DHS Intelligence Assessment: Malicious Cyber Actors Target US Universities and Colleges

DHS-UniversityCyberThreats

Malicious Cyber Actors Target US Universities and Colleges

  • 5 pages
  • For Official Use Only
  • January 16, 2015

Download

(U//FOUO) We assess that the primary cyber threat to US university and college networks is cybercrime and unwitting hosting of malicious activity, likely because the regular turnover of student network users and requirements for accessibility to the networks make the networks difficult to monitor and secure.

(U//FOUO) We assess malicious cyber actors targeting intellectual property and research are the emerging cyber threat facing university and college networks. Cutting-edge research and sensitive US government and cleared defense contractor projects are appealing targets for cyber actors looking to gain access to sensitive research programs and information.

(U//FOUO) University Networks Face Common Cyber Threats

(U//FOUO) Malicious cyber actors have targeted US universities and colleges with typical cybercrime activities, such as spear phishing students and faculty with university-themed messages, creating fake university websites, and infecting computers with malicious software, likely in an attempt to gain access to student and faculty e-mail and bank accounts. We have no indication that cybercriminals target university systems and users more than any other cybercrime victims.

» (U//FOUO) According to sensitive DHS reporting, several different types of malware designed to gather personally identifiable information (PII) and exploit computer systems for financial gain—ransomware, clickfraud malware, and  credential-harvesting malware—were found on computer systems of an identified US university in late August 2014. We do not know if PII was compromised or exfiltrated as a result of these infections.

» (U//FOUO) In February 2014, unknown cyber actors targeted departments at an identified US university with phishing messages containing malicious links, according to FBI reporting. Computers of recipients that responded were infected with ransomware requiring victims to pay between $50 and $500 to decrypt their computers, according to FBI reporting.

» (U//FOUO) In early 2014, malicious cyber actors successfully executed an e-mail phishing attack against 166 employees at an identified US university. The phishing message was embedded with a malicious link to a fraudulent university website that, when accessed, prompted employees to provide PII associated with their financial accounts. The actors successfully compromised the financial accounts of two employees, changing their direct deposit information so that money was delivered to an unspecified US bank, resulting in financial losses for the employees, according to an FBI contact with excellent access.

(U//FOUO) US universities and colleges have extensive computer networks and infrastructure making them ideal targets for unwitting hosting of malicious cyber operations, including denial-of-service (DoS) attacks and undetected storage of malware. As with cybercrime, we have no indication that malicious cyber actors target university and college networks for these activities any more than other networks.

» (U//FOUO) In early 2014, an unidentified cyber actor leveraged a supercomputer at an identified US university to initiate a DoS attack against the servers of several identified US businesses that host servers for gaming activities, according to an FBI source with indirect access. The attack used about 98 percent of the university’s bandwidth.

» (U//FOUO) Unidentified cyber actors used a named US university’s web server as a file repository for distributing malicious tools, according to sensitive DHS reporting. Analysis of the web server confirmed that a number of malicious tools had been uploaded to the system, as of mid-2014.

(U//FOUO) University Networks May Be Target for Cyberespionage

(U//FOUO) While malicious cyber actors looking to exploit university and college networks for PII remain a consistent threat, we assess that the emerging cyber threat facing US university and college networks is cyberespionage actors seeking information and intellectual property. In addition to in-house, cutting-edge research, numerous US universities and colleges are involved in sensitive US government and cleared defense contractor research projects. These associations are very appealing to cyberespionage actors looking to gain access to sensitive research programs to exfiltrate information. University networks, which often have multiple levels of connectivity and accessibility to fuel collaboration, may present an easier target for cyberespionage actors than sensitive government or private industry networks. We have only a few examples of data exfiltration from university networks, but those we have lead us to judge that this activity does target research information and intellectual property.

» (U) According to reporting from a US cybersecurity firm, likely Iranian cyber actors, as part of a global espionage campaign, targeted universities in the United States, India, Israel, and South Korea from 2012 to late 2014. The cyber actors targeted research efforts, student information, student housing, and financial aid systems. According to the security firm, the cyber actors reportedly harvested confidential critical infrastructure documents from major educational institutions around the world.

» (U) A late-2013 review of the infrastructure associated with a probable foreign cyberespionage campaign indicated broad targeting of university computer systems, including those in the United States, the United Kingdom, and Israel, according to DHS reporting. The unknown actors successfully exfiltrated sensitive research information associated with university-affiliated medical organizations, including passwords and passport images.