegg breach, thousands relied on passwords that contained familiar college-campus terms, including “library,” “student,” “party,” “gym” and “beer.” And more than 65,000 passwords were structured around the word “password.”
Exposed and easily guessed passwords leave networks vulnerable to phishing attacks. And at least one-fifth of universities examined by BlueVoyant had unsecured ports on Microsoft’s Remote Desktop Protocol, the second-most popular vector for ransomware attacks.
Universities also face cyberthreats on other fronts, BlueVoyant found. Along with criminal activity, nation-state actors, including advanced persistent threat groups based in China, Iran and Russia increased their efforts against U.S. higher education in the past year, especially institutions that have been researching COVID-19. Last July, U.S., U.K. and Canadian intelligence officials warned that the Russian hacking group APT29 — also known as Cozy Bear — was targeting organizations developing vaccines. And in October, the antivirus software company Malwarebytes found that an Iranian APT had been snooping on universities around the world.
The BlueVoyant report concludes by making many familiar recommendations to reduce the risk of cyberattacks, including stronger password regulations and mandatory multi-factor authentication. Yet it also warns that universities’ cybersecurity postures may be weakened as the ongoing pandemic continues eating into their budgets with declines in attendance, on-campus housing and international student enrollment.
A majority of colleges surveyed last May by Educause said they expected to cut IT budgets by between 5% and 30% due to the health crisis — and that may yet be just the beginning.
“Recent events, including the demands for rebates and refunds by students, indicate that things could get worse,” BlueVoyant found.