Cyber Risk in the Education Sector
Understand more about cyber risk in this sector.
Threat Reports
Publicly available threat reporting on cyber attacks against Education.
APT45: North Korea’s Digital Military Machine
This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT - APT45. The ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
This blog post by researchers at Microsoft Threat Intelligence outlines activity they observed by Forest Blizzard using a tool they named ...
GOLD IONIC DEPLOYS INC RANSOMWARE
This blog post from Secureworks describes the intrusion set they track as GOLD IONIC, also known as INC Ransom Group. The post outlines GOLD IONIC ...
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
This blog post from Proofpoint's Threat Research Team details the TA427 group, which they link to Kimsuky and attribute to North Korea. TA427 conduct ...
APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation
This 2022 report by researchers at FireEye threat intelligence outlines the intrusion set they designate as APT41. They describe the group as 'a ...
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
This presentation from TeamT5 describes the intrusion set they refer to as TeleBoyi; it was presented at JPCERT's JSAC2024 conference on January ...
The Operations of Winnti group
This report from researchers at NTT describes activity which they attribute to the Winnti Group (who they refer to as ENT-1) and identify overlaps ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and ConnectWise ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
I-Soon leak: KELA’s insights
This blog post outlines KELA's analysis of the 2024 I-SOON data leak. According to the article, I-Soon had relationships with Chinese governmental ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
APT37 (REAPER) - The Overlooked North Korean Actor
This special report by FireEye discusses an investigation into APT37, a suspected North Korean cyber espionage group. According to the report, ...
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
This blog post from researchers at Trend Micro discusses Earth Lusca and potential links to the Chinese contractor I-Soon. Earth Lusca is a China-linked ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...
Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign
The Insikt Group has observed TAG-70 using cross-site scripting (XSS) vulnerabilities to target Roundcube webmail servers in Europe. The ...
CharmingCypress: Innovating Persistence
This report by Volexity outlines campaigns conducted by the actor they call CharmingCypress (aka Charming Kitten). The report describes targeting ...
HAFNIUM targeting Exchange Servers with 0-day exploits
In March 2021, Microsoft detected multiple zero-day exploits being used as part of a widespread campaign by HAFNIUM / Silk Typhoon. This report ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use against Education.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1036 | Masquerading | Defense Evasion |
T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1572 | Protocol Tunneling | Command and Control |
T1003 | OS Credential Dumping | Credential Access |
T1505 | Server Software Component | Persistence |
T1190 | Exploit Public-Facing Application | Initial Access |
T1105 | Ingress Tool Transfer | Command and Control |
T1083 | File and Directory Discovery | Discovery |
T1070.004 | File Deletion | Defense Evasion |
T1059.004 | Unix Shell | Execution |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1049 | System Network Connections Discovery | Discovery |
T1601.001 | Patch System Image | Defense Evasion |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1016 | System Network Configuration Discovery | Discovery |
T1082 | System Information Discovery | Discovery |
T1531 | Account Access Removal | Impact |
T1095 | Non-Application Layer Protocol | Command and Control |
T1608.003 | Install Digital Certificate | Resource Development |
T1136.001 | Local Account | Persistence |
T1595.003 | Wordlist Scanning | Reconnaissance |
T1020 | Automated Exfiltration | Exfiltration |
T1566.002 | Spearphishing Link | Initial Access |
T1057 | Process Discovery | Discovery |
T1087.002 | Domain Account | Discovery |
T1036.007 | Double File Extension | Defense Evasion |
T1583.001 | Domains | Resource Development |
T1059.006 | Python | Execution |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1003.001 | LSASS Memory | Credential Access |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1110.003 | Password Spraying | Credential Access |
T1059.001 | PowerShell | Execution |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1059.003 | Windows Command Shell | Execution |
T1586.002 | Email Accounts | Resource Development |
T1584.004 | Server | Resource Development |
T1112 | Modify Registry | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1608.005 | Link Target | Resource Development |
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1003.002 | Security Account Manager | Credential Access |
T1588.001 | Malware | Resource Development |
T1033 | System Owner/User Discovery | Discovery |
T1595.002 | Vulnerability Scanning | Reconnaissance |
T1588.003 | Code Signing Certificates | Resource Development |
T1592 | Gather Victim Host Information | Reconnaissance |
T1505.003 | Web Shell | Persistence |
T1087.001 | Local Account | Discovery |
T1021.006 | Windows Remote Management | Lateral Movement |
T1047 | Windows Management Instrumentation | Execution |
T1539 | Steal Web Session Cookie | Credential Access |
T1133 | External Remote Services | Initial Access, Persistence |
T1608.001 | Upload Malware | Resource Development |
T1608.002 | Upload Tool | Resource Development |
T1569.002 | Service Execution | Execution |
T1583.003 | Virtual Private Server | Resource Development |
T1595.001 | Scanning IP Blocks | Reconnaissance |
T1203 | Exploitation for Client Execution | Execution |
T1204.002 | Malicious File | Execution |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1114 | Email Collection | Collection |
T1071.001 | Web Protocols | Command and Control |
T1069.002 | Domain Groups | Discovery |
T1534 | Internal Spearphishing | Lateral Movement |
T1199 | Trusted Relationship | Initial Access |
T1656 | Impersonation | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1007 | System Service Discovery | Discovery |
T1590 | Gather Victim Network Information | Reconnaissance |
T1566.001 | Spearphishing Attachment | Initial Access |
T1119 | Automated Collection | Collection |
T1486 | Data Encrypted for Impact | Impact |
T1204 | User Execution | Execution |
T1560 | Archive Collected Data | Collection |
T1010 | Application Window Discovery | Discovery |
T1071 | Application Layer Protocol | Command and Control |
T1090.001 | Internal Proxy | Command and Control |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1106 | Native API | Execution |
T1202 | Indirect Command Execution | Defense Evasion |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1021 | Remote Services | Lateral Movement |
T1074 | Data Staged | Collection |
T1561 | Disk Wipe | Impact |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1129 | Shared Modules | Execution |
T1485 | Data Destruction | Impact |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1564.003 | Hidden Window | Defense Evasion |
T1219 | Remote Access Software | Command and Control |
T1587 | Develop Capabilities | Resource Development |
T1021.004 | SSH | Lateral Movement |
T1657 | Financial Theft | Impact |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1069.001 | Local Groups | Discovery |
T1566 | Phishing | Initial Access |
T1482 | Domain Trust Discovery | Discovery |
T1003.003 | NTDS | Credential Access |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1018 | Remote System Discovery | Discovery |
T1555 | Credentials from Password Stores | Credential Access |
T1562 | Impair Defenses | Defense Evasion |
T1027.002 | Software Packing | Defense Evasion |
T1001.003 | Protocol Impersonation | Command and Control |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1110 | Brute Force | Credential Access |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1588.002 | Tool | Resource Development |
T1490 | Inhibit System Recovery | Impact |
T1027.009 | Embedded Payloads | Defense Evasion |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1218.005 | Mshta | Defense Evasion |
T1003.005 | Cached Domain Credentials | Credential Access |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1555.005 | Password Managers | Credential Access |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1598 | Phishing for Information | Reconnaissance |
T1585 | Establish Accounts | Resource Development |
T1071.002 | File Transfer Protocols | Command and Control |
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1528 | Steal Application Access Token | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1001 | Data Obfuscation | Command and Control |
T1204.001 | Malicious Link | Execution |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1059.007 | JavaScript | Execution |
T1132 | Data Encoding | Command and Control |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1553.002 | Code Signing | Defense Evasion |
T1571 | Non-Standard Port | Command and Control |
T1056 | Input Capture | Collection, Credential Access |
T1212 | Exploitation for Credential Access | Credential Access |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |