Hackers eye students returning to virtual classes as easy targets

As many students across the country are returning to school online this fall, they face a potential wave of cyberattacks from hackers seeking to take advantage of academic institutions conducting remote classes during the COVID-19 pandemic. 

Universities and schools are scrambling to address threats such as a surge in malicious phishing emails, “Zoombombs” and other kinds of attacks. But with weakened budgets and students learning off campus, they are facing an uphill battle.

“We are seeing a dramatic increase in phishing, this is fully expected, we knew it would happen with any major calamity,” Michael Tran Duff, chief privacy officer and chief information security officer (CISO) at Stanford University, said during a virtual event hosted by software company Proofpoint on Wednesday. 

Stanford was among several universities impacted by a phishing email scheme earlier this year which saw cyber predators using the student emails to apply for fraudulent loans.

Duff noted that malicious actors often target former government officials working at Stanford, but emphasized that the majority of incidents are “targeted indiscriminately.”

“It’s not surprising that these phishing attacks — especially because this is one of the greatest disruptions our country has ever seen — have been more successful maybe than in the past,” Duff said. 

Helen Patton, the CISO of Ohio State University, noted during the same virtual event that while the pandemic had “interrupted the business of cybercrime,” she has seen high levels of phishing emails sent to those affiliated with the university. 

“We see an increase in phishing attacks when our people come back to college in the fall because they know our folks are going to be more off kilter,” Patton said. “When summer came, into May and June, the normal expectation would be to see phishing decrease, we didn’t quite see that this year.”

The concerns of the university officials have been magnified by warnings from federal agencies of foreign cyber attackers targeting groups involved in COVID-19 research. 

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned in May that Chinese government-backed hackers were targeting U.S.-based groups involved in creating COVID-19 vaccines and treatments, while the U.S., United Kingdom and Canada accused Russian hackers of taking similar actions in July. 

Erik Decker, the chief security and privacy officer at University of Chicago Medicine, said during the Proofpoint event that individuals at his institution had been targeted by “weaponized” coronavirus-themed phishing emails, particularly those aimed at stealing credentials or installing malware. 

Outside of higher education, K-12 students, teachers and officials are also facing cybersecurity woes. 

School districts were already reeling from attacks in 2019 when debilitating ransomware incidents took down school networks across the country, forcing Louisiana to declare a state emergency and at least one district in Arizona to cancel classes for several days. 

The movement of classes to online video conferencing platforms such as Zoom enabled learning to continue during the pandemic, but presented the new threat of “Zoombombing.” During many Zoombombs, classes and work meetings were disrupted by individuals spreading inappropriate messages, including racist comments and pornography. 

Doug Levin, founder and president of consulting firm EdTech Strategies, told The Hill Thursday that Zoombombing was continuing to “terrorize schools” as they begin to reopen this month, emphasizing that the phenomenon was taking place across other video conferencing services as well. 

Levin helps run the K-12 Cybersecurity Resource Center, which tracks cybersecurity incidents suffered by school districts since 2016.

As of this week, the center has tracked over 900 incidents that have ranged from data breaches to ransomware attacks. Levin told The Hill that while he saw a “dramatic drop off” of cyberattacks separate from Zoombombing incidents in March and April, that trend has reversed course as students begin returning to online classes. 

“I’m quite worried about the next month in particular as students are returning to campus and having to bounce back to remote learning,” Levin said. “I think this is going to be introducing a lot of new risks, and I think unlike the Spring when this situation caught everyone off guard, I think we’ve seen enough evidence now that malicious actors understand these trends and they are looking to take advantage of it and to take advantage of schools.”

“I’m starting to see evidence of a strong uptick in incidents,” he added. 

Federal agencies and officials have taken notice of cybersecurity threats to schools. The Department of Education published guidance for students, parents and school officials to help navigate the cyber risks involved in remote learning. The Federal Trade Commission has published guidelines on maintaining child privacy during remote learning and on identifying phishing emails. 

“Since students are online more, they are vulnerable to more threats,” the Department of Education wrote in its guidance. “Such threats may include an increase in cyberbullying, inappropriate content, sexting, sextortion/ransomware, oversharing, and online predation. Phishing emails, text messages, and scams with COVID-19 themes are currently trending.”

Prior to the pandemic, Sens. Gary Peters (D-Mich.) and Rick Scott (R-Fla.) introduced legislation to help protect K-12 educational institutions from cyberattacks, while other bipartisan members of Congress have introduced legislation meant to bolster state and local cyber resources. 

But with schools and universities facing strained resources and budgets during the pandemic, officials are concerned that efforts to enhance security during a highly virtual time may face roadblocks.

“I feel sorry for any university institution’s leader trying to work out what their priority is,” Patton said. “They’ve got to balance all of those needs all the time, so just like everybody else we are facing budget challenges, that doesn’t mean we don’t take security seriously and that doesn’t mean there is not more we can do, that is where we are now.”

Duff added that “we have to work with what we have, at Stanford we are in good shape, we’re OK, but we are shifting things around, shifting our priorities to adjust our protections.”

Levin argued that in order for the education sector to fully address cyber threats, schools need to be designated as critical infrastructure, arguing there was space for “federal leadership here.”

“One thing is clear is that this issue is not going to fade into the background, it’s only going to get more important, COVID or not,” Levin said.