Who Would Attack A College?

In the time I’ve been at FIT, one of the questions I get asked most frequently is “Who would hack a college?”  As it turns out, there are lots of reasons that someone would launch a cyber attack against colleges and universities:

  • Political motives:  Someone might want to make a political statement against the Fashion Industry or the State of New York, to name a few.
  • Revenge:  Students or employees who feel that they were mistreated by the college in some way could take retribution.
  • Money: Stolen information, especially student identities, is valuable on the black market.  In addition, in 2016 ransomware payments worldwide topped $1 Billion, and the numbers keep growing.  As we’ll see later in this note, research and intellectual property are also worth millions of dollars or more.
  • Attacking a third party: Often attackers hack one party to use as a launch point to attack another.  Target Inc. was attacked through one of their vendors, and the Democratic National Committee was hacked using email accounts stolen from a university.

A key point to remember is that there is a very well-established marketplace of hackers for hire, so the people who want to attack us can easily find and pay people to help them do it.

The Mabna Institute Attack

In short, we are very much a target.  This was highlighted a few months ago when the FBI indicted nine individuals who worked for Iran’s Revolutionary Guard but were using Iran’s Mabna Institute, a governmental think tank, as cover.  The individuals were specifically targeting colleges and universities worldwide, typically through social engineering tactics such as phishing.  Here are some statistics:

  • Over 320 colleges attacked, plus the United Nations. (FIT was not targeted in this attack)
  • Over 100,000 faculty members targeted
  • Almost 8,000 faculty members were tricked into revealing their login credentials
  • 31.5 Terabytes of information were stolen, valued at $3.4 Billion

The attackers accomplished this by researching their targets and sending emails that specifically referenced the target’s academic work.  Here’s an example that was shared with me by the FBI:

Note that the URL (just after the black box) points to a .edut domain, not .edu.  That .edut link points to a server that mimics the login page of the victim’s research system but actually steals their login credentials, allowing the attacker to come back later, log in as the target, and steal their research.
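The lookalike-domain trick above is something a mail filter or a reader can check for mechanically.  The following is an added illustration, not code from FIT or from the FBI: it pulls the links out of a message body, reduces each host to its registrable domain, and flags any domain that is a near-miss (one or two edits away) of a domain on a trusted list.  The trusted list, the sample message, and the edit-distance threshold are all assumptions chosen for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains users legitimately log in to (assumption for
# this example; fitnyc.edu is the only real value and it appears on the page).
TRUSTED_DOMAINS = {"fitnyc.edu"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Lowercased host reduced to its last two labels, e.g.
    'login.fitnyc.edut' -> 'fitnyc.edut' (a simplification; no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """'trusted' if the host is, or sits under, a trusted domain; 'lookalike' if its
    registrable domain is a near-miss of one (e.g. .edut for .edu); else 'unknown'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    dom = registrable_domain(url)
    if any(0 < levenshtein(dom, t) <= max_dist for t in trusted):
        return "lookalike"
    return "unknown"


def find_lookalike_links(body: str) -> list:
    """Every URL in the message body whose domain mimics a trusted one."""
    return [u for u in URL_RE.findall(body) if classify_url(u) == "lookalike"]


# Constructed sample lure, modelled on the message described above (not the FBI's).
SAMPLE_EMAIL = """Dear Professor, I read your recent paper on textile dyes.
The full text is here: https://login.fitnyc.edut/research/view?id=42
Our library copy: https://library.fitnyc.edu/catalog
Unrelated: https://www.example.org/"""
```

Run `find_lookalike_links(SAMPLE_EMAIL)` on the constructed message and only the .edut link is returned; the genuine library link is recognised as sitting under the trusted domain.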

What can you do?

There are several steps you can take to avoid being a victim.  First, be cautious and trust your instincts.  If something feels suspicious it probably is.  Visit the phishing section of our Cybersafe web page to learn all about how to recognize phishing, and if you’re a staff or faculty member, take our online cyber awareness training course.  Your information is your own: do what you can to protect it.

About Cybersafe

The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.

-Walter Kerner

Assistant Vice-President and Chief Information Security Officer