Digital Attacks on Educational Resources

It’s fair to say that this year has been an atypical year for the educational threat landscape. With closures in response to COVID and the looming threat of additional waves, schools have been forced to digitally transform in ways we could have never imagined.

Just last year, we were talking about the threats and risks involved with the digitalization of the classroom and smart campuses, only to find ourselves quickly moving towards remote solutions due to new sanitation and social distancing requirements.

While the outbreak has prevented many schools from opening, there have been a fair number of attacks launched against educational resources during the first half of the year. In general, the spring and summer are normally calm periods for school networks. It’s during the fall that activity begins to pick back up as students return to the classrooms. This is when we see students turn into threat actors, looking to manipulate the registration process, delay tests or target digital learning platforms for a number of reasons.

Logically, you might assume that with no students on campus there is no problem, but you would be mistaken. While students may not physically be on campus, they are already learning new tricks for skipping digital classes, such as renaming themselves “Reconnecting” or looping videos. The risk has grown so much that the FBI released an alert in April warning about threat actors taking advantage of the COVID pandemic by exploiting the use of virtual environments via software, communication and remote access tools, all of which are also incredibly vulnerable to service degradation.

It’s DDoS Time

The fruit is starting to hang low again as everyone scrambles to deal with the new normal. The virtual environment software, communication and remote access tools that we have become very dependent on present a new and expanded threat landscape that we must address as minor outages begin to carry larger impacts again.

For example, back in May, Yildiz Teknik University in Turkey suffered from a 30Gbps DDoS attack. This attack was directed at the University’s remote educational platform, resulting in service degradation and disruption for students at the end of the first wave in Turkey.

Source: Twitter

There have also been many examples of attackers launching Denial of Service attacks during the first half of the year against remote education platforms in Russia. Threat actors most recently targeted a website that hosted the results for the Unified State Exam (USE). While there was no impact on the test itself, the results website was hit with a 6Gbps DDoS attack. On the day of the attack, students were preparing to take the USE in Social Science and Chemistry, leaving many experts wondering if a student was behind the attack and what their motivation was.

And finally, in the United States, threat actors attempted to disrupt the Michigan Bar Exam when they launched a network-level DDoS attack on its login portal at 8:55 CST on July 28th. While some have contested these claims, one thing can be said: With new social distancing requirements combined with the work-from-home movement, there are more digital users than ever attempting to access similar resources in a much higher volume than a year before.

It’s Not Just DDoS

Outside of Denial-of-Service, threat actors are taking advantage of the COVID pandemic by exploiting those that are vulnerable and likely to pay hefty ransoms. For example, back in June, the University of California San Francisco, which is a leading school in COVID research, suffered a ransomware attack from the Netwalker criminal gang. This group has a history of targeting health care organizations and was able to extort $1.14 million from the University in exchange for decrypting its data.

Source: BBC

The supply chain for the educational system is also at risk. In May, Blackbaud, a U.S.-based firm that provides education administration, fundraising and financial management software, suffered a ransomware attack in which an undisclosed amount was paid. Dozens of colleges in the U.S., UK and Canada were impacted by this attack, leaving many wondering why it took Blackbaud so long to notify victims that data had been stolen.

These attacks should come as no surprise though. Not only did the FBI release an alert in April 2020, but back in February 2019, the FBI also issued a PIN alert about threat actors conducting successful spear phishing campaigns against students at multiple universities. Phishing, a common way ransomware is distributed, can also be used to harvest credentials from unsuspecting victims. In this event, criminals were phishing students for the purpose of gaining unauthorized access to their accounts so the criminals could change banking information and collect financial aid payments. This is something to be especially aware of as the new school year gets underway.

Digital Divide Created by COVID

Without a doubt, the digital divide has grown and keeps growing in the wake of COVID. The good news is, there are always those who look to bridge the divide by providing resources to children and schools who cannot afford to purchase their services or devices.

For example, in Harris County, Texas, commissioners voted to allocate $32 million from the Coronavirus Aid, Relief, and Economic Security, or CARES Act, to address the digital divide caused by COVID. The money will be used to target low-income students through a partnership with the Texas Education Agency and T-Mobile to provide more than 200,000 devices and 80,000 WiFi hotspots to help students participate in virtual learning in the upcoming semesters.

The only issue I see with this plan is one of logistics, patching and maintenance. While this initiative is one I support wholeheartedly, there are a lot of issues that can come from this, specifically with the 80,000 WiFi hotspots that will be going to support minors online. These devices will likely miss patches or firmware updates and become more low-hanging fruit for bot herders looking to expand their bot count (likely the very bots that will be used by a stresser service to attack education resources).

In the End

As the 2020/2021 school year begins, educational institutions have to consider a new normal due to the risk of additional COVID waves. At the moment, schools are faced with tough choices when it comes to re-opening. They can opt to host students in class and risk it, or they can cancel school outright. The other options, full remote or hybrid, require major investments, by both the students and the schools, in network devices and software.

Whatever way you split this pandemic, campuses will be forced to digitally evolve if additional waves come around. We are already seeing this kind of preparation in many industries whose employees are now working from home. On a positive note, many have said it, and I would agree with it: While this is a painful moment for everyone in the world, we will emerge more technologically advanced, digitally secured and socially aware than ever before.


Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
