Professor lecturing in lecture hall at university showing higher education credentials sold on hacker forums

FBI Alert: Russian Hacker Forums Are Selling Security Credentials of Higher Education Institutions

The FBI warned that cybercriminals were selling thousands of stolen higher education credential information on Russian hacker forums.

According to the FBI’s private industry notification, attackers sold username and password combinations for a few to multiple thousands of dollars on underground and publicly accessible online forums.

Additionally, they posted screenshots to prove that they had access to the compromised institutions.

The alert suggested that the stolen security credentials resulted from ongoing cyber attacks targeting education organizations in the United States.

Criminals have a long history of targeting higher education institutions

The FBI said hackers had targeted higher education institutions for years using various tactics. They employed common but effective battle-tested methods such as spear-phishing.

In 2017, the FBI observed attackers harvesting security credentials from higher education institutions by “cloning university login pages and embedding a credential harvester link in phishing emails.”

The attackers collected login credentials and sent them via an automated email from their server.

In 2021, the attackers adopted COVID-19-themed phishing methods to steal credentials from universities in the United States.

“Such tactics have continued to prevail and ramped up with COVID-themed phishing attacks to steal university login credentials, according to security researchers from a US-based company in December 2021,” the FBI stated.

“Phishing is still highly effective and now has become a numbers game – the more frequent the attacks, the more victims get fatigued and fall prey,” John Gunn, CEO at Token, said.

According to the FBI alert, cybercriminals exfiltrated sensitive information by deploying ransomware against higher education institutions.

Emsisoft’s ‘The State of Ransomware in the US’ report found that 88 education institutions in the U.S., including 26 colleges and universities, suffered ransomware attacks in 2021.

Another study by Sophos (PDF) found that 44% of education institutions suffered a ransomware attack in 2021, with cybercriminals encrypting 58% of the victims.

Data and security credentials stolen during ransomware attacks end up for sale on hacker forums.

Most recently, the cost of ransomware attacks and COVID-19 effects caused the 157-year-old Lincoln college to shut down permanently.

“The education sector continues to make for attractive targets as it’s very rare that a university focuses on its cyber security stack as its #1 priority,” Brad Hong, Customer Success Manager,, said.

“As the majority of colleges in the US, especially ones who are not focused on protecting the intellectual property of their research institutes, have neither the staff nor the budget to implement next-generation cyber tools to combat next generation cyber-attacks, the effort to payoff is several tiers lower than any other industry as a whole.”

Hackers offered .edu email accounts and VPN credentials for sale on Russian hacker forums

In 2022, hackers offered network credentials and virtual private network (VPN) logins from multiple colleges and universities across the United States for sale on Russian hacker forums. Screenshots accompanied the stolen login credentials as proof of access to the compromised institutions.

In 2021, the bureau discovered threat actors posting approximately 36,000 email and password combinations (with duplication) of .edu email accounts on an instant messaging platform.

In 2020, the FBI  found 2,000 unique username and password combinations of .edu sites listed for sale on one of the currently-defunct dark web forums. The seller requested donations to an identified bitcoin wallet, according to the FBI.

Usually, threat actors list credentials for sale on various hacker forums, with some receiving multiple buyers.

However, the FBI did not explain if the attackers listed the stolen higher education credentials on other hacker forums or whether they closed the sale.

Login credentials posted on hacker forums pose credential stuffing risks

The FBI warned that stolen credentials posted on online forums or listed on the dark web could lead to brute force credential stuffing computer network attacks, whereby attackers attempt to log in across multiple internet sites or exploit them for subsequent attacks.

The bureau explained that criminal actors take advantage of users recycling passwords across multiple accounts, internet sites, and services to compromise other online accounts.

Subsequently, the attackers could access victims’ credit cards and personally identifiable information to drain their accounts, commit fraud or crime, or compromise other organizations.

FBI recommendations on protecting higher education institutions

The FBI advised affiliated organizations to create and maintain strong liaison relationships with their regional FBI Field Offices. This relationship would help higher education institutions identify and mitigate potential cyber threats.

Additionally, academic institutions should create and maintain an incident response and communication plan in case of a successful cyber attack.

Educational institutions should also require strong and unique passwords and implement failed login lockout rules.

They should also enable multi-factor authentication (MFA) on critical systems, privileged accounts, emails, and virtual private networks.

Similarly,  institutions of higher learning should restrict account usage to local devices, segment their networks to prevent malware propagation, and monitor abnormal network activity.

They should also implement the principle of least privilege with a clearly defined and narrowed scope and audit usage patterns.

The bureau also recommended phishing awareness training and exercises for students and faculty to educate them on the risks of visiting suspicious websites and clicking on suspicious emails.

Lastly, higher education institutions should secure and monitor RDP usage and track remote connections to their networks.

“We are seeing the same approach to stealing business user credentials which underscores the need for multifactor authentication and a passwordless approach to access control – no credentials means nothing to phish and ends this massive vulnerability,” Gunn added.

Similarly, Hong advised university governing boards to “identify cyber security as a priority, followed by an analysis of what zero-trust might look like in the existing stack, short of purchasing any new tools.”