Check Point Research: Education and Research Institutions Prime Targets

In an ever-growing digitalised world, the education sector has already transformed itself into a digitalisation platform, and elevated its services to students and educators, widely using it across schools, universities, and other relevant organisations. However, as always, with progress comes risks and a variety of threats, and this domain is no exception.

In this report, Check Point Research (CPR) reveals that the education and research sector has been the most targeted domain compared to other industries. Furthermore, our data highlights a significant disparity between the domain and others.

Education Under Attack
So far this year, the Education/Research sector experienced an average of 2,256 weekly cyberattacks per organisation. This reflects a slight decrease of 1% compared to the same period last year. However, despite this small decline, it is remarkable that the Education/Research sector still exhibits the highest rate of cyberattacks among all industries, which is a significant contrast.

Figure 1: Average weekly attacks per org

Why is This Happening?
The data shown here underscores the vulnerability of the education and research sector to cyber criminals. What are the reasons behind this trend? Why does this sector stand out as a preferred target?

One possible explanation is the pervasive digitalisation within the sector and its heavy reliance on online platforms for various purposes such as studying, teaching, and testing. The proliferation of digitalisation provides ample opportunities for attackers to exploit and amplify their attacks. Moreover, educational organisations store extensive amounts of sensitive student information, including personal and financial records, making them enticing targets for malicious actors.

In May it was widely reported that several U.S. Schools, colleges and universities have been impacted by ransomware attacks, causing severe disruption

Overall Attacks per Region
So far in 2023, the APAC region recorded the highest rate of weekly cyberattacks per Education organisation, with a weekly average of 4,529 attacks. Europe experienced the highest change compared to the same period last year, with an 11% increase YoY.

Figure 2: Overall attacks per region

Phishing Example – Golden Gate University Phishing Scam
In July 2023, a phishing email posing as Golden Gate University surfaced (see Figure 3). Pretending to be from “Golden Gate University”, but sent from an unrelated email address (mentor@skillmirrors[.]com), the email carried the subject “Seize Your Educational Opportunities – Explore Our Programs.” and showed information allegedly from an Ed-Tech firm named TalentEdge.

The email aimed to trick recipients into clicking an application link, which led to a website that is currently inactive (https://app[.]leadershipflag[.]com/campaigns) and has been flagged by multiple security vendors as a malicious phishing website. This could have potentially led users to give up their personal details or even perform an online payment on a fraudulent website.

Figure 3: Golden Gate University phishing email example

How to Remain Protected Against Cyberattacks

• Educate and train: First and foremost, educating and training your work force to take security precautions to prevent a breach from occurring.
• Robust Data Backup: A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent. However, it is important to ensure that the data backup solution cannot be encrypted as well.
• Up-to-Date Patches: Keeping computers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks as such patches are usually overlooked or delayed too long to offer the required protection.
• Anti-Ransomware Solutions: Anti-ransomware solutions monitor programs running on a computer for suspicious behaviours commonly exhibited by ransomware, and if these behaviours are detected, the program can take action to stop encryption before further damage can be done.
• Utilise better threat prevention: Most ransomware attacks can be detected and resolved before it is too late. You need to have automated threat detection and prevention in place in your organisation to maximise your chances of protection.