Chances are, if you have a university email address – and most professors and researchers do – you’ve been the target of a foreign cyber-attack in the past few months. Cyber-espionage of Canadian research, including research conducted in universities, has significantly increased since March, so much so that the federal government felt the need to warn researchers.
Over the past seven months, researchers, professors and students at the University of Calgary have seen an increase in attacks seeking confidential data. The institution is conducting a number of studies on COVID-19, including researching the effects of hydroxychloroquine in treating symptoms. According to Linda Dalgetty, U of C’s vice-president, finance and services, the university typically blocks millions of threats each month, and even more since the start of the pandemic. “Examples include denial of service attacks, password brute force attacks, web application attacks and phishing attempts,” says Ms. Dalgetty. (See “A glossary of cyber-attack strategies,” below.)
Hackers are taking advantage of the sense of urgency caused by the current health crisis and changes stemming from the mass transition to remote work. “In the academic field, the most common method is ‘spear phishing,’ a more targeted version of phishing,” explains Benoît Dupont, a criminology professor at Université de Montréal who holds the Canada Research Chair in Cybersecurity. “With spear phishing, attackers will pretend to be a colleague abroad with whom you may have published a scientific article. The approach might be a partnership proposal from a university abroad or a CV from a student looking to do a postdoctoral fellowship.”
Hackers start by conducting reconnaissance to find out who has access to what type of data and information. According to Dr. Dupont, people working with confidential data and information on COVID-19, and employees working in the university IT department, are most at risk – researchers, directors, laboratory staff, technicians and IT experts who have privileged access to IT infrastructure, which holds the near-sum total of an institution’s knowledge.
Tracking down hackers
When carrying out an attack, hackers seldom leave without a trace. “The key is knowing how to track these traces down and how to analyze them,” says Dr. Dupont. “With some exceptions, universities don’t really have the IT resources to carry out this kind of investigation.” That’s why most call on external organizations that specialize in analyzing IT tools and cyber-spying habits. “Without having absolute certainty, these investigations will be able to indicate that a particular attack came from China, for example, because the attackers used a characteristic tool, an identifiable ploy, and looked for a particular type of information. Therefore, it’s more likely to be China than Russia or Iran,” he says, speaking hypothetically.
China, Russia and Iran are the countries most suspected of targeting COVID-19 research around the world since the pandemic began. In July, Canada, the U.S. and the U.K. identified Russian cyber-threat activity targeting research. “These malicious cyber-activities were very likely undertaken to steal information and intellectual property relating to the development and testing of COVID-19 vaccines, and serve to hinder response efforts at a time when healthcare experts and medical researchers need every available resource to help fight the pandemic,” reads a statement released in July from Canada’s Communications Security Establishment (CSE).
A glossary of cyber-attack strategies
- Phishing: sending fraudulent emails on a large scale to encourage disclosure of information or downloading of malicious code
- Spear phishing: sending a highly personalized fraudulent email to a single user or a limited number of users
- Denial of service attacks: shutting down a machine or network, making it inaccessible
- Brute-force attacks: attempting numerous password combinations to bypass authentication processes
- Web application attacks: using IT system vulnerabilities to infiltrate databases
The CSE did not specify who was the target of these attacks within our borders, but according to a bulletin from the Canadian Centre for Cyber Security published prior to the CSE statement, “In mid-April 2020, a Canadian biopharmaceutical company was compromised by a foreign cyber threat actor, almost certainly attempting to steal its intellectual property.”
Alexis Rapin, researcher-in-residence at the Observatoire des conflits multidimensionnels at Université du Québec à Montréal, believes the joint denunciation by the Canadian, American and British governments is significant. “It’s rare for a government to publicly acknowledge that we’re being targeted by foreign cyber-attacks, and rarer still for a government to attribute the attack and say that Russia is behind it.”
In its annual Digital Defence Report released at the end of September, Microsoft says cyber-attacks are increasing in sophistication, with threat actors “using techniques that make them harder to spot and that threaten even the savviest targets.” The company noted a 35 percent increase in attacks compared to 2019. Canada is reportedly the third most targeted country, behind the U.K. and the U.S., by hackers hungry for data from COVID-19 research groups, non-governmental organizations, universities and colleges.
As research being carried out in universities is increasingly focused on public health and safety, Dr. Rapin thinks the federal government should be more interested in protecting it. “The pandemic has highlighted the issue of industrial cyberespionage, which has been around for a much longer time. Perhaps the attacks related to the health crisis will put this issue higher on the agenda and stimulate mechanisms for protection.”
The federal government recently made available a series of tools and resources on its Safeguarding Your Research platform to help university researchers ensure the safety of “Canadian research integrity, intellectual property and business interests.” The government recommends federal research funding agencies examine security processes, while sharing best practices and tools.
U de Montréal’s Dr. Dupont believes universities also have some responsibility. “Researchers can’t be expected to protect themselves effectively against these attacks if universities don’t provide them with the infrastructure and tools they need to do so.” He recommends universities provide researchers and employees with training to identify suspicious messages. Multi-factor authentication methods and artificial intelligence to detect unusual messages are other effective ways of strengthening research security, he says. “Given the level of sophistication and persistence of these attacks, researchers are very ill-equipped to deal with them on their own.”
Studies of the situation in Australia, the U.K. and the U.S. “suggest that universities in these three countries are not well-equipped” to deal with the increase in cyber-threats, Dr. Dupont continues. “As Canadian universities are not very different in terms of resources, culture and the like, we can assume that we are no better prepared in Canada,” he says.
As part of a study conducted in 2019, the British agency Jisc, whose role is to support higher education institutions’ IT needs, conducted “penetration tests” on about 50 universities in the country. Through simple phishing, Jisc managed to access valuable data from all of the universities within two hours.
“It is imperative that those in higher education continually assess and improve their security capability and for higher education leaders to take the lead in managing cyber risk to protect students, staff and valuable research data from the growing threat of attack,” the report concludes.
Universities Canada (publisher of University Affairs) says the organization is communicating with the federal government to highlight the importance of investments to strengthen cybersecurity in Canadian universities. “These discussions have reinforced the importance of international collaboration in research, academic freedom and institutional autonomy for Canada’s research enterprise, and have increased awareness about potential threats to the integrity and security of Canadian research,” says Universities Canada president Paul Davidson.