Schools bombarded by nation-state attacks, ransomware gangs, and everyone in between

If we were to draw an infosec Venn diagram, with one circle representing “sensitive info that attackers would want to steal” and the other “limited resources plus difficult-to-secure IT environments,” education would sit in the overlap. 

Schools – including K-12, colleges, and universities – store health and medical records, data belonging to minors, financial information, sensitive research, AI training models and other proprietary IP. At the same time, they are famously understaffed (with the exception of some well-heeled private institutions) and underfunded – especially when it comes to IT and security. 

Their network users include students – some as young as five years old – teachers and professors, doctors and patients, food service workers, janitors, staff, and visitors.

Plus, educational facilities and campuses have to secure IT environments that span both legacy and modern systems, covering everything from payment processing systems to medical equipment as well as personal phones, computers, and gaming consoles.

Every week, the education/research sector faces an average of 2,507 attempted cyber attacks, with everyone from nation-state groups to ransomware gangs and other financially motivated criminals putting schools in their crosshairs. At least according to Microsoft, which, in its Cyber Signals report published today, warned that Iran and North Korea are among the miscreants targeting schools.

As of the second quarter of 2024, education holds the dubious distinction of being the third most targeted industry, based on analyzed security events, Redmond notes. 

“The cyber threats that Microsoft observes across different industries tend to be compounded in education, and threat actors have realized that this sector is inherently vulnerable,” the Microsoft Threat Intelligence team writes, adding that these threats include malware, phishing attacks, data theft, and vulnerable IoT devices, among many others.

When it comes to ransomware in particular, manufacturing still makes up the biggest percentage of Microsoft’s ransomware incident response engagements at 34 percent. But the education sector is targeted as often as retail, telecommunications, transportation, healthcare and IT – all of which experience roughly 11 percent of attacks.

Iran, North Korea hunt for IP, experts and students’ crypto
Among the Iran-backed groups attacking schools, Redmond security analysts spotted Peach Sandstorm – an Islamic Revolutionary Guard Corps (IRGC) backed crew – using password spray attacks to break into education networks and email inboxes, as well as social engineering campaigns targeting higher education institutions. 

Mint Sandstorm is another Iranian government-linked group spotted targeting high-profile Middle Eastern affairs experts at universities.

“These sophisticated phishing attacks used social engineering to compel targets to download malicious files including a new, custom backdoor called MediaPl,” Microsoft notes.

According to Redmond, in 2023 Iran’s Mabna Institute hacked at least 144 US universities’ computing systems, along with another 176 in 21 other countries, and stole professors’ credentials. The credentials were used “for the benefit of” Iran’s Islamic Revolutionary Guard Corps, to access the schools’ library systems and also sold online.

Emerald Sleet and Moonstone Sleet are among the North Korean groups targeting the education sector, we’re told. Emerald focuses on academics and experts in East Asian policy or North and South Korean relations, and uses AI to write its social engineering content. 

Meanwhile, Moonstone creates fake companies to develop relationships with schools. “One of the most prominent attacks from Moonstone Sleet involved creating a fake tank-themed game used to target individuals at educational institutions, with a goal to deploy malware and exfiltrate data,” Redmond notes. 

Another North Korean group that Microsoft tracks as Storm-1877 typically targets students for cryptocurrency theft. These attacks usually start on social media and the crew uses custom malware.

QR code abuse on the rise
One of the ways that criminals are gaining initial access to people and devices in their attacks is by abusing QR codes, which schools and school-adjacent orgs – like parent-teacher associations, campus clubs, sports teams and the like – use on flyers offering information about everything from school fundraisers, financial aid forms, parking passes, band sign-ups, and other events.

“This creates an attractive backdrop for malicious actors to target users who are trying to save time with a quick image scan,” according to Microsoft, which spotted more than 15,000 messages with malicious QR codes targeting the education sector every day over the past year. 

Prime espionage targets
Universities have their own security challenges. These institutions’ leaders effectively act as the “CEOs of healthcare organizations, housing providers, and large financial organizations,” according to Redmond.

They also are engaged with federally funded research programs, and work with defense contractors and technology companies – making them prime targets for espionage.

“They may be conducting breakthrough research. They may be working on high-value projects in aerospace, engineering, nuclear science, or other sensitive topics in partnership with multiple government agencies,” the report notes.

“For cyber attackers, it can be easier to first compromise somebody in the education sector who has ties to the defense sector and then use that access to more convincingly phish a higher value target.”

So, for example, after compromising credentials belonging to a professor or researcher, an attacker could then send an email from a university account to a government official and trick them into disclosing sensitive information. 

Cyber crooks shut down UK, US schools, thousands of kids affected

DOJ, Microsoft seize 107 domains used in Russia’s Star Blizzard phishing attacks

Smart TVs are spying on everyone

Two British-Nigerian men sentenced over multimillion-dollar business email scam

Unfortunately, there’s no easy fix when it comes to education-sector security. It requires a lot of user education for students and staff about best practices, like multifactor authentication (MFA). 

According to Microsoft, accounts are more than 99.9 percent less likely to be compromised if they have MFA turned on. MFA and strong, unique passwords can also help protect against password spray attacks.

Redmond also suggests implementing a free protective domain name service to block computers from connecting to malicious websites, thus reducing the risk of ransomware and other attacks. ®