Hackers target UK universities accredited by NCSC

Iranian criminals tried to phish 18 universities, half of them offering NCSC-approved cybersecurity courses

A group of Iranian cybercriminals has attempted to hack into the systems of 18 or more UK universities this year, in a campaign lasting several months and successfully penetrating the defences of at least one target.

Half of the universities that the group focused on offer degrees in cybersecurity, approved by the National Cyber Security Centre (NCSC), although it is unclear if that was a factor in the decision to target them.

A spokesperson for the NCSC said: "Universities are a popular target for cyber actors seeking access to intellectual property, such as cutting-edge research. The NCSC supports the academic sector to help them to improve their security practices. This has included our Active Cyber Defence programme, which took down 23 attempts to spoof one university's website. We urge universities to follow the best practice cybersecurity advice on the NCSC website."

The hackers attempted to phish people with university log-ins in an attempt to learn their passwords. To make the emails look genuine, the group created several fake websites with an appearance similar to the original.

According to the creation dates of these sites, the hackers have been active since at least May, when they set up a site for Lancaster University - apparently the only target where the hack was partially successful. The university says that ‘a small number’ of recipients fell for the attack, but it reset their passwords and is investigating whether any information was stolen.

Security researchers believe that the attacks may be linked to a campaign earlier this year, in which criminals stole research from multiple universities and published it on websites in Iran. Since then, the researchers have been tracking the creation of new fake websites that have apparently been set up by the same group.

As well as appearing visually similar to the genuine sites, the fake pages used the web's ‘green padlock’ system to further reassure victims that they were safe to use. However, this symbol only confirms that traffic to and from the site is encrypted, not that the site itself is safe.
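The defensive counterpart to the point above, as an added illustration that is not code from the article or from any organisation it names: a domain-validated certificate proves only that the applicant controls the name it is issued for, so a lookalike domain gets a padlock as easily as the real one. Because certificate issuance is recorded in public Certificate Transparency logs, a university can watch those logs for new names that resemble its own. The script below is a small triage filter over a handful of constructed certificate records for a hypothetical protected domain `exampleuni.ac.uk`; every hostname, issuer string, date and threshold in it is made up for the example.

```python
"""Triage filter for certificate-transparency-style records: flag newly issued
certificate names that resemble a protected domain.

Added example; the records, the protected domain and the scoring thresholds are
all constructed for illustration, not taken from the article.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List

# Characters commonly swapped for letters in lookalike names (heuristic table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class CertEntry:
    """One certificate log record, reduced to the fields this filter needs."""
    common_name: str
    issuer: str
    not_before: str  # ISO-8601 date of issuance


@dataclass
class Finding:
    entry: CertEntry
    reasons: List[str] = field(default_factory=list)


# Constructed sample records for a hypothetical university domain.
PROTECTED = "exampleuni.ac.uk"
SAMPLE_ENTRIES = [
    CertEntry("login.exampleuni.ac.uk", "ExampleCA", "2018-05-02"),
    CertEntry("exampleuni-ac-uk.login-portal.net", "ExampleCA", "2018-05-10"),
    CertEntry("examp1euni.ac.uk.secure-sso.org", "ExampleCA", "2018-06-01"),
    CertEntry("shop.unrelated-store.com", "ExampleCA", "2018-06-03"),
    CertEntry("library.exampleuni.ac.uk", "OtherCA", "2018-06-05"),
]


def canonical(hostname: str) -> str:
    """Lower-case, strip a trailing dot and any wildcard prefix."""
    h = hostname.strip().lower().rstrip(".")
    return h[2:] if h.startswith("*.") else h


def is_owned(hostname: str, protected: str) -> bool:
    """True when the name is the protected domain itself or a subdomain of it."""
    h = canonical(hostname)
    return h == protected or h.endswith("." + protected)


def lookalike_reasons(hostname: str, protected: str, threshold: float = 0.85) -> List[str]:
    """Return the heuristics a name trips; an empty list means nothing suspicious."""
    if is_owned(hostname, protected):
        return []
    brand = protected.split(".")[0]        # "exampleuni"
    raw = canonical(hostname)
    folded = raw.translate(HOMOGLYPHS)     # undo digit-for-letter swaps
    reasons = []
    if brand in folded.replace("-", ""):
        reasons.append(f"brand token {brand!r} embedded in hostname")
    if protected.replace(".", "-") in folded:
        reasons.append("protected domain rewritten with hyphens instead of dots")
    for label in raw.split("."):
        ratio = SequenceMatcher(None, label, brand).ratio()
        if label != brand and ratio >= threshold:
            reasons.append(f"label {label!r} resembles {brand!r} (similarity {ratio:.2f})")
    return reasons


def flag_entries(entries, protected: str) -> List[Finding]:
    """Keep only records that trip at least one heuristic, oldest first."""
    findings = [Finding(e, lookalike_reasons(e.common_name, protected))
                for e in sorted(entries, key=lambda e: e.not_before)]
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in flag_entries(SAMPLE_ENTRIES, PROTECTED):
        print(f"{f.entry.not_before}  {f.entry.common_name}  ({f.entry.issuer})")
        for r in f.reasons:
            print("    -", r)
```

The output is a shortlist for an analyst, not a verdict: names that merely embed the brand token can belong to legitimate partners, so the reasons are reported alongside each hit rather than collapsed into a score. Subdomains of the protected domain are skipped outright, since the organisation already controls them and an ordinary certificate inventory covers those.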

US company Let's Encrypt, which granted the domain validation certificates to the hackers, told Forbes:

‘Browsers are misleading people about site safety when they display lock icons. Some people incorrectly interpret lock icons as a sign that a site's content is safe or trustworthy, and that's a completely separate issue from whether or not the connection is secure. We would like to see browsers stop displaying lock icons on the basis of the existence of a secure connection.’