Hostile state-sponsored hackers are targeting universities where crucial research is urgently being conducted to fight Covid-19. This in turn could compromise the effectiveness of any Covid-19 contact tracing app.
For many years now, it has been recognised that state-sponsored hackers target universities. Universities produce world-leading academic research in sensitive areas such as medicine and defence. The UK National Cyber Security Centre (NCSC) has reported that malicious attacks have originated from North Korea, Iran and Russia. The aims of the malicious actors include undermining the value of research, causing a reduction in investment in affected universities and thereby damaging the UK universities’ standing and integrity.
The attacks, which a spokesperson for NCSC referred to as “utterly reprehensible”, target higher-education and research institutions conducting government-funded scientific, medical and public health research.
As cyber-attacks become more sophisticated, the cost of cybersecurity increases substantially. Universities are forced to invest in further defences against attacks to protect their researchers’ priceless intellectual property and state secrets.
For example, in 2018, Secureworks, the cybersecurity company, reported large-scale phishing attempts by an Iranian group called ‘Cobalt Dickens’. In March and August of that year, the group directed attacks towards some UK universities. Their modus operandi involved establishing a fake login page to the library with the intention that an unsuspecting user would enter their credentials, thereby allowing the hacker to gain access to the system. Overall, it was calculated that the group targeted seventy-six universities in fourteen countries. Following this, nine Iranian operatives were indicted in the US in 2018.
This did not deter them, as Cobalt Dickens hackers subsequently repeated their assault in September of 2019 using very similar methods. That campaign involved phishing attempts against sixty different universities across the globe.
Since the outbreak of Covid-19 from Wuhan in China in January of this year, many governments have invested heavily in research to manage the spread of the virus. Governments are urgently seeking technological and medical solutions such as contact-tracing apps, vaccines, experimental treatment, tests and antibody tests. Such knowledge would be highly valuable to a rival or hostile state. States are aggressively striving to gather the best intelligence, not only to apply it to their own state but to undermine enemy states. Many universities in the UK are capable of creating a vaccine for Covid-19 and those institutions are vulnerable while there is a race among states to possess the best intelligence and research to handle the virus.
The frequency of attacks has accelerated and increased in parallel with the increase in research, with malicious actors seeking valuable research on national healthcare policies, logistics and sensitive health data. For example, according to an investigation by the Guardian, Russia, China and Iran have been attempting to penetrate the ongoing research into a vaccine at Oxford University. Vital research is ongoing in conjunction with AstraZeneca in Cambridge to create a vaccine for which human trials are due to begin shortly.
An advisory was issued jointly by the NCSC and the US Cybersecurity and Infrastructure Security Agency (CISA) on 5th May 2020 in this regard. It was intended for international healthcare, essential services and medical companies to alert them to the threat of cybersecurity campaigns against them. Campaigns are being carried out by ‘advanced persistent threat’ (APT) groups. APT groups are actively targeting pharmacies, medical research facilities, local government and universities.
These groups are engaged in password spraying campaigns, a type of brute-force attack whereby the malicious actor tries one password against many accounts until they guess the correct password and penetrate the university’s system. Once the actor is in the system, they will attempt to access other accounts in which the same credentials are used. Once that is accomplished, they may advance their attack by accessing other accounts and data within the network.
Paul Chichester, NCSC Director of Operations, states that the NCSC will cooperate with universities to assist them at this critical juncture. He comments:
“By prioritising any requests for support from health organisations and remaining in close contact with industries involved in the coronavirus response, we can inform them of any malicious activity and take the necessary steps to help them defend against it.”
Nevertheless, universities must be aware of threats posed against them and invest heavily in their own cyber-security, risk assessments and prevention. The Joint Advisory published advice on how to mitigate these incidents. The following steps can be taken to reduce the risk of such incidents occurring:
- Updating VPNs
- Ensuring network infrastructure devices maintain the latest software patches and configurations
- Using multi-factor authentication
- Protecting the management interfaces of critical operational systems
- Setting up monitoring systems
Institutions ought to maintain their intrusion detection systems and renew their virus protection frequently.
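The following added example (not part of the original article or of the NCSC/CISA advisory) shows one way monitoring can surface the password spraying pattern described above: a single source failing against many distinct accounts within a short window, plus any successful login from that source afterwards. The log format, thresholds, account names and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption): ISO time, source IP, account, result.
SAMPLE_LOG = """\
2020-05-05T09:00:01 203.0.113.7 a.smith FAIL
2020-05-05T09:00:09 203.0.113.7 b.jones FAIL
2020-05-05T09:00:15 203.0.113.7 c.patel FAIL
2020-05-05T09:00:22 203.0.113.7 d.khan FAIL
2020-05-05T09:00:30 203.0.113.7 e.wong OK
2020-05-05T09:01:00 198.51.100.4 a.smith FAIL
2020-05-05T09:01:05 198.51.100.4 a.smith FAIL
2020-05-05T09:01:11 198.51.100.4 a.smith OK
"""

def parse(log_text):
    """Yield (timestamp, source_ip, account, result) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Flag sources whose failures hit >= min_accounts distinct accounts within window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, u) for ts, u, r in events if r == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            targeted = {u for _, u in fails[start:end + 1]}
            if len(targeted) >= min_accounts:
                first = fails[start][0]
                # A success from the same source after the spray began needs review.
                hits = sorted({u for ts, u, r in events if r == "OK" and ts >= first})
                findings[ip] = {"targeted": sorted(targeted), "possible_compromise": hits}
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

Repeated failures against a single account, as from the second source in the sample, do not trigger the rule; that pattern is what ordinary per-account lockout already handles, which is why spraying spreads its guesses across many accounts.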
According to an NCSC specialist, none of the attacks in the UK has been successful so far. Oxford University has started human trials for the vaccine and they have confirmed that they are working with NCSC on their cybersecurity. Meanwhile, individual academics should change their passwords frequently and be alive to phishing attempts. It is expected that these types of targeted attacks will increase in the coming months while overwhelming demand for a vaccine persists.
Covid-19 Contact Tracing App
In addition to a vaccine, many universities are working on developing a contact tracing app designed to track the spread of the virus through the population and alert individuals who may be at risk of becoming ill. The NHS has developed an app which would require at least 60% of the population to download it in order for it to be effective. This weekend, however, the Observer conducted a poll which suggested that only 50% of people in Britain would download it. Further research needs to be carried out; nevertheless, it may be inferred that high-profile data breaches in the past may have had a chilling effect on people in terms of sharing their data with private companies and governments. Stories about state-sponsored hackers may make people wary of sharing their sensitive health data with researchers. The ICO has stated that contact tracing apps can collect data as long as it is anonymised; however, that might prove difficult if individuals’ precise geolocation data is collected. Thus, even if the hackers have not succeeded in penetrating university networks, they may have achieved their aims of undermining Britain’s efforts against the virus indirectly.