UK Universities Suffer Most APT Attacks in 2015

FireEye has just released its latest stats on APT attacks in the first half of the year, with the UK dropping one place, from fourth to fifth, to prop up the top five most attacked countries in EMEA.

However, of particular interest was the stat that education was the most targeted sector in the UK followed by energy/utilities and financial services, as I wrote in this Infosecurity piece.

I get the other two, but education? I asked FireEye threat expert Jens Monrad for more detail.

“If we look into the motive, there are three key types of threat actors who want to target education. Advanced Persistent Threat (APT) groups will likely seek to use a university’s network infrastructure as a staging ground from which to launch cyber operations against targets in other industries, on the assumption that their activity will appear less suspicious if it originates from a reputable university network,” he told me.

“These threat actors may also target educational institutions to gain access to sensitive intellectual property, such as from university research centres for the purpose of economic espionage.”

Aside from APT attackers, there’s also a risk to schools and universities from financially-motivated cybercriminals looking to steal sensitive personal and financial information from students, faculty, and staff, he added.

“And hacktivists could deface and disrupt university websites as a method of protest or way to call attention to a certain cause,” Monrad concluded.

Universities conducting research with a “potentially high economic pay-off” or those supporting sensitive government contracts are most at risk from APT groups, he added.

So what kind of malware have these institutions been facing?

The publicly available remote access tool (RAT) LV/NjRat, for one. This little nasty is capable of keystroke logging, credential harvesting, reverse shell access, file uploads and downloads, and file and registry modifications, Monrad explained.

“This RAT also offers threat actors a ‘builder’ feature, allowing them to create new variants based on configurations of command and control servers, specified filenames, options to spread via USB, designated campaign names for internal tracking, and other customisation options,” he added.

“Additionally, this RAT gathers and sends important information about infected machines to its command and control server, possibly using a custom protocol over port 80, to include NetBIOS name, user, date, locale, and Windows OS name.”
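The two traits Monrad describes, a non-HTTP protocol riding on port 80 and a check-in that carries the machine's NetBIOS name and username in the clear, can be turned into a simple hunting query over network flow data. The script below is an added example, not from the post, FireEye or Monrad; the flow records, the inventory of internal hosts, and the beacon payload format are all constructed for illustration and do not reflect the real malware's wire format.

```python
import re

# Constructed inventory of which host/user sits behind each internal IP (assumption).
INVENTORY = {
    "10.20.1.15": {"netbios": "LAB-PC07", "user": "jsmith"},
    "10.20.1.22": {"netbios": "LIB-KIOSK2", "user": "kiosk"},
}

# Constructed flow records: destination port plus the first client bytes,
# as a sensor that logs the start of each connection might record them.
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "203.0.113.7", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"},
    {"src": "10.20.1.15", "dst": "203.0.113.9", "dport": 80,
     "payload": b"\x00\x2bLAB-PC07|jsmith|2015-06-01|en-GB|Windows 7"},
    {"src": "10.20.1.22", "dst": "203.0.113.9", "dport": 80,
     "payload": b"\x00\x10ping|0|keepalive"},
    {"src": "10.20.1.22", "dst": "198.51.100.4", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")


def looks_like_http(payload: bytes) -> bool:
    """True when the first client bytes form a valid HTTP/1.x request line."""
    return REQUEST_LINE.match(payload) is not None


def non_http_on_port_80(flows):
    """Port-80 flows whose opening bytes are not HTTP: a hunting lead, not proof."""
    return [f for f in flows if f["dport"] == 80 and not looks_like_http(f["payload"])]


def leaks_host_identity(flow, inventory=INVENTORY):
    """True when the payload carries the sender's own NetBIOS name or username in clear text."""
    host = inventory.get(flow["src"])
    if host is None:
        return False
    text = flow["payload"].decode("latin-1")
    return host["netbios"] in text or host["user"] in text


def triage(flows, inventory=INVENTORY):
    """Return (src, dst, reason) for suspicious port-80 flows, identity leaks first."""
    hits = []
    for f in non_http_on_port_80(flows):
        reason = "identity-leak" if leaks_host_identity(f, inventory) else "non-http"
        hits.append((f["src"], f["dst"], reason))
    return sorted(hits, key=lambda h: h[2] != "identity-leak")
```

Both rules are heuristics: proxied or tunnelled traffic can also produce non-HTTP bytes on port 80, so the output is a queue for an analyst, not an alert on its own.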

FireEye has seen cases where individual students were targeted, with the attacker taking screen captures when they opened specific documents.

Educational institutions have also been targeted with StickyFingers, aka QUICKBALL. This is a DLL backdoor favoured by Chinese APT attackers to gain reverse shell access to targeted systems.

With the caveat that this is only information gleaned from one security vendor’s customers, there still seems to be plenty for infosecurity bosses at the UK’s universities and colleges to mull over.
