Attacks on the education sector are surging: How can cyber-defenders respond?

Academic institutions have a unique set of characteristics that makes them attractive to bad actors. What’s the right antidote to cyber-risk?

We all want the best possible education for our children. But even the best-laid plans can come unstuck when confronted with an agile, persistent and devious adversary. Nation state-aligned actors and cybercriminals represent one of the biggest threats to schools, colleges and universities today. The education sector was the third-most targeted sector in Q2 2024, according to Microsoft.

And ESET threat researchers have observed sophisticated APT groups targeting institutions across the globe. In the period from April to September 2024, the education sector was among the top three most attacked industries for China-aligned APT groups, the top two for North Korea-aligned groups, and the top six for both Iran- and Russia-aligned actors.

Academic institutions have a unique set of characteristics that makes them attractive to bad actors. But fortunately, universal best practice security steps remain an effective antidote to cyber-risk.

Why do hackers go after schools and colleges?

In the UK, 71% of secondary (senior high) schools and nearly all (97%) of universities identified a serious security breach or attack over the past year, versus just half (50%) of businesses, according to government figures. In the US, the most recent figures available from the K12 Security Information Exchange (SIX) reveal that, between 2016 and 2022, the nation experienced more than one cyber-incident per school day.

So why are education institutions such a popular target?

It’s a combination of porous networks, large user numbers, highly monetizable data, and limited security know-how and budgets. Let’s consider these in more detail:

  • Limited budget and know-how: The education sector simply can’t compete with deep-pocketed private enterprises for scarce cybersecurity talent. The same budgetary pressure means institutions usually don’t have much to spend on security tooling. This can create dangerous gaps in coverage and capability. Yet those same monetary constraints make it even more important to mitigate cyber-risk: one report claims ransomware attacks on US schools and colleges since 2018 have cost them $2.5bn in downtime alone.
  • Personal devices: According to Microsoft, BYOD is commonplace in US schools, while at university, students everywhere are expected to provide their own laptops and mobile devices. If they’re allowed to log on to school networks without adequate security checks, these devices could unwittingly provide threat actors with a pathway to sensitive data and systems.
  • Fallible users: Humans remain one of the biggest challenges for security staff. And the sheer number of staff and students in education environments makes them a popular target for phishing. Awareness training is essential. But in the UK, for example, only 5% of universities make it compulsory for students.
  • A culture of openness: Schools, colleges and universities are not like typical businesses. A culture of information sharing, and openness to external collaboration, invites risk and gives threat actors opportunities to exploit. Tighter controls, especially on email communications, would help. But that’s difficult when there are so many connected third parties – from alumni and donors, to charities and suppliers.
  • A broad attack surface: The education supply chain is just one facet of a growing cyberattack surface that has expanded in recent years with the advent of virtual learning and remote work. From cloud servers to personal mobile devices, home networks and large, fluid numbers of staff and students, there are plenty of targets for threat actors to aim at. It doesn’t help that many education institutions are running legacy software and hardware that may be unpatched and unsupported.
  • PII and IP: Schools and universities store, manage and process large volumes of personally identifiable information (PII) on staff and students, including health and financial data. That makes them an attractive target for financially-motivated ransomware actors and fraudsters. But there’s more. The sensitive research handled by many universities also singles them out for nation state attention. The director general of MI5 warned the heads of the UK’s leading universities about exactly this back in April 2024.

The threat is real

These are not theoretical threats. K12 SIX has cataloged 1,331 publicly disclosed school cyber-incidents affecting US school districts since 2016. And EU security agency ENISA documented over 300 incidents impacting the sector between July 2023 and June 2024. Many more will go unreported. Universities are continually being breached by ransomware actors, sometimes to devastating effect.

Typical threat actor TTPs facing the education sector

As for the tactics, techniques, and procedures (TTPs) used to target education sector institutions, it depends on the end goal and the threat actor. State-backed attacks are often sophisticated, such as those from the Iran-aligned group Ballistic Bobcat (aka APT35, Mint Sandstorm). In one example, ESET observed the actor attempting to circumvent security software, including EDR, by injecting malicious code into innocuous processes and using multiple modules to evade detection.

In the UK, ransomware is viewed by universities as the number one cyberthreat to the sector, followed by social engineering/phishing and unpatched vulnerabilities. And in the US, a Department of Homeland Security report claims that: “K‑12 school districts have been a near constant ransomware target due to school systems’ IT budget constraints and lack of dedicated resources, as well as ransomware actors’ success at extracting payment from some schools that are required to function within certain dates and hours.”

The growing size of the attack surface, including personal devices, legacy technology, large numbers of users and open networks, makes the threat actor’s job that much easier. Microsoft has even warned of a spike in QR code-based attacks. These are designed to support phishing and malware campaigns via malicious QR codes placed in emails, flyers, parking passes, financial aid forms, and other official communications.

How can schools and colleges mitigate cyber-risk?

There may be a unique set of reasons why threat actors target schools, colleges and universities. But broadly speaking, the techniques they’re using to do so are tried and tested. That means the usual security rules apply. Focus on people, process and technology with some of the following tips:

  • Enforce strong, unique passwords and multi-factor authentication (MFA) to protect accounts
  • Practice good cyber-hygiene with prompt patching, frequent backups and data encryption
  • Develop and test a robust incident response plan to minimize the impact of a breach
  • Educate staff, students and administrators in best practice security, including how to spot phishing emails
  • Share a detailed acceptable use and BYOD policy with students, including what security you expect them to pre-install on their devices
  • Partner with a reputable cybersecurity vendor that protects your organization’s endpoints, data and intellectual property
  • Consider using managed detection and response (MDR) to monitor for suspicious activity 24/7 and help catch and contain threats before they can impact the organization

Global educators already have plenty of problems to deal with, from skills shortages to funding challenges. But ignoring the cyberthreat will not make it go away. If left to escalate, breaches can cause tremendous financial and reputational damage which, for universities in particular, could be disastrous. Ultimately, security breaches diminish the ability of institutions to provide the best possible education. That’s something we should all be concerned about.