Like it or not, universities are uniquely positioned to be susceptible to various kinds of exploitation and digital attacks as a result of the arrival of cryptocurrencies. The most challenging part is that these threats are difficult to identify until after the fact.
When you combine unfettered access to electricity, vast internal computer networks, large numbers of staff with administrative permissions and tech-savvy young adults, things are going to get interesting pretty quickly.
The threats come from two areas- malware and mining. We’ll get into the what, how and why later on. But first look at this venn diagram I spent seven minutes making.
If you’re new to Malware, let me explain how……ahh screw it. “Hey, Siri…”
So basically, malware is just shorthand for malicious software. It may infect a single host or an entire network by spreading through the digital plumbing. There are a number of types of malware out there; Adware, Spyware, Trojans. However, there’s one type that’s seeing explosive growth. Enter ransomware.
The most important technological shift to understand is that bitcoin brings, for the first time, a form of digitally-native value. The subsequent avalanche of other cryptocurrencies, some of which are anonymous, means that attackers have a convenient and hard to trace payment method with which to monetize security vulnerabilities.
“The problem that cybercriminals have always had, was how to turn data into currency. Now data is currency.”
-Oliver Rochford, Research Director at Tenable Network Security
Think of it this way- previously, if someone could hack into your email account they could read your emails or send spam from your address. Today, someone could compromise your email account and essentially hold it hostage, demanding that you pay them (in the form of a cryptocurrency) to regain access. Might not sound like a big deal, but if you apply the same method to say the reservations system of a major international airline. Shit. Gets. Real.
How does ransomware get into a system? Well, initially through a malicious link or attachment contained within a phishing email. Combine this with a networked computer running an outdated and exploitable operating system and you can potentially give up access to a lot of sensitive data. In targeted attacks, these can be very difficult to identify as shown by the example below (source: EDTS).
Universities, like many large organisations, can have thousands of staff who require regular access to private shared databases (employee benefits, class scheduling, student accounts, etc). The likelihood that someone unsuspectingly downloads a malicious file is high, whether it infects the system depends on the grade of cyber security and the protocols in place.
Here’s a short list of recent headline-
I hope you didn’t just click on any of those links! Relax, I’m kidding.
The recent spate of incidents has seen the FBI firmly advised against paying any kind of ransom to attackers due to the fact that there’s no guarantee that the data will be unlocked (decrypted). Though, in certain cases, where backups of critical data aren’t available, some educational institutions have felt they’ve had no choice.
This is a more straightforward one to grasp. Certain cryptocurrencies are accrued through a function called Proof of Work, more commonly known as ‘mining’. Basically this means expending computational power to solve a defined problem in order to potentially be rewarded with fresh coins. You may have seem images on the news of giant warehouses filled wall-to-wall with tiny black boxes, humming away 24/7 in the pursuit of bitcoins, but there are other cryptocurrencies that don’t require such scale to be cost-effective. In fact certain cryptocurrencies can be mined using a moderately-powerful gaming laptop.
So your main input costs here are hardware and energy.
Dorm Room Mining
Now consider that universities by nature will create fairly high concentrations of technologically adept individuals. They’re often cash-strapped, sustaining themselves on a steady diet of ramen and taurine. It doesn’t take long for some to figure out that they can take advantage of the seemingly ‘free’ electricity on offer in their dorm room, combining it with hardware, in order to turn it into crypto. If you’re not factoring in electricity costs into the equation, you can afford to mine certain cryptocurrencies that the average person would have to do at a loss. Below is a breakdown of the traffic sources of crypto mining according to sector in 2018. The data was captured by Cisco who monitored the network connections of some cooperative clients.
Yea, that’s a significant energy bill being footed by the rest of the student population over time through fee increases. I can feel the disappointment in your bones.
Mining + Malware =
When you combine these two concepts you create a whole new threat. If it’s possible to mine certain cryptocurrencies using your average desktop PC, then any underutilised large computing network with weak security becomes an attractive target for hijacking.
Just as carjacking involves the unauthorised use of your vehicle, cryptojacking involves the unauthorised use of your computing hardware. In this case, you may not even be aware it’s happening. When you use your computer (laptop, PC, smartphone) it’s likely that you’re not using ALL of the computing power available. This excess power can now be monetised, by this new kind of malware, for the purpose of mining. St. Francis Xavier University in Nova Scotia experienced just this in late 2018.
“The cryptojacking attack started on Nov. 1, targeting the university’s considerable network infrastructure for unauthorised mining of a yet-to-be-identified cryptocurrency. After the malware was detected, the school immediately pulled its entire network offline, effectively paralysing all activities relating to its online course system, cloud storage, email services, debit transactions, and Wi-Fi.” — Yahoo Finance
Shutting down your entire university network for a week is less than ideal. The costs to St. Francis Xavier will be immense in terms of security upgrades, lost productivity, reputational damage, etc. The part that’s most worrying is that the cost to launch such an attack is negligible. So if you take anything away from reading this, it’s that both excess power (electricity or computational) and data now have a monetary value.
The harsh truth is that things are likely to get worse before they get better. With the advent of anonymous online identities and now anonymous and untraceable payment methods, we have to work simply with the economic incentives behind such actions and attacks when preparing strategies to defend against them. The one thing that is abundantly clear is that universities will be in the unfortunate position of being among the first forced to figure out solutions to these largely new threats. Lucky for us, this just happens to be one of their greatest competencies.