Are staff and students behind cyber attacks?

New research from Jisc raises suspicions that staff or students could be in the frame

Data collected by the UK’s education technology not-for-profit, Jisc, about attacks on the national research and education network, Janet, raises suspicions that university students or staff could be responsible. Head of Jisc’s security operations centre, Dr John Chapman, explains.

It’s notoriously difficult to identify individual cyber criminals, but data Jisc has collected over the past few years has built up a picture of who may be launching attacks on the UK’s colleges and universities based on when they do it. When the data is collated into graphs, clear patterns emerge.

Who and when?
This graph, below, shows the number of DDoS attacks (designed to slow down or disrupt our members’ networks) that have been seen on Janet over the past year. It also shows the peaks and troughs within the year. The troughs, when the number of attacks decreases dramatically, always appear during holiday times.

ABOVE: Black bars indicate holiday times – summer 2017; Christmas; Easter; May half term; summer 2018

This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector. Whichever the case, there’s no point sending a DDoS attack to an organisation if there’s no-one there to suffer the consequences.

Another interesting finding is that the usual dip in attacks during summer 2018 started earlier than the same time last year. The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity – Operation Power Off took down a ‘stresser’ website at the end of April.

Stresser sites basically sell DDoS packages to customers who want to attack internet services under the pretence of “testing” them to see how well they would cope with a DDoS attack. Operation Power Off also targeted owners and customers of the stresser service, leading to other similar illicit businesses going offline as well.

This resulting dearth of attacks for hire, alongside the deterrent effect of the police operation, could explain the reduction in attacks we have seen on Janet since April.

In the graph below, the distribution of attacks over the day shows that it’s quieter at night, while the number of attacks starts to ramp up at 8am, peaks between 9am and early afternoon, and then dies off again.

Interestingly, when comparing the time distribution for the first eight months of 2018 to January to August 2017, there have been slightly fewer attacks starting in the early hours, but more in the core of the day, and the peak also continues for longer. Last year the number of attacks started to wane from 1pm; this year it is 2pm.

Part of our role is to monitor the network and we noticed several attacks at a college earlier this year, which started at 9am and finished at 12pm, began again at 1pm and finished at around 3-4pm. This suggested that the perpetrator was someone who wanted to get online at lunchtime, but didn’t want to do any work during the day. Could a member of staff get away with that, or was a student to blame?

Why?
We can only speculate on the reasons why students or staff attack their college or university: for the “fun” of disruption and kudos among peers of launching an attack that stops internet access and causes chaos; or because they bear a grudge for a poor grade or failure to secure a pay rise.

Occasionally, we can pinpoint the exact reason for an attack. A while back we noticed a DDoS attack against a university, so we activated the mitigation service, which reduces the impact of an attack. A couple of hours later the same institution was targeted again.

The attacks went on for four days and most were occurring at night, so we worked with the university to identify the target, which turned out to be the halls of residence, which raised further questions. We looked at what else was happening on the network at the same time as the attacks and we found a lot of traffic going to online gaming websites.

Further investigation showed that a student in halls had been playing an online game and had attacked another gamer to try and secure an advantage. What we were seeing coming over the network and into the hall of residence was a revenge DDoS attack.

One student convicted for offences connected to the 2015 TalkTalk incident stated he was “just showing off to my mates”. That student had also targeted the University of Manchester and Cambridge University Library.

Adam Mudd was also prosecuted for cyber attacks against his college. Mudd admitted to attacking West Herts College, where he was a computer science student. This attack also affected 70 other institutions in the region, including the universities of East Anglia, Essex and Cambridge. Mudd’s explanation for one of his attacks is that the college had not acted when he had reported that he had been mugged.

Punishment
If a student is caught engaging in illegal online activity like this, it would be up to the college or university to discipline that student. If they want to try and prosecute, they can ask us to help provide evidence, but this doesn’t happen often.

Most of the time when cyber attackers are caught and convicted it’s because they make mistakes. For example, a former student from Stockport who was in court last year for attacking the Janet Network, the National Crime Agency and several multi-national businesses was identified because he failed to cover his tracks.

We operate a zero-tolerance policy to attackers and gave evidence to the police which helped trace and convict this young man. In his case, the motivation was money: Jack Chappell was working with a criminal gang.

Get serious
So, there is evidence, both circumstantial and from the justice system, to suggest that students and staff may well be responsible for many of the DDoS attacks we see on the Janet Network. Jisc’s security operations centre is there to help mitigate attacks on our members, but colleges and universities are responsible for their own cyber space and should not under-estimate the potentially huge financial and reputational impact of a network outage.

Unfortunately, there are far more serious criminal players at work that organisations ignore at their peril. It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.

The blame could lie with criminals intent on selling information to the highest bidder, a business wanting to uncover a competitor’s secrets, or a foreign power trying to gain political leverage. Security agencies, including the National Cyber Security Centre and the FBI, have already warned of state-sponsored attacks by countries including Russia, and the education sector is just as much at risk as any other in the UK.

However, despite these very real and serious threats, our 2018 security posture survey among members showed such cyber attacks were not considered a priority by our members, and they should be.

When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members safe, but there’s no such thing as a 100% secure network.