Cyber security alert issued by NCSC following rise in attacks on UK academia

The NCSC dealt with several ransomware attacks against education establishments in August, which caused varying levels of disruption, depending on the level of security establishments had in place. Such attacks typically involve the encryption of an organisation’s data by cyber criminals, who then demand money in exchange for its recovery.

With institutions either welcoming pupils and students back for a new term or otherwise preparing to do so, the NCSC’s alert urges them to take immediate steps such as ensuring that data is backed up and also stored on copies offline.

Academic institutions are also urged to read the NCSC’s newly-updated guidance on mitigating malware and ransomware attacks and to develop an incident response plan which is then regularly tested.

Paul Chichester, director of operations at the NCSC, said: “This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible. While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest to help ensure young people are able to return to education undisrupted. We’re absolutely committed to ensuring UK academia is as safe as possible from cyber threats, and we will not hesitate to act when that threat evolves.”

The new alert, Targeted Ransomware Attacks on the UK Education Sector by Cyber Criminals, supplements existing support that the NCSC, which is a part of GCHQ, provides for academic institutions across the UK. Examples of this include advice on the questions governing bodies and trustees should ask school leaders to improve a school’s understanding of cyber security risks, and the distribution of information cards which help staff understand how they can raise resilience to attack.

Response from academia

David Corke, director of education and skills policy at the Association of Colleges, said: “As the last six months have shown us, it has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance. This demands a ‘whole college’-style approach and for a focus wider than just systems. It needs to include supporting leaders, teachers and students to recognise threats, mitigate against them and act decisively when something goes wrong. This guidance from the NCSC will prove incredibly useful for colleges to ensure that they can do just that.”

Steve Kennett, executive director of e-infrastructure at the higher education support body Jisc, explained: “Jisc welcomes the NCSC’s support in dealing with the current spate of ransomware impacting the UK’s education and research community. We encourage everyone to review the latest guidance from the NCSC and take the time to assess the risks posed to their organisation.”

Institutions that have been infected with ransomware have seen their ability to operate effectively and deliver services significantly obstructed and, depending on an organisation’s level of resilience, it can take weeks – and, in some cases, months - for services to return to normal.

Often, the aim of cyber criminals deploying ransomware is to encrypt data that will have the most impact on an organisation’s services. This can affect access to computer networks as well as services including telephone systems and websites.

Ransomware and malware guidance

The NCSC has recently updated its ransomware and malware guidance, which is generally applicable to organisations in all industries in the UK. Additions to this include updated information on attackers’ modus operandi and advice on preparing for an incident.

Ransomware is a type of malware that prevents an individual from accessing their computer (or the data stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or in some way encrypted.

Test exercising is one of the most effective ways in which an organisation can test how it responds to cyber incidents and identify areas for improvement. Exercise in a Box is a free online tool from the NCSC which helps organisations test and practise their response to a cyber attack, including ransomware attacks.

Attacks on universities

One third of UK universities have been subjected to ransomware attacks according to Freedom of Information requests submitted to 134 universities in July.

Of the 105 universities that responded, 35 admitted to being attacked (33%), 25 said they hadn’t been (24%) and 43 universities refused to answer (45%). The full list of results can be accessed here.

Refusals typically centred around the universities’ concerns that an admission of an attack would encourage further misdemeanours (typically citing Section 31.1.a of the Freedom of Information Act – ‘the prevention or detection of crime’: http://www.legislation.gov.uk/ukpga/2000/36/section/31). They stated that no inference as to whether they would be attacked or not should be drawn from the refusal that the information requested does or does not exist.

Certain universities, including the University of Oxford, felt that their profiles made them more likely to be attacked. The University of Oxford noted: “…Launching a successful attack would then be regarded in criminal circles as a noteworthy achievement, particularly in view of Oxford’s high public profile.”

Of all the 35 universities that admitted they were attacked, 34 confirmed they did not pay ransoms. The remaining university, namely Liverpool John Moores University, refused to revealed whether it had paid a ransom or not.

The majority of incidents happened in 2015 (31% of incidents), 2016 (34%) and 2017 (23%).

With most universities reporting isolated incidents, Sheffield Hallam University and City, University of London stood out, reporting 42 attacks since 2013 and seven attacks since 2014 respectively.

Luke Budka, head of digital PR and SEO at TopLine Comms (the agency that submitted the requests) said: “The recent revelation that hackers extorted $1.14 million from the University of California prompted us to submit Freedom of Information requests to UK universities asking for details on ransomware attacks and ransom amounts paid. We were naturally most interested in Russell Group universities as their research focus suggests they harbour the most valuable Intellectual Property. Of the 18 Russell Group universities that responded, all but three refused to answer the questions submitted. The University of Manchester admitted it had been attacked, but said it didn’t record when. The University of Sheffield was attacked in 2015, while The University of Edinburgh stated it had not been attacked in the last ten years.”