CIO

Sustained attacks on Australian education reflect data’s continued vulnerability

Single threat actor pummelling educational institutions with malicious email

Australia’s besieged educational sector is being subjected to “an organised and determined criminal threat,” security experts have warned as a new analysis of quarterly attack patterns highlighted the use of “a multitude of techniques”.

In July, a two-day campaign against education-industry targets saw the detection of 3159 emails using ZIP email attachments to download the Krypt Trojan, email security firm Mimecast noted in its November Threat Intelligence Report, while a subsequent five-day campaign saw 5901 detected emails trying to infect targets with the Locky ransomware.

By the time threat volumes peaked in mid-September – Mimecast detected 1.136m combined threats on 18 September alone – a threat actor “highly likely” to be the same as the earlier campaigns began peppering educational and university targets with MS Office documents that attempted to use macros to execute a range of malware.

The attacks stood out from a high level of background noise in which legal, banking and insurance targets were also attacked with sporadic campaigns that targeted potential victims with emails bearing attachments laced with Andromeda, Noon, and Razy malware as well as the Cryxos remote access Trojan.

Successful compromises of Australian Catholic University and the Australian National University may have been headline breaches during the middle of this year, but the ongoing campaigns against education targets are “almost certain” to be interrelated and state-sponsored, the firm said in its analysis.

“Australia is almost certain to continue to suffer sustained and determined cyberattack campaigns, particularly against transportation and infrastructure,” Mimecast said, noting that “relative to its size” the country “has suffered sustained attacks and targeting of its education sector… Targeting is likely to be intended to impact or steal research and intellectual property, but also may be intended to monitor student activities or behaviour.”

The figures corroborate a recent analysis by Malwarebytes Labs, which found that Australian universities are the world’s most frequently targeted by cybercriminals.

ZIP and RAR compressed archives, as well as ISO images and RTF documents, were the most frequently observed file types for malicious attachments – together comprising nearly 6m email detections through Mimecast’s platform during the quarter.

Compressed files “allow the inclusion of a more complex and potentially multi-malware payload,” the analysis notes, “but also serve as a very basic means to hide the true file name of any items held within the container.”
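The concealment a container provides is a detection problem as much as a delivery trick, so the following is an added example (not code from the article or from Mimecast) of a mail-gateway check that enumerates the entries inside a ZIP attachment before a user ever opens it. The extension watch-list and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Assumed watch-list of types that execute code or carry macros; tune per environment.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd",
    ".jar", ".lnk", ".docm", ".xlsm", ".pptm",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso"}


def inspect_zip_attachment(data: bytes) -> list:
    """Enumerate the entries of a ZIP held in memory and return one finding
    per entry that warrants blocking or closer inspection."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in RISKY_EXTENSIONS:
                reasons.append("executable or macro-enabled type " + ext)
                if len(parts) > 2:  # e.g. invoice.pdf.exe
                    reasons.append("double extension hides true type")
            if ext in ARCHIVE_EXTENSIONS:
                reasons.append("nested archive " + ext)
            if info.flag_bits & 0x1:  # general-purpose bit 0 marks an encrypted entry
                reasons.append("encrypted entry cannot be scanned")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (placeholder bytes, not real malware): a benign
    text file beside a double-extension executable and a macro-enabled document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("Invoice_2019.pdf.exe", b"MZ placeholder bytes")
        zf.writestr("timetable.docm", b"PK placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The same enumeration can be applied to RAR, 7z and ISO containers with the corresponding libraries; the point is to judge the inner file names, not the outer one.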

The constant stream of email-based attacks is taking its toll on victims, with recent figures from Risk Based Security’s Data Breach QuickView Report suggesting that the number of reported data breaches doubled since last year – with 7.9 billion records exposed in breaches during the first nine months of this year alone.

Centralisation of large volumes of data was compounding the problem, with just six breaches leading to the exposure of some 3.1 billion data records.

The figures suggest that “data theft has reached epidemic proportions,” ProPrivacy data privacy expert Ray Walsh said on the back of that data.

“This is especially concerning given the recent industry-wide push for improved data protection standards and cybersecurity investment,” he said. “Hackers are targeting sectors that provide the most potential returns for those efforts.

“Despite the recent drive in investment and growing awareness of the risks, there is still a lot of improvement because the vast majority of successful penetrations occurred due to misconfigured databases, backups, endpoints and services. Getting things right stands to massively improve security and shows that firms are still leaving the doors open to attacks.”