Higher Learning Hacks
Our last post discussed Russian hacking of our power grid. Unfortunately, it’s not just Russia launching cyber attacks, and it’s not only government entities at risk. Colleges and universities are regularly targeted by hackers. We highlight some of these cases in our bi-annual Cyber Roundups.
In late March, the Justice Department announced indictments against nine Iranians for cyber intrusions into more than 300 college and university networks worldwide, with 144 of these higher learning institutions located in the United States. The goal of the hackers was to steal scientific data and intellectual property from colleges and universities around the world.
According to the Justice Department, many of the network hacks started with spear-phishing campaigns. Hackers would target professors via email, posing as colleagues from other learning institutions. Links in these emails would direct the victim to what appeared to be their institution’s login page, but was actually a falsified page meant to phish their credentials. Victims, thinking they had been logged out of their account, entered their username and password, effectively handing over the keys to their institution’s network. Over 100,000 professors were targeted and close to 3,800 U.S. school networks were breached. Hackers then sold the stolen credentials, allowing buyers to access online library resources, electronic books, and research databases.
We can’t be sure if these colleges and universities offered cyber awareness training, but we do know awareness reduces the success of these phishing attacks. Individual user training must be a part of the solution.