Phishing attack ‘highlights flaws in Chinese universities’ cybersecurity’

Separate breaches in one week trigger concerns over lack of awareness in the sector

July 16, 2022

Recent suspected cybersecurity incidents involving higher education providers in China have highlighted how some institutions lack the awareness and the infrastructure to protect themselves against attacks, according to an expert.

Students and staff at Northwestern Polytechnical University in Xi’an were recently targeted by phishing emails that contained keywords such as “research” and “assessment” in the subject line. Anyone who clicked the link in the email allowed a Trojan horse programme to steal data and personal information.

According to a public statement, the institution immediately informed the police, whose initial investigation indicated that “it was a cyberattack launched by overseas hackers groups and criminals”. The phishing emails did not cause a massive data leak or a major cybersecurity incident, the statement said, but “exposed significant potential risk to the daily work and life of the university”.

“In general, institutions that are specialised in high technology and military industry do better at cybersecurity, whereas other institutions fall behind in both awareness and infrastructure,” Liu Deliang, a law professor at Beijing Normal University and dean of the Asia-Pacific Institute for Cyber-Law Studies, told Times Higher Education.

“Just like the conflict between spear and shield,” he said, “there is no absolute safety as the spear is always actively looking for opportunities. Institutions need to recognise the importance of cybersecurity and build long-lasting awareness and constant defence against attacks.”

Another suspected incident involving Chaoxing Xuexitong, a leading online learning app, has added to the concerns about cybersecurity.

It was reported to have suffered a data breach, according to local media. Students alleged on social media that more than 170 million records – including student names, university affiliations, telephone numbers and email addresses – in its database had been “put on the market” for sale.

According to the company’s marketing material, it has more than 40 million users and was “the most frequently used app by universities for online teaching during the 2020 Covid outbreak”.

In a statement, Chaoxing Xuexitong said that it had checked its systems and had “not found clear and solid evidence of data breach so far”, but it added that the police had been called to investigate.

The incident highlighted faculties’ data safety when using products or services provided by outside vendors, Professor Liu said. “Staff at some universities still mix personal and work email addresses, while some do not realise that important university data must not be stored or hosted on unsafe servers or the cloud. These are just examples of lacking awareness, where training and education is needed.”

Universities across the world have had to contend with a growing number of cyberattacks, with a recent report finding that 92 per cent of institutions had identified a breach in the past 12 months.

Providers have been told to ensure that they are getting the basics right, and putting in mandatory training for staff, to protect their institutions.

karen.liu@timeshighereducation.com
