Colleges warned as cyber threat from Russia increases

Colleges are being warned to brace themselves for possible cyber-attacks amid a heightened threat from Russia following its invasion of Ukraine.

The Association of Colleges has already informed members about “unusual activity” on its jobs website and provided advice to mitigate possible threats.

There are no known cyber-attacks on individual colleges from Russia in recent weeks as yet, but they have been warned they are particularly vulnerable institutions likely to be targeted following the West’s sanctions against Russia.

Henry Hughes, director of security at education technology experts Jisc, said: “Education and research are likely targets, alongside other sectors, and reporting indicates that the chances of Russian state-sponsored action, including via social engineering, have increased significantly.

“Ensuring that fundamental protections are in place and are functioning correctly is the most important priority. This applies in normal circumstances but is now critical.”

Known Russian groups currently being monitored for attacks include Turla, Wizard Spider, Mummy Spider, TA505, LockBit and REvil.

Leveraging crypto currency monetary platforms has become a focus for Putin and the Russian government

The National Cyber Security Centre, part of GCHQ, said it is not currently aware of any specific cyber threats to UK organisations in relation to the Russian invasion but “strongly encourages organisations to follow our guidance on steps to take when the cyber threat is heightened”.

However, KryptoKloud, a cyber security solutions company with over 100 clients, including 12 colleges, told FE Week it has seen a 212 per cent increase in targeted “spear phishing attacks” in the past 14 days compared with early January and February – with some coming from Russia.

Chief executive Paul Burrows said: “To date, KryptoKloud has seen several new ransomware and malicious behavioural activity for the new HermeticWiper, WhisperGate and SaintBot malware families, while correlations for the Buhtrap activity have also been implemented into our cyber-protection capabilities.

“These new cyber-attacks are particularly nasty and seem to be more destructive in nature than previous attacks.”

He told FE Week that Russia has also significantly ramped up its traditional ransomware as a service operation and since the sanctions placed on the Russian banking sector by the West, leveraging crypto currency monetary platforms has “become a focus for Putin and the Russian government”.

Burrows warned that Russia will continue to look for easy targets – such as the education sector – and all FE providers “should ensure they are resilient to these attacks and ensure that they have the necessary processes and controls in place to ensure they can remail cyber and digital secure”.

Cyber-attacks affecting colleges, which have included doctored emails from principals and hoax terror attacks, have been on the rise in recent years and saw a spike during the pandemic following the switch to online learning.

South and City College Birmingham was forced to shut its eight campuses following a “major” ransomware attack that disabled its core IT systems last year. And Lincoln College was hit by a similar attack in 2020, which KryptoKloud stepped in to help fix, which came from Russia.

In a message to members on Wednesday, the AoC said: “Since the recent Russian invasion of Ukraine, we have seen some unusual activity on AoC Jobs. Although our systems can cope with this so far, we wanted to make you aware of some changes that will affect you using the system and some additional precautions you can take as users of the system. 

“We are also adding an additional level of security [such as blocking unknown IP addresses] and potential mitigating risk access points, to ensure that the recruiter portal of AoC Jobs remains as secure as it can be.”

Jisc has issued the following checklist that it advises colleges to follow:

• Ensure critical assets are patched and up to date, and that appropriate compensating controls are in place where they are not.
• Review account management practices, and ensure that only those who need it have admin rights to services.
• Ensure antivirus protections on both servers and workstations are up to date and are being monitored.
• Review firewall rules and remove/disable any redundant rules that could allow a threat actor access.
• Make sure back-ups and recovery processes are following the backup 3-2-1 methodologies and have been tested.
• Ensure all critical services are being monitored.
• Update the incident response plan and test it, to ensure the organisation is prepared in the event of a security incident.
• Revisit phishing awareness training, as this is a common threat route for most advanced persistent threat groups.