• Cyber Activities Division

Cyber Espionage Focusing on Universities: Is this a game or is it real?

Updated: Apr 10, 2019

Georgia Tech recently announced that a threat actor accessed personally identifiable information (PII) of up to 1.3 million current and former students, faculty and staff, as well as student applicants.[1] According to the university, the breach was first identified on 21st March 2019 after developers noticed a significant performance impact in one of its web applications. The investigation found that the breach occurred on 14th December 2018 through exploitation of a vulnerability in a web application, which allowed access to names, addresses, internal identification numbers, dates of birth, and social security numbers.[2] The vulnerability has since been patched, but attribution remains unreported.

This incident may remind some people of the movie WarGames, in which Matthew Broderick’s character hacks into the school’s computer system and alters his grades. However, cyber campaigns targeting universities are often the work of nation states conducting espionage. In one instance, nine Iranians working on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) conducted a “coordinated campaign of cyber intrusions into computer systems belonging to 144 US universities and 176 universities across 21 foreign countries.”[3] In another instance, a China-based threat actor referred to as APT40 targeted more than a dozen universities, including the University of Hawaii, University of Washington and Massachusetts Institute of Technology.[4] Universities represent a target-rich environment for cyber espionage threat actors because they possess valuable intelligence on new technologies, military research, and specific persons of interest.

Matthew Broderick changing grades in WarGames


Threat actors from Iran, North Korea, China and other nations are likely attempting to infiltrate universities in order to obtain research on new and emerging technologies. Universities with highly ranked engineering programs present valuable opportunities for nation states to obtain advanced technology that can benefit their economies and militaries. The previously mentioned China-based threat actor APT40 targeted more than a dozen universities for research about maritime technology being developed for military use.[5] Georgia Tech is likely considered a high-value target for cyber espionage because it ranks as the 7th best engineering school in the US and, in 2018, was awarded $207.1 million in new research funds for more than 75 engineering research centers.[6] [7] Furthermore, universities like Georgia Tech often obtain research grants and support initiatives by the US Government.[8] [9] This year Georgia Tech received a $4.5 million research grant for a project sponsored by the Defense Advanced Research Projects Agency (DARPA), which is an agency of the US Department of Defense.

According to Georgia Tech, the recent data breach allowed access to sensitive PII and not specialized or sensitive research. Some potential motives for cyber espionage threat actors wanting to collect PII from a university may include targeting at least one of the following types of individuals:

  1. Dissidents

  2. Family Members of Government Officials

  3. Faculty and Staff


Dissidents are a popular target for repressive and authoritarian nation states. PII obtained from a university, such as an address, could support surveillance of dissidents living abroad. One example of a cyber threat actor targeting dissidents in academia is the Iran-based threat actor APT35 (a.k.a. Charming Kitten). According to a security research organization, APT35 focuses on Iranian dissidents living in Iran or abroad, and some of its activity focuses on individuals of interest to Iran in the fields of academic research.[10]

Family Members of Government Officials

The motive and intent of surveilling family members of government officials are analogous to those of surveilling dissidents. Many political elites from countries like Iran and China send their children to study in the West. Maryam Fereydoun, who is the niece of Iran’s president, Hassan Rouhani, studied at Columbia University and the London School of Economics.[11] However, threat actors may also target family members of officials of adversary governments. Acquiring intelligence on a specific target often includes gathering details of family members and social networks, which are used to build detailed analysis from relevant all-source intelligence collection.

Faculty and Staff

The likely intent of targeting PII of faculty and staff is to eventually acquire their research or recruit them as agents. Depending on the PII obtained, a threat actor could launch a cyber campaign targeting the individual’s computer or conduct a “snatch and grab” type operation, as observed with Professor Anne-Marie Brady, a China specialist at the University of Canterbury in Christchurch, New Zealand. In February 2018, her home was burglarized, and the suspect(s) ignored cash and other valuables in favor of a laptop on which she had conducted her most recent research and a cellphone she had used on travels to China.[12] According to former CIA and Pentagon analysts, the break-in points to a nation state or a state-sponsored entity.[13]


It is more important than ever for universities to keep their networks safe and practice security awareness. Universities will continue to face constant threats from cyber espionage threat actors. Furthermore, attacks on universities that conduct military research create a new dilemma for governments and their national security. Universities often have weak security protocols that enable a threat actor to breach their networks more easily than those of a military entity. Thus, universities become the weakest link in protecting sensitive data that is crucial to national security interests. This means universities need to regularly harden their networks against threats and begin an open dialogue with government entities to help ensure they are not the weakest link jeopardizing national security.