The Rising Tide of Cyber Threats in the Education Sector: A 2024 Overview
The education sector is increasingly becoming a top target for cybercriminals, with a noticeable rise in cyberattacks aimed at schools and universities throughout 2024. As institutions continue their digital transformation and integrate more technology into classrooms, they expose themselves to new security threats. This year, the education sector has witnessed a surge in ransomware incidents, data breaches, and phishing attacks, exploiting outdated systems and insufficient cybersecurity practices. These cyberattacks disrupt learning environments and risk exposing the sensitive personal data of students and staff.
Cyber Threat Landscape in Education
The education industry has become an increasingly attractive target for cybercriminals in 2024, with a variety of threat actors actively exploiting vulnerabilities in this sector. Microsoft’s Cyber Signals report highlighted the severity of the issue, revealing a rising trend in cyberattacks targeting educational institutions globally. Over the past year, schools faced threats like ransomware and phishing, fueled by the sector’s reliance on outdated infrastructure and lack of robust security measures.
According to the report, attackers focus on exploiting these vulnerabilities to steal sensitive data, disrupt operations, and demand hefty ransoms, further crippling already strained IT budgets. The education sector is becoming a prime target due to the extensive personal information stored in its systems and the high potential for operational disruption.
Top Threat Actors Targeting the Education Industry
This year’s data highlights the prominence of hacktivist groups, particularly from South Asian countries, which have targeted India’s education sector, with most attacks involving data leaks. The strong focus on India stems from two key factors: South Asian groups, particularly those with Islamic leanings, view India as a primary cyber target, and the country’s education sector has notable cybersecurity weaknesses. Given India’s perceived bias in the Israel-Palestine conflict, it is unsurprising that hacktivists from neighboring countries have exploited these vulnerabilities.
When examining data across various industries, it’s clear that the education sector continues to rank high in terms of cyberattack targets. Despite not being the most lucrative sector for financial gain, the sensitive data stored within educational institutions and their comparatively weaker defenses make them particularly appealing to cybercriminals. The combination of valuable personal information and the ease of exploiting outdated systems allows this sector to stand out among dozens, if not hundreds, of other industries.
Ransomware Groups Targeting Education
Beyond hacktivism, ransomware poses another significant threat. LockBit, though diminished in power, has continued to target education-related institutions, seemingly unconcerned with financial gain. Throughout the year, the educational services sector has repeatedly been hit by ransomware attacks, attracting the attention of other groups as well.
In particular, the US education sector has faced severe disruptions due to ransomware this year, with schools being forced to close, sensitive data allegedly leaked, and a range of other issues arising. The following list illustrates the diverse range of cyberattacks and methods that have targeted the education sector this year.
Notable Cyber Incidents in 2024
1. Highline Public Schools Hit by Ransomware Attack
Highline Public Schools, serving over 17,500 students across 34 schools in Washington State, confirmed a ransomware attack in early September that forced a district-wide shutdown. The attack, discovered on September 7, led to the closure of schools and suspension of activities. The district is still working to restore its network, with plans to re-image all staff and student devices beginning October 14.
No details about the ransomware group involved or potential data exposure have been released yet, but as a precaution, staff are offered one year of free credit and identity monitoring. Highline is working with federal and state authorities and has engaged third-party cybersecurity specialists to investigate the breach.
2. Toronto District School Board Confirms Student Data Breach
The Toronto District School Board (TDSB) confirmed in August that student information was compromised in a ransomware attack discovered in June. Initially, TDSB stated that the attack targeted a separate technology testing environment. The board oversees 582 schools and approximately 235,000 students. This week, TDSB revealed that data from some students in the 2023/2024 school year, including names, grades, email addresses, and birth dates, was affected.
Although TDSB assured that the risk to students is low and no data has been publicly disclosed, the LockBit ransomware group claimed responsibility for the attack, demanding a ransom with a 13-day deadline.
3. Alleged Data Leak of Khyber Pakhtunkhwa Finance Department’s Parents Teachers Councils (PTC)
A hacker claims to have leaked sensitive PTC data from the Finance Department of Khyber Pakhtunkhwa. The breach includes EMIS codes, school and monitor details, account information, and financial data, potentially exposing individuals to identity theft and fraud. This alleged leak highlights a persistent vulnerability in the education sector: insider access. Employees and even students can access school systems, and that access often leads deeper into sensitive areas.
4. Fog Ransomware Targets US Education via VPN Access
The Fog ransomware group has focused on the US education sector this year, exploiting vulnerabilities in Virtual Private Networks (VPNs). These attacks have disrupted institutions by encrypting vital systems, crippling operations, and restricting access to data. By targeting educational facilities, Fog ransomware has threatened critical administrative functions, demanding significant ransoms that strained the finances of affected organizations.
5. Data Breach at UK-Based MDM Firm, Thousands of Students Affected in Singapore
A significant cyberattack targeted Mobile Guardian, a UK-based Mobile Device Management (MDM) firm, with widespread repercussions in the education sector. Hackers gained unauthorized access to the company’s systems, leading to the remote wiping of devices used by approximately 13,000 students across 26 secondary schools in Singapore. The Ministry of Education (MOE) confirmed that while no evidence of data theft was found, the attack severely disrupted students’ access to essential applications and resources.
6. Unauthorized Access Sale Signals Further Attacks
In a recent incident, cybercriminals advertised unauthorized access to a US education company for sale on a hacker forum monitored by SOCRadar. The access being sold uses the VNC protocol, and the listing includes details about the company’s network, which comprises over 2,200 devices, more than 10 domains, and various storage and virtualization systems.
7. Not Just Hacktivism: Alleged Database Leak of Ambition Institute of Management & Technology in India
In September 2024, a significant data breach allegedly involving the Ambition Institute of Management & Technology in India was detected on a dark web forum. The leaked database is said to contain personal and academic information of both students and faculty, putting them at risk of identity theft and phishing attempts.
8. A Target for Pro-Russian Threat Actors
The OverFlame group carried out Distributed Denial of Service (DDoS) attacks against Vilniaus Vandenys, a Lithuanian water utility, and Vilniaus Lazdynų Mokykla, a local school. The disruption affected the operations of both institutions, with a potential political or ideological motive behind the choice of targets.
9. UserSec Launches Cyber Attack on Academia.edu
On September 2, 2024, UserSec, a well-known hacktivist group, executed a cyberattack on Academia.edu, a platform that facilitates academic sharing and networking among researchers. The group announced the attack via their Telegram channel, claiming they had accessed a personal office within the site.
10. Cyber Army Targets Ukrainian Medical Exams
On August 20, 2024, the pro-Russian hacktivist group CyberArmy launched a cyberattack on Professional Medical Examinations (PME), a Ukrainian institution that provides certification exams for the healthcare industry.
Conclusion
The expanding use of online learning platforms and digital tools has opened up numerous attack vectors for cybercriminals, who often see schools as vulnerable targets due to limited cybersecurity budgets and a reliance on older IT infrastructures. This evolving threat landscape highlights the urgent need for improved cybersecurity measures across the education sector to safeguard against growing attacks.
Threat actors, often active on the Dark Web and hacker forums, continue to adapt their tactics. This dynamic environment makes it crucial for educational institutions to implement effective cybersecurity strategies. Solutions offered by SOCRadar provide real-time threat detection and prevention, empowering schools and universities to protect their sensitive data and maintain operational resilience. By prioritizing cybersecurity, educational institutions can not only defend against current threats but also build a robust foundation for a safer digital learning environment in the future.
SOCRadar’s Advanced Dark Web Monitoring solution plays a pivotal role in fortifying the cybersecurity posture of educational institutions. By continuously scanning the Dark Web, black markets, and underground forums, SOCRadar helps identify potential threats, such as compromised credentials and leaked sensitive information, before they can be exploited. This proactive approach empowers schools and universities to detect emerging risks early, enabling them to respond swiftly and protect both their data and students’ privacy, ensuring a secure learning environment.