The higher education sector is a prime target for cybercriminals and nation-state-aligned threat actors, according to Andy Ellis, a seasoned cyber security expert and member of Quorum Cyber’s Strategic Advisory Board (SAB). “This is the place where CISOs have the hardest job and the least control,” he said in our recent Global Cyber Risk Outlook Report 2025 webinar.
Andy explained that this wide range of adversaries targets higher education institutions because they store valuable intellectual property (IP) and don’t always have the resources to protect themselves to the level required. Elaborating further, he said that universities and colleges are very difficult to secure around the clock because students, researchers, and staff often use their own devices, work with a broad range of technologies, and sometimes bypass their institution’s security rules.
Our Global Cyber Risk Outlook Report 2025 provides comprehensive intelligence on the threats facing various industries, with a specific section focusing on higher education. Notably, the report reveals a staggering 400% increase in tracked threat actors worldwide. As James Allman-Talbot, Quorum Cyber’s Head of Incident Response and Threat Intelligence, said in the webinar, it’s crucial to understand the capabilities that threat actors have and which organisations they target. “Understanding this will help us protect ourselves as a community.”
The Global Cyber Risk Outlook Report 2025 details the threats facing universities and colleges and shares some important insights into what types of groups target the higher education sector and where those groups originate from.
Nation-state threats
To varying degrees, the higher education sector is a target of all nation-states in the Big Four. The Big Four nation-states in cyber security – China, Russia, Iran, and North Korea – are known for their advanced and often aggressive cyber capabilities, engaging in various forms of cyber espionage, attacks, and influence operations.
Our Threat Intelligence (TI) team believes China is a severe threat, as are financially motivated cybercriminals. The team sees Iran and North Korea as substantial threats, while Russia and hacktivists are a moderate threat to the sector.
Chinese nation-state-sponsored espionage
Chinese state-sponsored espionage is anticipated to pose a significant threat to the higher education sector because Beijing aims to extract valuable data from advanced research facilities to support its Made in China 2025 initiative, which focuses on advancing technological products for global markets. Furthermore, there is a plausible risk that this targeting will be intensified by insider threat actors infiltrating Western universities that have established campuses within mainland China.
Intelligence gathering on foreign affairs experts
North Korean state-sponsored espionage campaigns are highly likely to persist in targeting the Western higher education sector. This is driven by North Korea’s desire to gain deeper strategic insights into Western political strategies concerning the Korean Peninsula. These cyber espionage efforts are expected to exploit improperly configured DNS DMARC security policies, allowing attackers to impersonate academics and journalists, as observed in 2024.
Financially motivated cybercrime
Stealware operators will almost certainly exploit the vulnerabilities posed by students using personal and university email accounts on educational platforms. They aim to steal credentials and session data, which are then sold on cybercriminal forums for financial gain.
Stealware is a type of malicious software designed to intercept and steal sensitive information such as login credentials, financial data, or personal information from a victim’s device, often by redirecting web traffic or capturing keystrokes.
Additionally, as ransomware capabilities continue to advance, the higher education sector is likely to remain a target for dedicated operations such as Rhysida, as our threat intelligence team observed throughout the last 12 months. These campaigns are expected to take advantage of vulnerabilities and weaknesses in third-party supply chains, either through zero-day exploits or after public disclosure of the vulnerabilities (N-day).
Pro-Palestinian hacktivism
Pro-Palestinian hacktivist groups will likely continue to pose a risk to the Western education sector, with threat groups such as RipperSec demonstrating hostile intent to disrupt UK university websites with distributed denial-of-service (DDoS) and web defacement attacks to protest against support for Israel.
Learn more about the threats facing your company today
Quorum Cyber’s Chief Threat Officer Paul Caiazzo summarises what you’ll learn in the new Global Cyber Risk Outlook Report in a five-minute video. The report contains detailed findings about the cyber threats facing multiple sectors, including hacktivism, geopolitics, organised cybercrime, and attack vectors.
If you would like to join the cyber security conversation with Quorum Cyber and Queen Mary University of London, we’re hosting ‘Cyber Security in Education: A Collaborative Roundtable’ on 30th April. The event, featuring top-tier experts in data security and incident response, is open for registrations.