It’s notoriously difficult to identify individual cyber criminals, but data that Jisc has collected over the past few years has built up a picture of who may be launching attacks on the UK’s colleges and universities based on when they do it.
When the data is collated into graphs, clear patterns emerge.
This graph, below, shows the number of DDoS attacks (designed to slow down or disrupt our members’ networks) that have been seen on the Janet Network over the past year. It also shows the peaks and troughs within the year.
The troughs, when the number of attacks decreases dramatically, always appear during holiday times.
[Graph caption: black bars indicate holiday times: summer 2017, Christmas, Easter, May half term, summer 2018]
This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector.
Whichever the case, there’s no point sending a DDoS attack to an organisation if there’s no one there to suffer the consequences.
Finding patterns in attacks
Another interesting finding is that the usual dip in attacks during summer 2018 started earlier than the same time last year.
The heatwave this year could have been a factor, but it’s more likely due to international law enforcement activity: Operation Power Off took down a ‘stresser’ website at the end of April.
Stresser sites basically sell DDoS packages to customers who want to attack internet services under the pretence of “testing” them to see how well they would cope with a DDoS attack. Operation Power Off also targeted owners and customers of the stresser service, leading to other similar illicit businesses going offline as well.
This resulting dearth of attacks for hire, alongside the deterrent effect of the police operation, could explain the reduction in attacks we have seen on the Janet Network since April.
In the graph below, the distribution of attacks over the day shows that it’s quieter at night, while the number of attacks starts to ramp up at 08:00, peaks between 09:00 and early afternoon, and then dies off again.
Interestingly, when comparing the time distribution for the first eight months of 2018 with January to August 2017, there have been slightly fewer attacks starting in the early hours, but more in the core of the day, and the peak also continues for longer. Last year the number of attacks started to wane from 13:00; this year it is 14:00.
Part of our role is to monitor the network and we noticed several attacks at a college earlier this year, which started at 09:00 and finished at 12:00, began again at 13:00 and finished at around 15:00-16:00. This suggested that the perpetrator was someone who wanted to get online at lunchtime, but didn’t want to do any work during the day.
Could a member of staff get away with that, or was a student to blame?
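The hour-of-day analysis described above, written out as an added example rather than Jisc’s own code or data: the start times are constructed to mimic a working-day profile, and hourly_profile, busy_window and year_on_year are assumed helper names, not part of any Jisc tooling.

```python
from __future__ import annotations
from collections import Counter
from datetime import datetime
from typing import Iterable

# Constructed attack start times (not Janet Network data), one entry per detected DDoS.
STARTS_2017 = [
    "2017-03-06T02:15:00", "2017-03-07T07:40:00", "2017-03-08T08:05:00",
    "2017-03-09T09:10:00", "2017-03-10T09:55:00", "2017-03-13T10:20:00",
    "2017-03-14T10:45:00", "2017-03-15T11:05:00", "2017-03-16T11:30:00",
    "2017-03-17T12:10:00", "2017-03-20T12:50:00", "2017-03-21T13:15:00",
    "2017-03-22T14:05:00", "2017-03-23T16:30:00",
]
STARTS_2018 = [
    "2018-03-05T08:20:00", "2018-03-06T09:05:00", "2018-03-07T09:45:00",
    "2018-03-08T10:15:00", "2018-03-09T10:50:00", "2018-03-12T11:10:00",
    "2018-03-13T11:35:00", "2018-03-14T12:05:00", "2018-03-15T12:40:00",
    "2018-03-16T13:10:00", "2018-03-19T13:50:00", "2018-03-20T14:25:00",
    "2018-03-21T15:15:00", "2018-03-22T17:05:00",
]

def hourly_profile(start_times: Iterable[str]) -> list[int]:
    """Number of attacks starting in each hour of the day (index 0..23)."""
    counts = Counter(datetime.fromisoformat(t).hour for t in start_times)
    return [counts.get(h, 0) for h in range(24)]

def busy_window(profile: list[int], fraction: float = 0.75) -> tuple[int, int]:
    """Contiguous hours around the busiest hour whose count stays at or above
    fraction * peak. Returns (first_busy_hour, wane_hour): wane_hour is the first
    hour after the block in which activity drops below the threshold (24 if never)."""
    peak = max(profile)
    threshold = peak * fraction
    lo = hi = profile.index(peak)
    while lo > 0 and profile[lo - 1] >= threshold:
        lo -= 1
    while hi < 23 and profile[hi + 1] >= threshold:
        hi += 1
    return lo, hi + 1

def year_on_year(old: list[int], new: list[int]) -> list[int]:
    """Per-hour change in attack starts (new minus old) for comparing two periods."""
    return [n - o for o, n in zip(old, new)]

if __name__ == "__main__":
    p17, p18 = hourly_profile(STARTS_2017), hourly_profile(STARTS_2018)
    print("2017 busy window:", busy_window(p17))  # (9, 13): wanes from 13:00
    print("2018 busy window:", busy_window(p18))  # (9, 14): wanes from 14:00
    print("early-hours change (00-05):", sum(year_on_year(p17, p18)[:6]))  # -1
```

Run against real SOC event exports, the same two functions give the busy window and the year-on-year shift the text describes; a window that stops at lunchtime and resumes afterwards, as in the college case, shows up as a dip at hour 12 in the profile.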
Why do people carry out these attacks?
We can only speculate on the reasons why students or staff attack their college or university - for the “fun” of disruption and kudos among peers of launching an attack that stops internet access and causes chaos, or because they bear a grudge for a poor grade or failure to secure a pay rise.
Occasionally, we can pinpoint the exact reason for an attack.
A while back we noticed a DDoS attack against a university, so we activated the foundation DDoS mitigation service, which reduces the impact of an attack. A couple of hours later the same institution was targeted again.
The attacks went on for four days and most were occurring at night, so we worked with the university to identify the target. This turned out to be the halls of residence, which raised further questions. We looked at what else was happening on the network at the same time as the attacks and we found a lot of traffic going to online gaming websites.
Further investigation showed that a student in halls had been playing an online game and had attacked another gamer to try and secure an advantage. What we were seeing coming over the network and into the hall of residence was a revenge DDoS attack.
There are several examples of students attacking colleges or universities, and their motivation varies. One student convicted of offences connected to the TalkTalk incident in 2015 stated he was “just showing off to [his] mates”. That student had also targeted the University of Manchester and Cambridge University Library.
Adam Mudd was also prosecuted for cyber attacks against his college. Mudd admitted to attacking West Herts College, where he was a computer science student. This attack also affected 70 other institutions in the region, including the universities of East Anglia, Essex and Cambridge. Mudd’s explanation for one of his attacks was that the college had not acted when he had reported that he had been mugged.
If a student is caught engaging in illegal online activity like this, it would be up to the college or university to discipline that student. If they want to try and prosecute, they can ask us to help provide evidence, but this doesn’t happen often.
Most of the time when cyber attackers are caught and convicted it’s because they make mistakes. For example, a former student from Stockport who was in court last year for attacking the Janet Network, the National Crime Agency and several multinational businesses was identified because he failed to cover his tracks.
We operate a zero-tolerance policy to attackers and gave evidence to the police which helped trace and convict this young man. In his case, the motivation was money: Jack Chappell was working with a criminal gang.
Time to get serious
So, there is evidence, both circumstantial and from the justice system, to suggest that students and staff may well be responsible for many of the DDoS attacks we see on the Janet Network.
Jisc’s security operations centre is there to help mitigate attacks on our members, but colleges and universities are responsible for their own cyber space and should not underestimate the potentially huge financial and reputational impact of a network outage.
Unfortunately, there are far more serious criminal players at work that organisations ignore at their peril. It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.
The blame could lie with criminals intent on selling information to the highest bidder, a business wanting to uncover a competitor’s secrets, or a foreign power trying to gain political leverage. Security agencies, including the National Cyber Security Centre and the FBI, have already warned of state-sponsored attacks by countries including Russia, and the education sector is just as much at risk as any other in the UK.
When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members safe, but there’s no such thing as a 100% secure network.